Microsoft Windows Jet Database Engine Out-Of-Bounds Write Vulnerability: CVE-2018-8423

An out-of-bounds write vulnerability was disclosed to Microsoft. The issue affects the Microsoft JET Database Engine. Upon successful exploitation an attacker can gain code execution on the target machine in the context of the current process. To trigger this vulnerability, the target user needs to open a crafted file containing data stored in the JET database format. Many Windows applications use the JET Database Engine; Microsoft Access provides an easy-to-use interface to it. A PoC has been released that crashes the target application with an "Access Violation" error.

Vulnerability
As mentioned earlier, this is an out-of-bounds write vulnerability. The issue occurs due to improper management of indexes within the Jet database engine. An attacker can write beyond an allocated buffer and gain arbitrary code execution in the context of the target process. The PoC released by ZDI crashes the target machine.

(94c.48c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00002300 ebx=00000002 ecx=0276e888 edx=00000000 esi=0db8cf38 edi=0026d474
eip=6b051234 esp=0026d2e8 ebp=0971427c iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
msrd3x40!TblPage::CreateIndexes+0x194:
6b051234 89b48174050000  mov     dword ptr [ecx+eax*4+574h],esi ds:0023:027779fc=????????

 # ChildEBP RetAddr  
00 0026d394 6b051a03 msrd3x40!TblPage::CreateIndexes+0x194
01 0026d3b8 6b04ee6e msrd3x40!TblPage::InitTable+0x173
02 0026d400 6b03707b msrd3x40!Table::Open+0x13e
03 0026d424 6b040945 msrd3x40!Instance::Instance+0x1fb
04 0026d448 6b03117e msrd3x40!Session::OpenDatabase+0xe5
05 0026d484 6a2e7137 msrd3x40!ErrIsamOpenDatabase+0x8e
06 0026d4a8 6a2dbb2b msjet40!ErrOpenForeignDatabase+0x67
07 0026d714 6a2df69d msjet40!ErrOpenDatabase+0x34b
08 0026d730 6b9c310b msjet40!JetOpenDatabase+0x4d

In the debug log above we can see the crash due to an "Access Violation". From the faulting instruction we can see that it was trying to write to an address beyond the buffer boundary (ecx+0x9174, i.e. ecx+eax*4+0x574 with eax = 0x2300). If we backtrack we can find the function that allocated the buffer.

eax=0276e888 ebx=00000000 ecx=77795bd3 edx=00000000 esi=04d1efb0 edi=0026d474
eip=6b05466f esp=0026d3f8 ebp=0026d40c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
msrd3x40!operator new+0x1d:

 # ChildEBP RetAddr  
00 0026d3f0 6b05466f msrd3x40!malloc+0x49
01 0026d40c 6b037022 msrd3x40!operator new+0x1d
02 0026d424 6b040945 msrd3x40!Instance::Instance+0x1a2
03 0026d448 6b03117e msrd3x40!Session::OpenDatabase+0xe5
04 0026d484 6a2e7137 msrd3x40!ErrIsamOpenDatabase+0x8e
05 0026d4a8 6a2dbb2b msjet40!ErrOpenForeignDatabase+0x67
06 0026d714 6a2df69d msjet40!ErrOpenDatabase+0x34b
07 0026d730 6b9c310b msjet40!JetOpenDatabase+0x4d

In the call stack above we can see that msrd3x40!Instance::Instance calls a wrapper function (msrd3x40!operator new) that in turn calls malloc() to allocate the buffer in question. The buffer size is 0x778 bytes, which is clearly less than the offset 0x9174. If we check the instruction where the crash occurs, the offset is calculated as ecx+eax*4+574h, where eax = 0x2300. Upon further analysis we find that this value is produced by msrd3x40!Index::Restore. The function accepts a buffer address as an argument. The buffer in question contains the contents of the file group1 (part of the PoC). The value 0x2300 is read directly from the data source file: it is the little-endian dword 00 23 00 00 at 09c54258 in the dump below.

09c53000  00 01 00 00 53 74 61 6e-64 61 72 64 20 4a 65 74  ....Standard Jet
09c53010  20 44 42 00 00 00 00 00-00 01 00 00 01 01 00 00   DB.............
09c53020  02 00 00 00 03 00 00 00-04 00 00 00 05 00 00 00  ................
09c53030  00 00 00 00 00 00 00 00-00 00 09 04 e4 04 00 00  ................
...
09c54258  00 23 00 00 00 00 00 00-00 ff ff ff ff 00 00 00  .#..............
09c54268  00 04 04 00 02 49 64 0c-50 61 72 65 6e 74 49 64  .....Id.ParentId
09c54278  4e 61 6d 65 09 00 04 06-00 00 05 06 00 00 08 00  Name............
09c54288  02 06 00 00 03 06 00 00-0d 00 08 06 00 00 09 06  ................
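The following Python script is an added illustration, not part of the original Qualys write-up or the ZDI PoC. It parses the WinDbg dump lines shown above, reads the little-endian dword at 09c54258, reproduces the offset arithmetic of the faulting instruction, and applies the bounds check the engine needed before performing the write. The constants 0x574, 0x778, 0x2300 and ecx=0x0276e888 come from the crash analysis on this page; the 4-byte entry width is inferred from the eax*4 scale factor. The script makes no claim about what the value means inside the Jet file format (field names are not taken from the page).

```python
import re

# Values quoted in the crash analysis above.
ALLOC_SIZE = 0x778        # size of the buffer allocated via msrd3x40!operator new
ENTRY_BASE = 0x574        # constant displacement in "mov [ecx+eax*4+574h], esi"
ENTRY_SIZE = 4            # scale factor in the same instruction (eax*4), inferred
BUFFER_BASE = 0x0276E888  # ecx at the time of the crash

# WinDbg "db"-style dump lines copied from the page; only the line holding
# the controlling value is strictly needed for this example.
DUMP_LINES = """
09c54258  00 23 00 00 00 00 00 00-00 ff ff ff ff 00 00 00  .#..............
09c54268  00 04 04 00 02 49 64 0c-50 61 72 65 6e 74 49 64  .....Id.ParentId
""".strip().splitlines()

_LINE_RE = re.compile(r"^([0-9a-f]{8})\s+((?:[0-9a-f]{2}[ -]){15}[0-9a-f]{2})")


def parse_dump(lines):
    """Return {address: bytes} for each WinDbg-style 16-byte dump line."""
    mem = {}
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # skip elision markers ("...") and non-dump lines
        addr = int(m.group(1), 16)
        raw = m.group(2).replace("-", " ").split()
        mem[addr] = bytes(int(b, 16) for b in raw)
    return mem


def read_u32le(mem, addr):
    """Read a little-endian 32-bit value at addr from a parsed dump."""
    for base, chunk in mem.items():
        if base <= addr and addr + 4 <= base + len(chunk):
            off = addr - base
            return int.from_bytes(chunk[off:off + 4], "little")
    raise ValueError("address not covered by dump: %#x" % addr)


def write_offset(index):
    """Byte offset inside the buffer written by the faulting instruction."""
    return ENTRY_BASE + index * ENTRY_SIZE


def fault_address(index):
    """Absolute address the store would hit for a given eax value."""
    return BUFFER_BASE + write_offset(index)


def index_fits(index, alloc_size=ALLOC_SIZE):
    """The missing check: does the 4-byte write stay inside the allocation?"""
    return 0 <= index and write_offset(index) + ENTRY_SIZE <= alloc_size


def max_safe_index(alloc_size=ALLOC_SIZE):
    """Largest index value for which the write still fits the buffer."""
    return (alloc_size - ENTRY_BASE - ENTRY_SIZE) // ENTRY_SIZE


if __name__ == "__main__":
    mem = parse_dump(DUMP_LINES)
    idx = read_u32le(mem, 0x09C54258)
    print("value from file: %#x" % idx)
    print("write offset   : %#x (buffer is %#x bytes)" % (write_offset(idx), ALLOC_SIZE))
    print("fault address  : %#010x" % fault_address(idx))
    print("fits allocation: %s (max safe index %#x)" % (index_fits(idx), max_safe_index()))
```

Running it reproduces the numbers in the analysis: the dword at 09c54258 is 0x2300, the resulting write offset is 0x9174, and the fault address is 0x027779fc, the same address WinDbg reports as unreadable. The bounds check shows that any index above 0x80 already leaves the 0x778-byte allocation, which is the condition a patched reader must reject before touching memory.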

Mitigation
Qualys customers can use QID 91474 to detect vulnerable targets. Currently the QID detects only 32-bit versions of Windows 7 SP1 and Windows 2008 SP2 (excluding Core). We are actively working on refining our detections. Until the patch is released, the general rule of thumb is to not open unrecognized or unfamiliar files.

Update: Microsoft addressed this issue in the October 2018 patches. CVE-2018-8423 affects all versions of Windows. QID 91474 has been updated to detect vulnerable targets.

Please continue to follow Qualys Threat Protection for information on this vulnerability.

References
(0Day) Microsoft Windows Jet Database Engine Out-Of-Bounds Write Remote Code Execution Vulnerability
ZDI-CAN-6135
CVE-2018-8423 | Microsoft JET Database Engine Remote Code Execution Vulnerability
