{"id":96131,"date":"2019-07-30T08:53:30","date_gmt":"2019-07-30T15:53:30","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=96131"},"modified":"2024-02-18T19:05:38","modified_gmt":"2024-02-19T03:05:38","slug":"jet-database-engine-flaw-may-lead-to-exploitation-analyzing-cve-2018-8423","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/jet-database-engine-flaw-may-lead-to-exploitation-analyzing-cve-2018-8423\/","title":{"rendered":"Jet Database Engine Flaw May Lead to Exploitation: Analyzing CVE-2018-8423"},"content":{"rendered":"

In September 2018, the Zero Day Initiative published a proof of concept<\/a> for a vulnerability in Microsoft\u2019s Jet Database Engine. Microsoft released a patch in October 2018. We investigated this flaw at that time to protect our customers. We were able to find some issues with the patch and reported that to Microsoft, which resulted in another vulnerability, CVE-2019-0576<\/a>, which was fixed on 8-Jan-2018 (Microsoft Jan 2019 Patch Tuesday).<\/p>\n

The vulnerability exploits the Microsoft Jet Database Engine, a component used in many Microsoft applications, including Access. The flaw allows an attacker to execute code to escalate privileges or to download malware. We do not know if the vulnerability is used in any attacks; however, the proof of concept code is widely available.<\/p>\n

Overview<\/h3>\n

To exploit this vulnerability, an attacker needs to use social engineering techniques to convince a victim to open a JavaScript file which uses an ADODB connection object to access a malicious Jet Database file. Once the malicious Jet database file is accessed, it calls the vulnerable function in msrd3x40.dll which can lead to exploitation of this vulnerability.<\/p>\n

Although the available proof of concept causes a crash in wscript.exe, any application using this DLL is susceptible to the attack.<\/p>\n

The following error message indicates the vulnerability was successfully triggered:<\/p>\n

\"\"<\/p>\n

The message shows an access violation occurred in the vulnerable DLL. This vulnerability is an \u201cout-of-bounds write<\/a>,\u201d which can be triggered via OLE DB, the API used to access data in many Microsoft applications. This type of vulnerability indicates that data can be written outside of the intended buffer, resulting in a crash. The cause of the crash is the maliciously crafted Jet database file. The file exploits an index field in the Jet database file format with an unexpectedly large number, resulting in an out-of-bounds write and, ultimately, the preceding crash.<\/p>\n

The following diagram provides a high-level view of how the exploit works:<\/p>\n

\"\"<\/p>\n

Exploit in Action<\/h3>\n

The proof of concept code contains one JavaScript file (poc.js), which calls a second file (group1). This is the Jet database file. By running poc.js through wscript.exe, we can trigger the crash.<\/p>\n

\"\"<\/p>\n

As we see in the preceding image, we can review debug information to determine the function that crashes is \u201cmsrd3x40!TblPage::CreateIndexes.\u201d Furthermore, we can determine that the program is trying to write data and failing. Specifically, we can see that the program is using the \u201cesi\u201d register to write to the location [edx+ecx*4+574h], but that location is not accessible.<\/p>\n

We need to understand how this location is constructed to provide clues to the root cause. The debug information shows that register ecx contains the value 0x00002300. Edx is a pointer to memory that we will see again later. Finally, they are added together with an offset of 574 hexadecimal bytes to reference the memory location. From this information, we can guess the type of data that is stored there. It appears to be an array in which each variable is 4 bytes long and starts at the location edx+574h. While tracking the program, we determined the value 0x00002300 comes from the proof-of-concept file group1.<\/p>\n

\"\"<\/p>\n

We know that the program attempts to write out of bounds and we know where the attempt occurs. Now we need to determine why the program attempts to write at that location. We investigate the user-provided data of 0x00002300 to understand its purpose. To do this we must understand the Jet database file.<\/p>\n

Analyzing the Jet Database File<\/h2>\n

Many researchers have extensively analyzed the Jet database file structure. Some of the details of previous work can be found at the following links:<\/p>\n