by Mitja Kolsek, the 0patch Team
August 2022 Windows Updates brought a fix for a memory corruption vulnerability in Microsoft Outlook, discovered by security researcher insu of 78ResearchLab. The flaw lies in Outlook's processing of multiple Content-Type headers in a multipart/signed email: a malicious email can cause Outlook to free a memory address that was never allocated, crashing Outlook as the email is downloaded (even before anyone can view it). Once such an email is in the user's Inbox, Outlook crashes whenever the user clicks on it or it gets displayed in the Preview pane.
While Microsoft categorized this flaw as "denial of service", it seems possible it could be exploited for arbitrary code execution.
0patch security-adopted Office 2010 in November 2020, when its support was officially terminated, although Microsoft kept providing security updates for it until April 2021. Since that date we have analyzed every published vulnerability affecting still-supported versions of Office to see whether Office 2010 was also affected, and until now we had not confirmed any. This is the first case where we could reproduce a publicly detailed, potentially critical issue in an Office 2010 component.
Thankfully, the researcher published an analysis and a proof-of-concept for this vulnerability. This made it possible for us to create a patch for Outlook 2010, a product that no longer receives official fixes from Microsoft.
Microsoft assigned this issue CVE-2022-35742 and fixed it by properly preserving the flag (bit) that denotes whether a Content-Type buffer needs to be freed. Our micropatch is logically equivalent to Microsoft's:
MODULE_PATH "..\AffectedModules\OUTLMIME.DLL_14.0.7268.5000_Office-2010_64bit_202104\outlmime.dll"
PATCH_ID 1025
PATCH_FORMAT_VER 2
VULN_ID 7481
PLATFORM win64
patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
PATCHLET_OFFSET 0x27d72
N_ORIGINALBYTES 5
JUMPOVERBYTES 0
PIT outlmime!0x27db9,outlmime!0x27d7d,outlmime!0x272ac
code_start
mov r15, 0 ; r15 holds the saved flag state; default 0, set by setz below
call PIT_0x272ac ; rewrite original code for patch placement
mov ebp, eax ; rewrite original code for patch placement
test eax, eax ; rewrite original code for patch placement
js PIT_0x27db9 ; rewrite original code for patch placement
mov eax, [rdi+100h] ; get flags dword from memory
and al, 2 ; isolate the flag bit
cmp al, 2 ; check flag state
setz r15b ; r15 = 1 if the flag was set, 0 otherwise
jmp PIT_0x27d7d ; jump to block where memory is copied
code_end
patchlet_end
patchlet_start
PATCHLET_ID 2
PATCHLET_TYPE 2
PATCHLET_OFFSET 0x27db3
N_ORIGINALBYTES 5
JUMPOVERBYTES 6
PIT outlmime!0x27db9
code_start
mov [rdi+12Ch], eax ; rewrite original code for patch placement
mov rax, [rbx+0F8h] ; read value from memory
test byte[rax+10h], 4 ; check whether value 4 (bit 2) is set in the byte at [rax+10h]
jnz PIT_0x27db9 ; if it is set, leave the flag alone and go to the function return block
; otherwise restore the flag state saved in r15 by patchlet 1
test r15d, r15d ; was the flag set before the copy?
jz AND_BLOCK ; r15 == 0: flag was not set, go clear it
or dword[rdi+100h], 2 ; r15 != 0: flag was set, set it again
jmp PIT_0x27db9 ; jump to function return block
AND_BLOCK:
and dword[rdi+100h], 0FFFFFFFDh ; clear the flag
; continue normal execution
code_end
patchlet_end
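To make the bug class and the patch logic concrete, here is an added example in C that is not Outlook's code and not part of the original post. It is a constructed model: a first Content-Type value is used in place inside the message buffer, a second Content-Type value is copied over it, and the copy routine rewrites the flags word as if it had just allocated the storage, marking a buffer that was never heap-allocated as one that must be freed. The preserve_owner parameter applies the same fix the micropatch does: save the ownership bit (the micropatch keeps it in r15) before the copy and restore it afterwards. The structure, the field names, the flag values other than the 0x2 bit, and the sample header values are all assumptions made for the illustration; the invalid free is detected with an address-range check rather than actually performed.

```c
/* Constructed model of the bug class behind CVE-2022-35742 (not Outlook's code):
 * an ownership bit in a flags word is clobbered by the block that copies a second
 * Content-Type value into existing storage, so the release path later frees an
 * address that was never heap-allocated. The fix mirrors the micropatch: save
 * the bit before the copy and restore it afterwards. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CT_OWNS_BUF  0x2u   /* buffer must be free()d on release; the bit the micropatch saves in r15 */
#define CT_MULTIPART 0x1u   /* assumed parse attribute, unrelated to ownership */
#define CT_SIGNED    0x4u   /* assumed parse attribute, unrelated to ownership */

struct ct_state {
    char    *buf;    /* current Content-Type value */
    size_t   cap;    /* writable bytes available at buf */
    uint32_t flags;  /* CT_* bits */
};

/* First Content-Type header: the value is used in place inside the mutable message
 * buffer, so it is not heap-owned. */
static void ct_bind_in_place(struct ct_state *s, char *value, uint32_t attrs)
{
    s->buf   = value;
    s->cap   = strlen(value) + 1;
    s->flags = attrs;                          /* CT_OWNS_BUF deliberately clear */
}

/* The "copy block": store a further Content-Type value, reusing the existing
 * storage when the new value fits and allocating otherwise. */
static int ct_store(struct ct_state *s, const char *value, uint32_t attrs, int preserve_owner)
{
    uint32_t owned = s->flags & CT_OWNS_BUF;   /* saved before the copy, as the micropatch does */
    size_t n = strlen(value) + 1;

    if (n > s->cap) {
        char *p = malloc(n);
        if (p == NULL)
            return -1;
        if (owned)
            free(s->buf);
        s->buf = p;
        s->cap = n;
        owned  = CT_OWNS_BUF;                  /* this storage really is heap-owned */
    }
    memcpy(s->buf, value, n);

    /* Vulnerable behaviour: the flags word is rewritten wholesale as if the storage
     * had just been allocated, so a reused non-heap buffer is marked as owned. */
    s->flags = attrs | CT_OWNS_BUF;

    if (preserve_owner)                        /* the fix: put the saved bit back */
        s->flags = (s->flags & ~CT_OWNS_BUF) | owned;
    return 0;
}

/* Release the value. Returns 1 if free() would have been called on an address
 * inside the message buffer (the invalid free that crashes Outlook), 0 otherwise.
 * The range check stands in for the crash so the example runs to completion. */
static int ct_release(struct ct_state *s, const char *msg, size_t msg_len)
{
    int bad = 0;
    if (s->flags & CT_OWNS_BUF) {
        uintptr_t p = (uintptr_t)s->buf, lo = (uintptr_t)msg;
        if (p >= lo && p < lo + msg_len)
            bad = 1;                           /* would free() into the message array */
        else
            free(s->buf);
    }
    s->buf   = NULL;
    s->cap   = 0;
    s->flags = 0;
    return bad;
}

/* Process a constructed message carrying two Content-Type headers. Returns 1 if the
 * release would have freed an unallocated address, 0 if not, -1 on allocation failure. */
int simulate(const char *second_value, int preserve_owner)
{
    /* constructed sample: the first header's value, living in the mutable message buffer */
    char msg[] = "multipart/signed; protocol=\"application/pkcs7-signature\"";
    struct ct_state s;

    ct_bind_in_place(&s, msg, CT_MULTIPART | CT_SIGNED);
    if (ct_store(&s, second_value, CT_MULTIPART, preserve_owner) != 0)
        return -1;
    return ct_release(&s, msg, sizeof msg);
}

int main(void)
{
    const char *longer = "multipart/mixed; boundary=\"----=_NextPart_000_0000_01D8A1B2.C3D4E5F6\"";

    printf("short second value, unpatched: invalid free = %d\n", simulate("text/plain", 0));
    printf("short second value, patched:   invalid free = %d\n", simulate("text/plain", 1));
    printf("long second value, unpatched:  invalid free = %d\n", simulate(longer, 0));
    return 0;
}
```

Only the second value that fits into the existing storage triggers the invalid free, because that is the path where the flags word is rewritten without any allocation having happened; a longer value forces a fresh malloc and the unconditional ownership bit happens to be correct. The micropatch's extra check in patchlet 2 (skipping the restore when a certain bit at [rax+10h] is set) is not modelled here, since the post does not say what that bit means.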
This video demonstrates the effect of our micropatch. With 0patch disabled, downloading the malicious email in Outlook 2010 crashes Outlook, and restarting Outlook leads to the same result, effectively disabling the user's email; with 0patch enabled, the malicious email gets downloaded and, while it can't be displayed due to its malformed content, it sits there doing no harm.
The micropatch was written for the 32-bit and 64-bit versions of Outlook 2010, fully updated with the last free updates from April 2021.
This micropatch has already been distributed to all online 0patch Agents with a PRO or Enterprise license. To obtain the micropatch and have it applied on your computers along with our other micropatches, create an account in 0patch Central, install 0patch Agent and register it to your account with a PRO or Enterprise subscription. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch.
We'd like to thank insu of 78ResearchLab for publishing their analysis and providing a proof-of-concept that allowed us to reproduce the vulnerability and create a micropatch. We also encourage security researchers to privately share their analyses with us for micropatching.