by Mitja Kolsek, the 0patch Team
Windows 7 and Server 2008 R2 users without Extended Security Updates
have just received a micropatch for CVE-2020-1281, an integer overflow
vulnerability in Windows OLE marshaling that could allow a remote
attacker to execute arbitrary code on the user's computer.
This vulnerability was patched by Microsoft with June 2020 Updates, but
Windows 7 and Server 2008 R2 users without Extended Security Updates
remained vulnerable.
Security researcher Yuki Chen found the vulnerability, wrote an in-depth analysis, analyzed
Microsoft's patch and provided a POC for triggering the vulnerability.
The vulnerability is in the way the new object size is calculated when
an object is enlarged (e.g., in string concatenation). This new size is
then used to allocate memory for the resulting "enlarged" object.
The vulnerable code doesn't account for very large sizes whose sum
exceeds the capacity of a 32-bit integer. In such cases an integer
overflow occurs, a too-small memory block is allocated, and the
subsequent copy into this new block overwrites memory outside of it.
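To make the overflow concrete, here is an added example (not code from the original post, and not Microsoft's or 0patch's code) that models the size calculation in 32-bit unsigned arithmetic. It assumes the same sequence of operations the micropatch below guards: align the running size to 4, round the BSTR byte length up to even, add the two, then add a 12-byte header. The unchecked variant wraps silently and returns a tiny size for huge inputs; the checked variant reports the overflow instead, which is the behaviour a size calculation feeding an allocator should have.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict of the checked calculation: either a usable size or "overflow". */
typedef struct {
    bool overflow;
    uint32_t size;
} size_result;

/*
 * Constructed model of the vulnerable computation (assumption, not the real
 * oleaut32 code): every step wraps modulo 2^32, so huge inputs yield a small
 * size and the caller allocates far too little memory.
 *   offset      - running marshaled size before this BSTR
 *   len_prefix  - pointer to the BSTR's 4-byte length prefix, NULL for a null BSTR
 */
uint32_t bstr_user_size_unchecked(uint32_t offset, const uint32_t *len_prefix)
{
    uint32_t aligned = (offset + 3u) & ~3u;          /* align to 4 bytes */
    uint32_t len = len_prefix ? *len_prefix : 0u;    /* null BSTR has length 0 */
    len = (len + 1u) & ~1u;                          /* round up to even */
    return len + aligned + 12u;                      /* header + payload, may wrap */
}

/*
 * Same arithmetic with an overflow check after every addition, mirroring the
 * cmp/jb and add/jc pairs in the micropatch.  Returns overflow=true instead of
 * a wrapped size so the caller can refuse the allocation.
 */
size_result bstr_user_size_checked(uint32_t offset, const uint32_t *len_prefix)
{
    size_result r = { false, 0u };

    uint32_t aligned = (offset + 3u) & ~3u;
    if (aligned < offset) {                 /* cmp ecx, edx / jb OVERFLOW */
        r.overflow = true;
        return r;
    }

    uint32_t len = len_prefix ? *len_prefix : 0u;
    if (len == UINT32_MAX) {                /* add eax, 1 / jc OVERFLOW */
        r.overflow = true;
        return r;
    }
    len = (len + 1u) & ~1u;

    uint32_t sum = len + aligned;
    if (sum < len) {                        /* add eax, ecx / jc OVERFLOW */
        r.overflow = true;
        return r;
    }
    if (sum > UINT32_MAX - 12u) {           /* add eax, 0x0C / jc OVERFLOW */
        r.overflow = true;
        return r;
    }

    r.size = sum + 12u;
    return r;
}

int main(void)
{
    /* Constructed sample inputs: one benign, two that wrap. */
    uint32_t small_len = 7u, max_len = UINT32_MAX;
    uint32_t offsets[] = { 100u, 0xFFFFFFFEu, 0u };
    const uint32_t *lens[] = { &small_len, &small_len, &max_len };

    for (int i = 0; i < 3; i++) {
        uint32_t raw = bstr_user_size_unchecked(offsets[i], lens[i]);
        size_result chk = bstr_user_size_checked(offsets[i], lens[i]);
        printf("offset=0x%08x len=0x%08x unchecked=%u checked=%s\n",
               offsets[i], *lens[i], raw,
               chk.overflow ? "OVERFLOW" : "ok");
    }
    return 0;
}
```

For offset 0xFFFFFFFE the unchecked version returns 20 bytes, although the true size is well past 4 GiB; the checked version trips on the very first comparison, which is exactly the condition the micropatch's `cmp ecx, edx / jb OVERFLOW` catches.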
Microsoft's patch modified several functions related to calculating the
object size. We decided to only patch the one that is proven to be
exploitable at this point (BSTR_UserSize). Upon detecting an overflow,
our patch reports "Exploit Blocked" and terminates the process:
MODULE_PATH "..\Affected_Modules\oleaut32.dll_6.1.7601.24537_64bit\oleaut32.dll"
PATCH_ID 441
PATCH_FORMAT_VER 2
VULN_ID 6279
PLATFORM win64
patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
PATCHLET_OFFSET 0x5fcf
N_ORIGINALBYTES 5
JUMPOVERBYTES 0
PIT oleaut32.dll!0x10edc,Kernel32.dll!TerminateProcess,Kernel32.dll!GetCurrentProcess
; This patchlet is located in BSTR_UserSize and replaces the main branch of code right up to the retn
; On entry we have:
; - rax points to the content of the BSTR object (the first character of the string)
; - rdx is the size to be added to the string
; - ecx is rdx+3 (just computed using "lea ecx, [rdx+3]")
; The patch performs the same operations the original code does, but for each of them,
; it checks for a numeric overflow and if so, pops ExploitBlocked and triggers an exception like the official patch
code_start
and ecx, 0xFFFFFFFC ; we pushed this instruction out, so replacing it here
cmp ecx, edx ; check if adding 3 and aligning resulted in an overflow
jb OVERFLOW ; overflow detected
test eax, eax ; same as in original code
jz BSTR_IS_NULL
mov eax, dword [rax-4] ; same as in original code
jmp END1
BSTR_IS_NULL:
xor eax, eax ; same as in original code
END1:
add eax, 1 ; original code has "inc eax", but that doesn't set the carry flag
jc OVERFLOW ; overflow would set the carry flag
and eax, 0xFFFFFFFE
add eax, ecx
jc OVERFLOW ; overflow would set the carry flag
add eax, 0x0C
jc OVERFLOW ; overflow would set the carry flag
retn ; return from the function
OVERFLOW:
call PIT_ExploitBlocked
call PIT_GetCurrentProcess
mov rcx, rax
mov rdx, 0x1337
call PIT_TerminateProcess
code_end
patchlet_end
Here's a video of our micropatch in action:
We'd like to thank Yuki Chen
for an excellent analysis and POC for this issue, which allowed us to
create a micropatch for Windows users without security updates.
This micropatch is immediately available to all 0patch users with a PRO license, and is targeted at Windows 7 and Windows Server 2008 R2 users without Extended Security Updates. To obtain the micropatch and have it applied on your computer(s) along with other micropatches included with a PRO license, create an account at 0patch Central, install 0patch Agent and register it to your account. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch.
To learn more about 0patch, please visit our Help Center.