Musings tagged as microsoft

There is a new exploit out in the wild that can pretty much crash most Windows computers within seconds.

Actually, this bug has been around at least since July 2017. It consists of a malformed NTFS image which, when placed on a USB thumb drive and inserted into a Windows computer, will crash it within seconds. One reason this automatic BSOD generation works is the auto-play functionality. But even with auto-play disabled, manually opening the file, or having it opened by anti virus software snake oil, will achieve the same effect.

Marius Tivadar, the researcher who discovered this flaw in 2017, told Microsoft about it. Microsoft declined to classify the issue as a security bug and also downgraded the bug’s severity because

exploiting it requires either physical access or social engineering (tricking the user)

Now, when did “tricking the user” ever work? And of course Microsoft has apparently never heard of malware which can simply download additional features such as this to your PC for your bluescreening pleasure.

Proof of concept code is available on GitHub, so everyone can have fun with this now. Marius also published two videos of the exploit in action, showing that it can also crash locked PCs.

There is a new security vulnerability, affecting pretty much all Windows versions (CVE-2018-09886), which combines all the things that make for a great failure story: using outdated open source software, not updating it despite the open source community basically handing you updates on a silver platter, fucking up the code yourself, and then mixing all this with anti virus. What could possibly go wrong?

Microsoft forked a very old version of the open source tool unrar, which is - as the name suggests - used to unpack rar files. They then incorporated the unrar code into their own anti virus solution, Windows Defender. However, before doing so they changed parts of the code: in particular, they turned signed integers into unsigned integers and removed some checks for negative values, even where those values were still unsigned integers.

What this means is that you can tell the software to start writing at address + offset, and if you set offset to -2 you end up in the memory space before your allocated buffer. With this you can not only make the AV engine crash, but also execute arbitrary code. That code then runs with the rights of the AV engine, which runs as LocalSystem and can basically do pretty much everything that is of interest.

All you need is a crafted rar file that sets a negative offset, and the victim only has to download it. No manual execution is required afterwards, as the AV engine will automatically scan the rar file, get its memory corrupted, and things proceed from there. If you do not use AV, you are safe. Even if you open the rar manually with WinRAR, or anything that uses the official open source unrar code, you are safe, because that bug is not present there and the code stops if offset < 0. This only works with the AV engine enabled.
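As an added illustration (this is not the unrar, WinRAR or Defender code; function names and the buffer size are constructed for the demo), the following C shows why the `offset < 0` check that stops the upstream code is worthless once the offset has become unsigned, where a 32-bit `base + offset` lands for an offset of -2, and what a bounds check that holds regardless of signedness looks like:

```c
/* Constructed demo of the signed-to-unsigned offset bug class described above.
 * Hypothetical names; not taken from unrar or Windows Defender. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define WINDOW_SIZE 4096u   /* constructed size of the output buffer */

/* Upstream-style check: offset is signed, so -2 is rejected outright. */
bool upstream_offset_ok(int32_t offset, uint32_t len) {
    if (offset < 0)
        return false;                       /* the check the fork lost */
    return (uint32_t)offset + len <= WINDOW_SIZE;
}

/* Forked-style check: offset is now unsigned. An "offset < 0" test can never
 * be true (compilers flag it as always false), so it was dropped here too.
 * What is left wraps: 0xFFFFFFFE + 4 == 2 in 32-bit arithmetic, so an
 * offset of -2 passes as if it were tiny. */
bool forked_offset_ok(uint32_t offset, uint32_t len) {
    return offset + len <= WINDOW_SIZE;
}

/* Where the write lands in a 32-bit address space: base + offset modulo 2^32,
 * so (uint32_t)-2 points two bytes before the buffer, as the post describes. */
uint32_t target_address32(uint32_t base, uint32_t offset) {
    return base + offset;
}

/* Hardened check: correct for any signedness and immune to wraparound,
 * because it subtracts instead of adding. */
bool hardened_offset_ok(uint32_t offset, uint32_t len) {
    if (offset > WINDOW_SIZE)
        return false;
    return len <= WINDOW_SIZE - offset;
}

int main(void) {
    uint32_t neg2 = (uint32_t)-2;           /* 0xFFFFFFFE */
    printf("upstream  offset=-2 len=4: %s\n", upstream_offset_ok(-2, 4) ? "ok" : "rejected");
    printf("forked    offset=-2 len=4: %s\n", forked_offset_ok(neg2, 4) ? "ok" : "rejected");
    printf("target    base=0x10000000 offset=-2: 0x%08x\n", target_address32(0x10000000u, neg2));
    printf("hardened  offset=-2 len=4: %s\n", hardened_offset_ok(neg2, 4) ? "ok" : "rejected");
    return 0;
}
```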

It also looks like this bug might have been around since 2012, and Sophos AV was affected back then as well. Fun times with anti virus software, the modern version of snake oil. And some people even pay for this shit.
