Microsoft Screws Up Open Source Code, Gets AV Vulnerability

Fri, Apr 6, 2018

There is a new security vulnerability, affecting pretty much all Windows versions (CVE-2018-09886), which combines all the things that make for a great failure story: using outdated open source software, not updating it despite the open source community basically handing you the updates on a silver platter, fucking up the code yourself, and then mixing all of this with antivirus. What could possibly go wrong?

Microsoft forked a very old version of the open source tool unrar, which is - as the name suggests - used to unpack rar files. They then incorporated the unrar code into their own antivirus solution, Windows Defender. However, before doing so they changed parts of the code: in particular, they turned signed integers into unsigned integers and removed some checks for negative values, even where those values were still unsigned integers.

What this means is that you can tell the software to start writing at address + offset, and if you set offset to -2 you end up in the memory before your allocated buffer. With this you can not only make the av engine crash, but also execute arbitrary code. That code then runs with the rights of the av engine, which runs as LocalSystem and can basically do everything that is of interest.

All you need is a crafted rar file that sets a negative offset, and the victim only has to download it. No manual execution is required afterwards, as the av engine will automatically scan the rar file, get its memory corrupted, and things proceed from there. If you do not use av, you are safe. Even if you open the rar manually with winrar, or with anything that uses the official open source unrar code, you are safe, because that bug is not present there and the code stops if offset < 0. This only works with the av engine enabled.
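The signed/unsigned mix-up described above (the removed `offset < 0` check, and why a negative offset becomes a write before the buffer) is easy to reproduce in miniature. The following is an added example, not code from unrar or Defender: `offset_ok_signed` models the check the page says the official unrar code still performs, `offset_ok_unsigned_naive` models a check whose parameter was switched to unsigned so that -2 arrives as a huge value and the negative test is gone, and `write_at` shows the hardened gate in front of the actual copy. The field width (`int32_t`) and the buffer sizes are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offset as it arrives from the archive header: a signed field (assumed
 * 32-bit here), so attacker-controlled input can make it negative. */
typedef int32_t archive_off_t;

/* Check in the style the page attributes to the original unrar code:
 * reject negative offsets first, then bound the write without overflow. */
bool offset_ok_signed(archive_off_t offset, size_t n, size_t buflen) {
    if (offset < 0) return false;                /* the check that was dropped */
    if ((size_t)offset > buflen) return false;   /* offset itself past the end */
    return n <= buflen - (size_t)offset;         /* subtraction cannot underflow now */
}

/* Failure mode modelled after the page: the parameter was made unsigned, so
 * "offset < 0" is always false and was removed. -2 now shows up as
 * SIZE_MAX - 1, and offset + n wraps around to a small number, so the
 * remaining upper-bound test happily accepts an out-of-bounds position. */
bool offset_ok_unsigned_naive(size_t offset, size_t n, size_t buflen) {
    return offset + n <= buflen;                 /* wraps when offset is near SIZE_MAX */
}

/* Hardened write: only copies when the signed check passes.
 * Returns the number of bytes written, 0 when the request is rejected. */
size_t write_at(uint8_t *buf, size_t buflen, archive_off_t offset,
                const uint8_t *data, size_t n) {
    if (!offset_ok_signed(offset, n, buflen)) return 0;
    memcpy(buf + offset, data, n);
    return n;
}

int main(void) {
    /* Constructed inputs: a 64-byte buffer, a 4-byte write, offset -2. */
    archive_off_t off = -2;
    printf("signed check  : %s\n", offset_ok_signed(off, 4, 64) ? "accept" : "reject");
    printf("unsigned naive: %s (offset seen as %zu)\n",
           offset_ok_unsigned_naive((size_t)off, 4, 64) ? "accept" : "reject",
           (size_t)off);
    return 0;
}
```

The naive variant accepts the -2 offset because the addition wraps; the signed check rejects it, which is why the page notes that software using the official unrar code "stops if offset < 0".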

It also looks like this bug might have been around since 2012, and Sophos av was affected back then as well. Fun times with antivirus software, the modern version of snake oil. And some people even pay for this shit.