Google Project Zero bug-hunter Tavis Ormandy has alerted the world to yet another way Microsoft's anti-virus tool Windows Defender could be attacked.
Ormandy went public with the bug on Friday after Microsoft shipped its fix. He reported the issue to Redmond on June 9th.
The bug is in the x86 emulator Windows Defender uses to run suspicious code, which is not sandboxed. Its apicall instruction, the hook through which emulated code reaches routines implemented by the engine itself, runs with system privilege, and Ormandy wrote a fuzzer to exercise it.
What he found, in the post entitled “MsMpEng: mpengine x86 Emulator Heap Corruption in VFS API”, is “heap corruption in the KERNEL32.DLL!VFS_Write API”, which he suspects has so far been ignored by fuzzers.
“I suspect the MutableByteStream object [is] getting corrupted with an unchecked memcpy, I've seen multiple different stacktraces including wild eip”, he writes.
After his initial post, Ormandy mulled the exploitability of the bug and came up with a minimal two-call test case:
    MpApiCall("NTDLL.DLL", "VFS_Write", 1, Buf, 0, 0xffffffff, 0);
    MpApiCall("NTDLL.DLL", "VFS_Write", 1, Buf, 0x7ff, 0x41414141, 0);
“The first call extends the length of the file to nOffset, but because the numberOfBytes parameter is 0 no space is allocated. Then you can read and write arbitrary data to an arbitrary offset to the MutableByteStream object buffer”, he writes. “This is a very powerful exploit primitive, and exploitation does not seem difficult.” In other words, the stream's logical length is inflated without its backing buffer being grown, so any later write at an offset below that length passes the bounds check and lands past the allocation.
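The two-call sequence can be replayed against a small model of a growable byte stream. The following is an added example written for this article, not code from Ormandy's report or from mpengine: the byte_stream structure, vfs_write_vulnerable, vfs_write_fixed, replay, the 64-byte capacity and the canary "neighbour" object are all assumptions, and the offsets are scaled down from the PoC's 0xffffffff and 0x41414141 so that the stray write stays inside one arena and can be observed without undefined behaviour. The vulnerable write checks offsets only against the logical length it has just inflated; the fixed write enforces length <= capacity before any bytes move.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model written for this article: a growable byte stream with
 * the length-vs-capacity confusion that the quoted two-call test case
 * exploits. It is not mpengine's MutableByteStream or its VFS_Write. */

#define STREAM_CAPACITY 64          /* bytes really backing the stream (assumed) */
#define ARENA_SIZE 4096             /* stream buffer plus a neighbouring object */
#define CANARY_VALUE 0xdeadbeefcafef00dULL

struct byte_stream {
    uint8_t *buf;       /* backing storage, STREAM_CAPACITY bytes */
    size_t capacity;    /* bytes actually allocated */
    size_t length;      /* logical end of file, which writes may extend */
};

/* Vulnerable model: a write past the current length extends `length`, but
 * nothing re-allocates `buf`. The only check is against `length`, so a
 * zero-byte write at a large offset makes every smaller offset "in bounds". */
static int vfs_write_vulnerable(struct byte_stream *s, const uint8_t *data,
                                size_t nbytes, size_t offset)
{
    if (offset > SIZE_MAX - nbytes)
        return -1;                              /* guards only the addition */
    if (offset + nbytes > s->length)
        s->length = offset + nbytes;            /* extends the file, allocates nothing */
    memcpy(s->buf + offset, data, nbytes);      /* no capacity check: can land past buf */
    return 0;
}

/* Fixed model: the invariant length <= capacity is enforced before any
 * bytes move. A real implementation would grow the allocation here; this
 * model simply refuses, which is enough to show the difference. */
static int vfs_write_fixed(struct byte_stream *s, const uint8_t *data,
                           size_t nbytes, size_t offset)
{
    if (offset > SIZE_MAX - nbytes)
        return -1;
    size_t end = offset + nbytes;
    if (end > s->capacity)
        return -1;                              /* would exceed the allocation */
    if (end > s->length)
        s->length = end;
    memcpy(s->buf + offset, data, nbytes);
    return 0;
}

/* Replays the quoted sequence with scaled-down numbers: call 1 writes 0 bytes
 * at a far offset, call 2 writes 8 bytes at the first offset past the
 * allocation. The stream buffer and a canary "neighbour" share one arena, so
 * the stray write stays inside a single object and the corruption can be
 * observed safely. Returns 1 if the canary survived, 0 if it was clobbered. */
static int replay(int use_fixed, size_t *length_after_first)
{
    static uint8_t arena[ARENA_SIZE];
    memset(arena, 0, sizeof arena);

    struct byte_stream s = { arena, STREAM_CAPACITY, 0 };
    uint64_t canary = CANARY_VALUE;
    memcpy(arena + STREAM_CAPACITY, &canary, sizeof canary);  /* neighbour object */

    uint8_t payload[8];
    memset(payload, 'A', sizeof payload);                      /* stands in for 0x41414141 */

    int (*vfs_write)(struct byte_stream *, const uint8_t *, size_t, size_t) =
        use_fixed ? vfs_write_fixed : vfs_write_vulnerable;

    vfs_write(&s, payload, 0, 0x800);                 /* "extend the file", no bytes written */
    if (length_after_first)
        *length_after_first = s.length;
    vfs_write(&s, payload, sizeof payload, STREAM_CAPACITY);  /* lands on the neighbour */

    memcpy(&canary, arena + STREAM_CAPACITY, sizeof canary);
    return canary == CANARY_VALUE;
}

int main(void)
{
    size_t len;
    int ok = replay(0, &len);
    printf("vulnerable: length after call 1 = 0x%zx, capacity = 0x%x, canary intact = %d\n",
           len, STREAM_CAPACITY, ok);
    ok = replay(1, &len);
    printf("fixed:      length after call 1 = 0x%zx, capacity = 0x%x, canary intact = %d\n",
           len, STREAM_CAPACITY, ok);
    return 0;
}
```

Built with any C99 compiler, the vulnerable replay reports a logical length of 0x800 against a 64-byte allocation and a clobbered canary, while the fixed replay rejects both calls and leaves the neighbour untouched.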
Microsoft has issued a fixed version of the Malware Protection Engine, version 1.1.13903.0. ®