An Out-of-Bounds write vulnerability was disclosed to Microsoft. The issue affects Microsoft JET Database engine. Upon successful exploitation an attacker can gain code execution (current process context) on the target machine. To trigger this vulnerability, the target user needs to open a crafted file containing data stored in JET database format. Many Windows application use the JET Database engine. Microsoft Access provides an easy-to-use interface to the Jet database engine. A PoC has been released that crashes the target application due to an “Access Violation” error.
Vulnerability
As mentioned earlier it is an Out-of-Bounds vulnerability. The issue occurs due to improper management of indexes within the Jet database engine. An attacker can write beyond an allocated buffer and gain arbitrary code execution under the context of the target process. The PoC released by ZDI crashes the target machine.
(94c.48c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00002300 ebx=00000002 ecx=0276e888 edx=00000000 esi=0db8cf38 edi=0026d474 eip=6b051234 esp=0026d2e8 ebp=0971427c iopl=0 nv up ei pl nz ac po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212 msrd3x40!TblPage::CreateIndexes+0x194: 6b051234 89b48174050000 mov dword ptr [ecx+eax*4+574h],esi ds:0023:027779fc=???????? # ChildEBP RetAddr 00 0026d394 6b051a03 msrd3x40!TblPage::CreateIndexes+0x194 01 0026d3b8 6b04ee6e msrd3x40!TblPage::InitTable+0x173 02 0026d400 6b03707b msrd3x40!Table::Open+0x13e 03 0026d424 6b040945 msrd3x40!Instance::Instance+0x1fb 04 0026d448 6b03117e msrd3x40!Session::OpenDatabase+0xe5 05 0026d484 6a2e7137 msrd3x40!ErrIsamOpenDatabase+0x8e 06 0026d4a8 6a2dbb2b msjet40!ErrOpenForeignDatabase+0x67 07 0026d714 6a2df69d msjet40!ErrOpenDatabase+0x34b 08 0026d730 6b9c310b msjet40!JetOpenDatabase+0x4d
In the debug log above we can see the crash due to “Access Violation“. Based on the assembly instruction we can see that it was trying to access an address beyond the buffer boundary (ecx+0x9174). If we back track we can find the function that declared the buffer.
eax=0276e888 ebx=00000000 ecx=77795bd3 edx=00000000 esi=04d1efb0 edi=0026d474 eip=6b05466f esp=0026d3f8 ebp=0026d40c iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 msrd3x40!operator new+0x1d: # ChildEBP RetAddr 00 0026d3f0 6b05466f msrd3x40!malloc+0x49 01 0026d40c 6b037022 msrd3x40!operator new+0x1d 02 0026d424 6b040945 msrd3x40!Instance::Instance+0x1a2 03 0026d448 6b03117e msrd3x40!Session::OpenDatabase+0xe5 04 0026d484 6a2e7137 msrd3x40!ErrIsamOpenDatabase+0x8e 05 0026d4a8 6a2dbb2b msjet40!ErrOpenForeignDatabase+0x67 06 0026d714 6a2df69d msjet40!ErrOpenDatabase+0x34b 07 0026d730 6b9c310b msjet40!JetOpenDatabase+0x4d
In the call stack above we can see that msrd3x40!Instance::Instance calling a wrapper function (msrd3x40!operator new) that calls malloc() to allocate the buffer in question. The buffer size is 0x778 bytes which is clearly less than offset 0x9174. If we check the instruction where the crash occurs the offset is calculated as ecx+eax*4+574h, here eax = 0x2300. Upon further analysis we find that this value is obtained by msrd3x40!Index::Restore. The function accepts a buffer address as an argument. The buffer in question contains the contents of the file group1 (part of PoC). The value 0x2300 is obtained from the data source file.
09c53000 00 01 00 00 53 74 61 6e-64 61 72 64 20 4a 65 74 ....Standard Jet 09c53010 20 44 42 00 00 00 00 00-00 01 00 00 01 01 00 00 DB............. 09c53020 02 00 00 00 03 00 00 00-04 00 00 00 05 00 00 00 ................ 09c53030 00 00 00 00 00 00 00 00-00 00 09 04 e4 04 00 00 ................ . . . 09c54258 00 23 00 00 00 00 00 00-00 ff ff ff ff 00 00 00 .#.............. 09c54268 00 04 04 00 02 49 64 0c-50 61 72 65 6e 74 49 64 .....Id.ParentId 09c54278 4e 61 6d 65 09 00 04 06-00 00 05 06 00 00 08 00 Name............ 09c54288 02 06 00 00 03 06 00 00-0d 00 08 06 00 00 09 06 ................
Mitigation
Qualys customers can use QID: 91474 to detect vulnerable targets. Currently the QID detects only 32 bit versions Windows 7 SP1 and Windows 2008 SP2 (excluding core). We are actively working on refining our detections. Till the patch is released, the general rule of thumb is to not open unrecognized/unfamiliar files.
Update: Microsoft has addressed this issue in October 2018 patches, CVE-2018-8423 affects all versions of Windows. QID: 91474 has been updated to detect vulnerable targets.
Please continue to follow Qualys Threat Protection for information on this vulnerability.
References
(0Day) Microsoft Windows Jet Database Engine Out-Of-Bounds Write Remote Code Execution Vulnerability
ZDI-CAN-6135
CVE-2018-8423 | Microsoft JET Database Engine Remote Code Execution Vulnerability