And ProjectZero releases the details of the vulnerability

With an emergency update, Microsoft fixed the vulnerability in the Microsoft Malware Protection Engine discovered by Project Zero over the weekend, which the two researchers described as “the worst Windows remote code exec in recent memory”.

[embed]https://www.andreafortuna.org/the-worst-windows-rce-exploit-of-all-time-is-coming-41ddd286eb2a[/embed]

While initially the two Google experts didn’t reveal what Windows feature the bug was found in, the veil of mystery lifted yesterday when both Microsoft and the two experts shared more details about the issue (CVE-2017-0290):

MsMpEng is the Malware Protection service that is enabled by default on Windows 8, 8.1, 10, Windows Server 2012, and so on. Additionally, Microsoft Security Essentials, System Centre Endpoint Protection and various other Microsoft security products share the same core engine. MsMpEng runs as NT AUTHORITY\SYSTEM without sandboxing, and is remotely accessible without authentication via various Windows services, including Exchange, IIS, and so on.

On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on. This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine. MIME types and file extensions are not relevant to this vulnerability, as MsMpEng uses its own content identification system.


Simple to exploit

The Microsoft Malware Protection Engine (MsMpEng) is a core service that ships with Windows 7, Windows 8.1, Windows 10, and Windows Server 2016, and it is the core of many Microsoft security tools, such as:

  • Windows Defender
  • Microsoft Security Essentials
  • Microsoft Endpoint Protection
  • Microsoft System Center Endpoint Protection
  • Windows Intune Endpoint Protection
  • Microsoft Forefront Security for SharePoint Service Pack 3
  • Microsoft Forefront Endpoint Protection 2010

The vulnerability is trivially exploitable, with no user interaction needed, including scenarios such as sending an email with the exploit included in the message’s body, hosting malicious JavaScript code inside a web page, or delivering a JS exploit via ads on reputable sites:

[embed]https://twitter.com/natashenka/status/861748397409058816[/embed]

Here is a proof of concept, but please be aware that downloading it will immediately crash MsMpEng in its default configuration and possibly destabilize your system:

[embed]https://gist.github.com/andreafortuna/74513804dc9130a7dd4bb49b632f73fc[/embed]


Issue was patched within days

This time Microsoft has behaved well: given the severity of the vulnerability, the patch was released in no time, earning even the compliments of Google’s security researchers:

[embed]https://twitter.com/taviso/status/861751140437839872[/embed]

The first version of the Microsoft Malware Protection Engine affected by this flaw is v1.1.13701.0 and the issue has been patched in v1.1.13704.0.
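To verify that a machine is on a fixed engine build, the following PowerShell check (an added example, not part of the original post or of any Microsoft tool) reads the running engine version via the Defender module's Get-MpComputerStatus and compares it against the two build numbers quoted above; the function name and the output fields are my own.

```powershell
# Added example: report whether the local Malware Protection Engine build
# is at or past the fixed build named in the post (1.1.13704.0).
# Assumes the Defender PowerShell module (Get-MpComputerStatus) is present.
function Test-MpEngineFixed {
    [CmdletBinding()]
    param(
        # Engine version string; defaults to the running engine when omitted,
        # so a captured value from an inventory can also be passed in.
        [string]$EngineVersion = (Get-MpComputerStatus).AMEngineVersion
    )

    $fixedEngine   = [version]'1.1.13704.0'  # fixed build, per the post
    $firstAffected = [version]'1.1.13701.0'  # first affected build, per the post

    # Cast to [version] so that "1.1.9999.0" does not sort above
    # "1.1.13704.0" the way a plain string comparison would.
    $engine = [version]$EngineVersion

    $state = if ($engine -ge $fixedEngine) {
        'Patched'
    } elseif ($engine -ge $firstAffected) {
        'Affected'
    } else {
        # Older than the first affected build named in the post, but still
        # below the fixed build, so it should be updated regardless.
        'OlderThanFirstAffected'
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        EngineVersion = $engine
        FixedIn       = $fixedEngine
        State         = $state
    }
}

# Local check; the function body is self-contained so it can also be
# fanned out to other hosts, e.g.:
#   Invoke-Command -ComputerName host1, host2 -ScriptBlock ${function:Test-MpEngineFixed}
Test-MpEngineFixed | Format-List
```

Pair the result with the engine's auto-update status, since an engine that has stopped updating will keep reporting an old build no matter how many signature refreshes are pushed.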