
Remotely Exploitable Type Confusion in Windows 8, 8.1, 10, Windows Server, etc - runesoerensen
https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
======
statictype
_NScript is the component of mpengine that evaluates any filesystem or network
activity that looks like JavaScript. To be clear, this is an unsandboxed and
highly privileged JavaScript interpreter that is used to evaluate untrusted
code, by default on all modern Windows systems. This is as surprising as it
sounds._

Double You Tee Eff.

Why would mpengine ever want to evaluate javascript code coming over the
network or file system? Even in a sandboxed environment?

What could they protect against by evaluating the code instead of just trying
to lexically scan/parse it?

(I'm sure they had a reason - wondering what it is)

~~~
ploxiln
This is the standard strategy that every antivirus product has used for most
of their history. Remember the one about Symantec doing exactly this in a
kernel module: [https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html](https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html)

I've known for over a decade that antivirus products are strangely
destabilizing and stayed away from them myself. For the last year or so that
Tavis has been investigating them, we know why. They're just really dumb.
Because the popular commercial computer security product market is a "market
for lemons":
[https://www.schneier.com/blog/archives/2007/04/a_security_mark.html](https://www.schneier.com/blog/archives/2007/04/a_security_mark.html)

~~~
Majestic121
I may be misunderstanding, but I would expect the "market for lemons" to be
only valid for a physical market, no? The principle being that high quality
cars are sold faster and get out of the market, so the average quality
decreases. But for antivirus, selling the antivirus does not get it out of the
market (the inverse is pretty much true since it makes it more famous), hence
the average quality does not decrease.

~~~
ploxiln
You misunderstand the physical car market metaphor - the high quality cars are
_not_ sold faster. They are taken off the market and not sold at all, because
the market price is too low. The market price is too low because the buyers
can't tell good from bad, so they just guess they will get average quality,
and just pay what the average is worth. They don't pay for the high-quality
used cars - even if they did, it would usually be for the wrong cars.

------
to3m
SourceTree is pretty much unusable on my laptop, because every time it does
_anything_ the antimalware service springs into life and uses up anything from
20%-80% of the CPU power available. I've had it take 30 seconds to revert 1
line. It's stupid.

I was very much prepared to blame Atlassian for this, but maybe I need to
start thinking about blaming Microsoft instead, because it sounds like they've
made a few bad decisions here.

(Still, if my options are this, or POSIX, I'll take this, thanks. Dear
Antimalware Service Executable, please, take _all_ of my CPUs; whatever
SourceTree is doing, I can surely wait. Also, please feel free to continue to
run _fucking Javascript_ as administrator... I don't mind. It's a small price
to pay if it means I don't have to think about EINTR or CLOEXEC.)

~~~
Sir_Cmpwn
I'm curious to hear your rationale for preferring Windows over POSIX. It's
interesting to draw that comparison and conclude that Windows is better (most
arguments favor the UI/UX, the large body of software, or the hardware support
- not APIs/standards).

~~~
to3m
1. Signals are bad. All the bad bits of IRQs, and you're not even working in
assembly language, so they're twice as hard. Just say no.

2. The forking model is seductive, but wrong-headed. It's hard to make the
file descriptor inheritance behave correctly, and it means the memory
requirements are unpredictable (due to the copy-on-write pages)

3. Readiness I/O is not really the right way to do things, because there are
obvious race conditions, and the OS can't guarantee one thread woken per
pending operation (because it has no idea which threads will do what). Also,
the process owns the buffer, which really limits what the OS can do... it
needs to be able to own the buffer for the duration of the entire operation
for best results, so it can fill it on any ready thread, map the buffer into
the driver's address space, etc.

4. Poor multithreading primitives. This really annoyed me... like, you've got
a bunch of pthreads stuff, but it doesn't interact with select & co. The Linux
people aren't dumb, so they give you eventfd - but there's no promise of
single wakeup! NT wakes up one thread per increment, and the wakeup atomically
decrements the semaphore; Linux wakes up every thread waiting on the
semaphore, and they all fight over it, because there's no other option.

(I'm just ignoring POSIX semaphores entirely, because they don't let you wait
on them with select/poll/etc. in the first place.)

(Perhaps this and #3 ought to be the same item, because they are related. And
the end result is that you need to use non-blocking IO for everything... but
the non-blocking IO is crippled, because it still has to copy out into the
caller's buffer. It's just a more inconvenient programming model, for no real
benefit.)

I guess it just boils down to what you want: a beautifully polished turd, or a
carefully engineered system assembled from turds.

~~~
comex
> The Linux people aren't dumb, so they give you eventfd - but there's no
> promise of single wakeup! NT wakes up one thread per increment, and the
> wakeup atomically decrements the semaphore; Linux wakes up every thread
> waiting on the semaphore, and they all fight over it, because there's no
> other option.

You can get Linux to only wake up one thread using epoll and either
EPOLLEXCLUSIVE or EPOLLONESHOT.

Though I don't really understand why you'd want to wait on a semaphore and
other waitables at the same time… probably this is just my Unix bias/lack of
Windows experience showing.

~~~
marcosdumay
> Though I don't really understand why you'd want to wait on a semaphore and
> other waitables at the same time…

This. I probably also lack some specific kind of experience because I never
understood why you would lock a lot of threads on a semaphore, and only want
one of them to execute after a signal.

I just never saw the use case for that. Yet people complain about it a lot.

------
jeffy
Contents of the PoC are a ".zip" file that is actually plain-text (the engine
ignores extension/mime types) and contains just this line of JS and 90kb of
nonsense JS for entropy.

    (new Error()).toString.call({message: 0x41414141 >> 1})

It's hard to imagine MS doesn't receive tons of watson crash reports of
MsMpEng from trying to run bits of random JS. If they haven't looked at them,
they probably should start now.

------
pierrec
I think this sentence sums up the severity pretty well:

 _The attached proof of concept demonstrates this, but please be aware that
downloading it will immediately crash MsMpEng in its default configuration and
possibly destabilize your system. Extra care should be taken sharing this
report with other Windows users via Exchange, or web services based on IIS,
and so on._

And I think the intended formulation was "care should be taken sharing this
report with other Windows users _or_ via Exchange, or web services based on
IIS..." (because they're afraid it could crash the servers even if sharing
between non-Windows users!)

------
scarybeast
Props on the fast fix; anti-props on running an unsandboxed JavaScript engine
at SYSTEM privileges and feeding it files from remote.

~~~
inlined
I'm really surprised here. When I worked on Windows we used the STRIDE model
and had to do formal threat model analysis for every component. The reviews I
was in for Win 8 took a full day. A TMA should have immediately shown
that a security boundary was needed.

~~~
gpvos
TMA = ? (I'm guessing Threat Model Analysis?)

~~~
inlined
Yes. It's a formal doc that models information flowing between different
actors separated by security boundaries.

------
e12e
Did anyone manage to figure out a simple powershell-incantation to figure out
if a system is properly patched/secure?

[https://technet.microsoft.com/en-us/library/security/4022344](https://technet.microsoft.com/en-us/library/security/4022344)

Simply lists: "Verify that the update is installed

Customers should verify that the latest version of the Microsoft Malware
Protection Engine and definition updates are being actively downloaded and
installed for their Microsoft antimalware products.

For more information on how to verify the version number for the Microsoft
Malware Protection Engine that your software is currently using, see the
section, "Verifying Update Installation", in Microsoft Knowledge Base Article
2510781.

For affected software, verify that the Microsoft Malware Protection Engine
version is 1.1.10701.0 or later."

As far as I can figure out, if:

    Get-MpComputerStatus|where -Property AMEngineVersion -ge [version]1.1.10701.0|select AMEngineVersion

prints something like:

      AMEngineVersion
      ---------------
      1.1.13704.0

according to MS one should be patched-up and good to go? (The command should
print nothing on vulnerable systems).

 _However_ a hyper-vm last patched before Christmas (it's not networked),
lists its version as: 1.1.12805.0 -- which certainly _seems_ to be a higher
version than 1.1.10701.0?

I'll _also_ note that using "[version]x.y.z.a" apparently does _not_ force
some kind of magic "version compare"-predicate, based on some simple tests.

Any powershell gurus that'd care to share a one-liner to check if one has the
relevant patches installed?

Am I looking at the wrong property?

~~~
spydum
You have the right idea but wrong version number.. 1.1.13701, not 10701.

~~~
e12e
That makes more sense, thanks. Still can't get powershell to compare in a way
that makes 1.1.12805.0 be less than 1.1.13701.0, but at least manual
inspection makes sense now:

      # On old hyper-v vm (PowerShell continues a line with a backtick, not a backslash):
      Get-MpComputerStatus `
      |where -Property AMEngineVersion `
        -gt [version]1.1.13701.0 `
      |select AMEngineVersion

      AMEngineVersion
      ---------------
      1.1.12805.0

I guess one out of two isn't bad...
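The comparison above behaves the way it does because the `[version]` cast sits in argument position, where PowerShell takes `[version]1.1.13701.0` as a literal string and `Where-Object` then compares strings; the cast only applies inside a script block or parentheses. The following is an added example, not code from the thread or from Microsoft; it compares the engine version component by component against the first fixed build named in the advisory quoted in the thread (1.1.13704.0), and assumes the `Get-MpComputerStatus` cmdlet from the Defender module is available on the live system:

```powershell
# Added example: compare the Malware Protection Engine version as a [version]
# value rather than as a string. Assumes the Defender module's
# Get-MpComputerStatus is present when run against a real machine.

function Test-MpEnginePatched {
    param(
        # Engine version as reported by (Get-MpComputerStatus).AMEngineVersion
        [Parameter(Mandatory)][string]$EngineVersion,
        # First fixed build per Microsoft advisory 4022344, as quoted in the thread
        [version]$FixedVersion = [version]'1.1.13704.0'
    )
    # The cast in expression position yields a System.Version, whose -ge
    # compares major.minor.build.revision numerically, so 1.1.12805.0 sorts
    # below 1.1.13704.0 as intended.
    $installed = [version]$EngineVersion
    [pscustomobject]@{
        AMEngineVersion = $installed.ToString()
        FixedVersion    = $FixedVersion.ToString()
        Patched         = ($installed -ge $FixedVersion)
    }
}

# Constructed inputs: the three engine versions mentioned in the thread.
# Only 1.1.13704.0 should report Patched = True.
foreach ($v in '1.1.12805.0', '1.1.13701.0', '1.1.13704.0') {
    Test-MpEnginePatched -EngineVersion $v
}

# The same check as a one-liner in the thread's style; the cast is now inside
# the script block, so it is evaluated as an expression.
# Get-MpComputerStatus |
#     Where-Object { [version]$_.AMEngineVersion -ge [version]'1.1.13704.0' } |
#     Select-Object AMEngineVersion
```

Running the one-liner on a system whose engine is older than 1.1.13704.0 prints nothing, which is the behaviour the original snippet was expected to have. If you prefer a single boolean for scripting, `(Test-MpEnginePatched -EngineVersion (Get-MpComputerStatus).AMEngineVersion).Patched` gives it.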

------
pedrow
Quick question on the timings of this. The report says that "This bug is
subject to a 90 day disclosure deadline." - does that mean it was discovered
90 days ago and has been published now, or it was discovered on May 6 (as
dates on the comments seem to suggest) and Microsoft has responded very
quickly? In either case it seems strange not to have waited a couple more days
because (for my system, anyway) I was still running the vulnerable version
even after the report was made public.

~~~
mattcoles
It was discovered May 6th. MS has responded and fixed very quickly. I'm not
overly familiar with Windows but I've seen multiple people saying that
Defender patched itself without requiring any action on their part.

------
icf80
The affected products:

Microsoft Forefront Endpoint Protection 2010

Microsoft Endpoint Protection

Microsoft Forefront Security for SharePoint Service Pack 3

Microsoft System Center Endpoint Protection

Microsoft Security Essentials

Windows Defender for Windows 7

Windows Defender for Windows 8.1

Windows Defender for Windows RT 8.1

Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows
Server 2016, Windows 10 1703

Windows Intune Endpoint Protection

Last version of the Microsoft Malware Protection Engine affected by this
vulnerability Version 1.1.13701.0

First version of the Microsoft Malware Protection Engine with this
vulnerability addressed Version 1.1.13704.0

[https://technet.microsoft.com/en-us/library/security/4022344](https://technet.microsoft.com/en-us/library/security/4022344)

------
arca_vorago
I'm pretty close to just saying I refuse to work on Windows systems
anymore.

~~~
michaelmcmillan
Not a fan either, but it would be silly to think that there does not exist
equally harmful vulnerabilities in similar software for other platforms. They
just remain to be discovered.

------
NKCSS
Turn off Windows Defender:

        Windows Registry Editor Version 5.00
        [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
        "DisableAntiSpyware"=dword:00000001

Then reboot.

On the other hand: Microsoft has already issued a fix:
[https://twitter.com/msftsecresponse/status/861734360193552385](https://twitter.com/msftsecresponse/status/861734360193552385)

But still; the auto-unpack of archives leaves me wanting to just disable it
completely.

~~~
vesinisa
How do you use that snippet?

~~~
NKCSS
Save as .reg and run it or use regedt32.exe to go to that registry location
and do it manually.

~~~
mtrycz
Shame that there's no mechanism to automatically execute a script from the
internet someway...

------
jonstewart
Does MsMpEng actually do file analysis itself, unpacking, unarchiving, &c?
That's the kind of stuff that should usually be sandboxed. If its
zip/rar/7zip/cab/whatever support hasn't been formally verified and those
components run as SYSTEM, es no bueño.

------
windsurfer
This also includes Windows 7 and anything running Microsoft Security
Essentials, but does not include any Windows Server other than 2016.

------
dboreham
It only took two days to fix this and release the patch? Impressed.

~~~
andremat
Not to belittle MSFT's ability but a high quality repro helps immensely.

~~~
dboreham
Hmm...I guess I was assuming they had fixed all the potential vulnerabilities
allowed by running a virus scanner as root, not just the specific
vulnerability described in the example exploit.

------
caf
_As mpengine will unpack arbitrarily deeply nested archives..._

Surely not - what happens if you feed it the zipfile quine?

~~~
Terr_
If that broke it, I imagine it would've been discovered by now. A simple
mitigation would be to check if the newly-unpacked file is the same.

However... suppose someone crafted an alternating version -- where A.zip
contains B.zip contains A.zip etc. -- I bet there are systems out there which
only do one tier of checking.

~~~
qb45
There exists a much simpler way, it is for example how C++ compilers deal with
recursion in template instantiation:

      for level = 1 to arbitrary_depth:
        do_some_work_which_may_produce_more_work()

You just have to select _arbitrary_depth_ large enough that nobody notices and
there you have it - arbitrarily deep recursion without infinite loop ;)

Totally wouldn't be surprised if MS did it this way too. Otherwise you are
right - they would need to remember at least hashes of all "outer" archives
unpacked so far.
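The two ideas in the last few comments, a hard depth cap and remembering hashes of the outer archives, are complementary: the cap bounds work on any input, and the hash set turns a self-containing archive into an immediate stop instead of a cap-deep walk. The following is an added example of both, written here and not taken from the thread or from mpengine. It walks zips nested inside zips in memory, sniffs entries by content rather than by name, keeps SHA-256 hashes of the archives on the current unpack path, and constructs its own ten-level sample input; names such as `Get-NestedZipEntries` and the cap value are assumptions of the example.

```powershell
# Added example: bounded nested-zip walker with depth cap plus ancestor hashes.
# Not code from the thread or from any antivirus engine.
Add-Type -AssemblyName System.IO.Compression

function Get-Sha256Hex {
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha.Dispose() }
}

function New-ZipBytes {
    # Builds a single-entry zip in memory; used only to construct sample input.
    param([string]$EntryName, [byte[]]$Content)
    $ms  = New-Object System.IO.MemoryStream
    $zip = New-Object System.IO.Compression.ZipArchive ($ms, [System.IO.Compression.ZipArchiveMode]::Create, $true)
    $es  = $zip.CreateEntry($EntryName).Open()
    $es.Write($Content, 0, $Content.Length)
    $es.Dispose()
    $zip.Dispose()      # writes the central directory; $ms stays open (leaveOpen = $true)
    $ms.ToArray()
}

function Get-NestedZipEntries {
    param(
        [Parameter(Mandatory)][byte[]]$ZipBytes,
        [int]$MaxDepth = 8,            # hard cap on nesting, independent of content
        [int]$Depth = 0,
        [hashtable]$Ancestors = @{}    # SHA-256 -> depth, for archives on the current path
    )
    $indent = '  ' * $Depth
    if ($Depth -ge $MaxDepth) {
        return "$indent[stop] depth cap $MaxDepth reached; not unpacking further"
    }
    # Hash of the whole archive: a zip quine or an A-contains-B-contains-A chain
    # reproduces an ancestor's bytes exactly, so it shows up here as a cycle.
    $hash = Get-Sha256Hex -Bytes $ZipBytes
    if ($Ancestors.ContainsKey($hash)) {
        return "$indent[stop] cycle: this archive was already opened at depth $($Ancestors[$hash])"
    }
    $Ancestors[$hash] = $Depth
    $stream = New-Object System.IO.MemoryStream (,$ZipBytes)
    $zip = New-Object System.IO.Compression.ZipArchive ($stream, [System.IO.Compression.ZipArchiveMode]::Read)
    try {
        foreach ($entry in $zip.Entries) {
            "$indent$($entry.FullName) ($($entry.Length) bytes)"
            $es  = $entry.Open()
            $buf = New-Object System.IO.MemoryStream
            $es.CopyTo($buf)
            $es.Dispose()
            $inner = $buf.ToArray()
            # Decide by content, not by file name: a zip local file header starts with "PK\x03\x04".
            if ($inner.Length -ge 4 -and $inner[0] -eq 0x50 -and $inner[1] -eq 0x4B -and
                $inner[2] -eq 0x03 -and $inner[3] -eq 0x04) {
                Get-NestedZipEntries -ZipBytes $inner -MaxDepth $MaxDepth -Depth ($Depth + 1) -Ancestors $Ancestors
            }
        }
    }
    finally {
        $zip.Dispose()
        $stream.Dispose()
        $Ancestors.Remove($hash)   # leaving this path; the same bytes as a sibling elsewhere are fine
    }
}

# Constructed sample: a text file wrapped in ten nested zips, walked with a cap of 5.
$payload = [System.Text.Encoding]::ASCII.GetBytes('constructed sample payload')
$sample  = New-ZipBytes -EntryName 'innermost.txt' -Content $payload
for ($i = 1; $i -le 10; $i++) {
    $sample = New-ZipBytes -EntryName "level$i.zip" -Content $sample
}
Get-NestedZipEntries -ZipBytes $sample -MaxDepth 5
```

The ancestor set is keyed on the hash of the archive bytes and entries are removed on the way back up, so a legitimate archive that happens to contain two identical nested zips as siblings is still walked, while an archive that contains itself (directly or through an intermediate) stops at the first repeat. The depth cap is the backstop for inputs that never repeat but keep producing more work.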

~~~
nathan_f77
Haha, that's how I like to write all my code now. Sometimes I'll write a
function that generates a random id, and checks the database to make sure that
it doesn't already exist. I always like to add a counter and throw an error
(or just return some default value) if it gets up to 100 or so. It might not
ever happen in this universe, but I like to imagine there's a parallel
universe out there where I saved some server from going into an infinite loop.

I actually did this recently for a random phone number generator, using the
phony Ruby library to validate numbers. It was just for some test fixtures,
but it's nice to know that it will always fallback to a default test number in
case something goes wrong and it runs out of attempts. Or I'm in some universe
where my random number generator suddenly starts producing an endless stream
of zero bits.

This is just a little 'tick'. I also find myself using 12px and 14px a lot
more frequently than 13px.

------
dagaci
I am not happy that Google has published a full exploit well before it has
been possible to anyone to actually deploy the patch and within just 3 days of
notifying the vendor.

It seems that Google is eager for someone to use this exploit to attack as
many systems as possible before they can be patched against it.

~~~
yAak
Google only made it publicly visible after Microsoft publicly published this:
[https://technet.microsoft.com/en-us/library/security/4022344](https://technet.microsoft.com/en-us/library/security/4022344)

~~~
dagaci
I know but the exploit, a template virus, has been published before i could
actually install the fix, and this applies to everyone. I actually think this
behaviour is appalling. This kind of exploit could propagate very quickly.

------
ezoe
So MS's anti malware software does:

1. Execute NScript, a JavaScript-like language.

2. Run as high privileged, non-sandboxed process.

3. Intercept filesystem changes and run NScript code written to anywhere,
including browser cache.

4. Do not check code signing.

This is unbelievably ridiculous. It shall not happen to the software which
claims to improve "security".

As I always said, there is no good anti malware software. Everything sucks.

An additional software is an additional security risk.

~~~
speps
"NScript is the component of mpengine that evaluates any filesystem or network
activity that looks like JavaScript."

It's the name of the component.

------
rubatuga
Congratulations Microsoft, on your best exploit yet!

~~~
krylon
Remember the RPC vulnerabilities from ~2003? Back then, a machine connected to
the Internet without some firewall in front of it would get infected before
the installation routine was finished.

This one is really bad, of course, but historically, it's not the worst.

------
btb
Good that it was fixed. But now bad actors will be looking very hard for other
bugs in the unsandboxed javascript interpreter. Tempting to just disable
windows defender completely.

------
jbergstroem
Exploitability Assessment for Latest Software Release: 2 - Exploitation Less
Likely

Exploitability Assessment for Older Software Release: 2 - Exploitation Less
Likely

Anyone with ideas on how they came to this conclusion? Yes, I read the linked
document but felt that the index assessment didn't really reflect that google
(Natalie?) seems to have found this "in the wild".

~~~
sigmar
Not sure but the last comment on the bug report says: "RCE risk should be
lowered due to CFG (on platforms where CFG is in effect)."

>the index assessment didn't really reflect that google (Natalie?) seems to
have found this "in the wild".

Did she? How do you know this?

edit: MS seems to explicitly say they are not aware of it being used.
"Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers when this security
advisory was originally issued."

~~~
jbergstroem
> Did she? How do you know this?

Left column says: Finder-natashenka

twitter.com/natashenka -> Natalie

I added a "seems" since I wasn't sure, but let me use it again: there sure
seems to be a connection.

~~~
ajdlinux
That doesn't address the "in the wild" part of your claim.

~~~
jbergstroem
You are right. That comment was based on this quote:

"The debugging session below was captured after visiting a website that did
this:"

In hindsight: It can be interpreted in many ways and my standpoint was too
pessimistic/bold from a security standpoint.

------
polskibus
I wonder how does it affect Azure? Can such security hole affect Azure
security?

------
binome
At least the good guys found this one first, and it is in Windows Defender,
and the definitions should automatically update in 24hrs or less silently
without a reboot.

~~~
janwillemb
> the good guys found this one first

Not necessarily

------
ms_skunkworks
Was mpengine developed by Microsoft Research?

------
nathan_f77
This is amazing work. Does anyone know how much someone like Tavis Ormandy
would be getting paid? Would it be 7 figures?

~~~
lawnchair_larry
It wouldn't be close to that. Closer to the 250-350 range for engineers at
that level at Google. Also, Tavis didn't find this one.

~~~
mixologic
Looks like a joint discovery?
[https://twitter.com/taviso/status/860679110728622080](https://twitter.com/taviso/status/860679110728622080)

------
nthcolumn
malware injection service lol.

------
madshiva
Hey Tavis,

if you read this, could you tell Microsoft to fix the issue with definition
updates that aren't removed after updating? The definitions keep growing and
waste space. (The problem solves itself if the computer is rebooted.)

Thanks :)

~~~
imipak
This may help...

    $ /cygdrive/c/Program\ Files/Windows\ Defender/MpCmdRun.exe /h
    Windows Defender Command Line Utility (c)2006-2008 Microsoft Corp
    Use this tool to automate and troubleshoot Windows Defender

[...]

~~~
madshiva
Thanks, it's strange how hackernews users are so aggressive with downvotes...

------
Kenji
Me, almost a year ago:

[https://news.ycombinator.com/item?id=12184173](https://news.ycombinator.com/item?id=12184173)

Despite getting all the downvotes, who is looking stupid now?

~~~
xxxxxxxx
You listed a lot of bad experiences, but none of them related to security.

