On September 20, 2018, the Zero Day Initiative is releasing additional information regarding a bug report that has exceeded its 120-day disclosure timeline. More details on this process can be found in their disclosure policy.

An out-of-bounds (OOB) write in the Microsoft JET Database Engine that could allow remote code execution was initially reported to Microsoft on May 8, 2018. An attacker could leverage this vulnerability to execute code in the context of the current process; however, it does require user interaction, since the target would need to open a malicious file. As of today, this bug remains unpatched.

The Vulnerability
The root cause of this issue resides in the Microsoft JET Database Engine. Microsoft patched two other issues in JET in the September Patch Tuesday updates. While the patched bugs are listed as buffer overflows, this additional bug is actually an out-of-bounds write, which can be triggered by opening a Jet data source via OLEDB. Here’s a look at the resulting crash:

To trigger this vulnerability, a user would need to open a specially crafted file containing data stored in the JET database format. Various applications use this database format, so the file need not arrive as an obvious Access database. An attacker using this would be able to execute code at the privilege level of the current process.

If you’d like to test this out for yourself, you can find the proof of concept code here:

The investigation has confirmed this vulnerability exists in Windows 7, but the Zero Day Initiative believes that all supported Windows versions are impacted by this bug, including server editions. You can view their advisory here. Microsoft continues to work on a patch for this vulnerability, and the Zero Day Initiative hopes to see it in the regularly scheduled October patch release. In the absence of a patch, the only salient mitigation strategy is to exercise caution and not open files from untrusted sources.
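Because the trigger is a Jet-format file opened by whatever application handles it, and the post notes that various applications use this format, filtering on the `.mdb` extension alone is a weak control. The following is an added example (not from the original post or from ZDI) of a content-based check a mail gateway or intake script could apply, flagging Jet/ACE data regardless of the name it arrives under. It assumes the documented Jet file header layout: four leading bytes `00 01 00 00` followed at offset 4 by the NUL-terminated string `Standard Jet DB` (or `Standard ACE DB` for the later ACE engine). The sample attachments are constructed in-memory stand-ins, not real databases.

```python
import os

# Known Jet/ACE header strings found at file offset 4 (assumed format fact).
JET_SIGNATURES = {
    b"Standard Jet DB": "Jet 3/4 (.mdb)",
    b"Standard ACE DB": "ACE (.accdb)",
}

# Extensions under which a Jet file would be expected; anything else is a mismatch.
JET_EXTENSIONS = {".mdb", ".mde", ".accdb", ".accde"}

# Leading four bytes of every Jet/ACE file (assumed format fact).
JET_MAGIC = b"\x00\x01\x00\x00"


def identify_jet_file(data: bytes):
    """Return a format label if the bytes carry a Jet/ACE header, else None."""
    if len(data) < 20 or data[:4] != JET_MAGIC:
        return None
    for signature, label in JET_SIGNATURES.items():
        end = 4 + len(signature)
        # The format string is NUL-terminated in the header.
        if data[4:end] == signature and data[end:end + 1] == b"\x00":
            return label
    return None


def classify_attachments(attachments):
    """
    attachments: dict of {filename: bytes}.
    Returns a list of (filename, format_label, extension_matches) for every
    attachment whose content is a Jet/ACE database, whatever its extension.
    """
    flagged = []
    for name, data in attachments.items():
        label = identify_jet_file(data)
        if label is None:
            continue
        ext = os.path.splitext(name)[1].lower()
        flagged.append((name, label, ext in JET_EXTENSIONS))
    return flagged


def build_sample_attachments():
    """Constructed sample inputs: minimal headers padded with zeros (not real databases)."""
    pad = b"\x00" * 64
    return {
        "report.mdb": JET_MAGIC + b"Standard Jet DB\x00" + pad,   # expected extension
        "invoice.txt": JET_MAGIC + b"Standard Jet DB\x00" + pad,  # Jet data under a .txt name
        "notes.accdb": JET_MAGIC + b"Standard ACE DB\x00" + pad,  # ACE variant
        "readme.txt": b"This is plain text, not a database." + pad,
    }


if __name__ == "__main__":
    for name, label, ext_ok in classify_attachments(build_sample_attachments()):
        status = "expected extension" if ext_ok else "EXTENSION MISMATCH"
        print(f"{name}: {label} ({status})")
```

The interesting output is the mismatch case: a file named `invoice.txt` that is really Jet data. A gateway would typically quarantine both the mismatched file and, in the window before a patch ships, any Jet-format attachment from an untrusted sender.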

As always, Simon Zuckerbraun can be found on Twitter at @HexKitchen, and you can follow the team for the latest in exploit techniques and security patches.

Disclosure Timeline:
 * 05/08/18 – ZDI reported the vulnerability to the vendor, and the vendor acknowledged it that same day
 * 05/14/18 – The vendor replied that they had successfully reproduced the issue ZDI reported
 * 09/09/18 – The vendor reported an issue with the fix and that the fix might not make the September release
 * 09/10/18 – ZDI cautioned potential 0-day
 * 09/11/18 – The vendor confirmed the fix did not make the build
 * 09/12/18 – ZDI confirmed to the vendor the intention to 0-day on 09/20/18
 * 09/20/18 – Coordinated public release of advisory
