Google Researchers Find Wormable "Crazy Bad" Windows Exploit

Discussion in 'other security issues & news' started by itman, May 8, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Has anyone verified that MsMpEng.exe is running with CFG enabled? The only way I have found to do so is:
    https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Here are the MsMpEng.exe CFG details from 1703 per Process Hacker:
    Code:
    Binary Characteristics:
    
    Executable, Large address aware, High entropy VA, Dynamic base, 
    Force integrity check, NX compatible, Control Flow Guard, Terminal 
    server aware
    
    CFG tab:
    

    As far as I recall, Defender also runs as a Protected Process as well.
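An added way to answer the question in post 1 without Process Hacker (example code written for this thread, not from the posts or from Microsoft): read the PE optional header's DllCharacteristics and test the GUARD_CF bit. The header it parses is constructed inline, so it runs without MsMpEng.exe; the image flag only says the binary was linked with CFG, whether the OS enforces it at runtime is what Process Hacker's CFG tab shows.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h; the names match
# the "Binary Characteristics" line Process Hacker prints.
GUARD_CF = 0x4000
FLAG_NAMES = {
    0x0020: "High entropy VA",
    0x0040: "Dynamic base",
    0x0080: "Force integrity check",
    0x0100: "NX compatible",
    GUARD_CF: "Control Flow Guard",
    0x8000: "Terminal server aware",
}

def dll_characteristics(data: bytes) -> int:
    """DllCharacteristics of a PE image (PE32 or PE32+) held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at optional-header offset 0x46 in both formats.
    return struct.unpack_from("<H", data, opt + 0x46)[0]

def mitigations(data: bytes) -> list:
    """Names of the set mitigation flags, in bit order."""
    flags = dll_characteristics(data)
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]

def has_cfg(data: bytes) -> bool:
    return bool(dll_characteristics(data) & GUARD_CF)

def build_sample(flags: int) -> bytes:
    """Constructed minimal PE32+ header (not a real binary) carrying the given flags."""
    e_lfanew = 0x80
    img = bytearray(e_lfanew + 24 + 0xF0)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", img, e_lfanew + 24, 0x20B)
    struct.pack_into("<H", img, e_lfanew + 24 + 0x46, flags)
    return bytes(img)

def check_file(path: str) -> bool:  # on-disk image such as MsMpEng.exe
    with open(path, "rb") as f:
        return has_cfg(f.read(0x1000))
```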
     
  3. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Why is it good to see MS get some credit for patching this one? o_O

    This kind of vulnerability seems more closely related to a "logic bomb" or a "backdoor" than to a "bug"...

    If (hypothetically) this "bug?" was in reality known to Microsoft and security agencies, it means that for the last decade they could penetrate any Windows system connected to the net...

    And we should praise MS for this... ?

    Panagiotis
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I assume the same applies to ver. 1607?
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    1607 as well, correct. It's quite possible that Defender could be protected by the CFG mitigation on Windows 8.1 as well, but I cannot confirm that. What I do know for sure, though, is that with each platform iteration (e.g. Windows 8.1 - 10 - 10 AU - 10 CU, etc.) the CFG mitigation was strengthened. Particularly in the Anniversary Update, CFG was strengthened significantly. Unfortunately, MS never backports these CFG strengthenings to previous platforms which already support CFG.
     
  6. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    Not for patching, but for how fast they were able to duplicate and verify the problem, develop a patch (that didn't break something else), test the patch, and then release the patch for distribution after it was reported to them. They get credit for reacting so quickly.
    No one is. As I noted earlier, the vulnerability should not have been there in the first place.

    But depending on which version of Windows you have, there are at least 30 million lines of code in the OS. It is also important to understand that of the estimated 1.5 billion Windows computers out there (with nearly 400 million of those being W10 systems), each and every one becomes a unique system within the first few minutes of it being booted the very first time. This happens as users configure their unique user accounts, networking settings, attached devices/peripherals, security setups, desktop personalizations, installed programs and more.

    It is simply unreasonable to expect perfection every time with 30 million lines of code and so many unique configurations.

    This makes no sense. What is a bug? A bug is simply a very general term for "an error, flaw, failure or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways."

    Logic bombs are intentionally inserted code, typically for malicious intent. NO ONE has suggested some Microsoft developer intentionally inserted this code.

    And backdoors are also normally intentionally written and may or may not be for malicious intent. And once again, NO ONE has suggested some Microsoft developer intentionally inserted this code. So regardless, if this vulnerability created a backdoor, it was still unintentional and the result of a programming "error, flaw, failure, or fault" - in other words, a "bug".
     
  7. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Exactly; verifying the problem, debugging the code, identifying the programming error, fixing it, testing it and releasing a stable fix in only three days borders on surreal...
    Unless they knew exactly (a) why it was triggered and (b) where to search to fix it.

    I agree that this was a bug... but is it a random bug that resulted in a backdoor, or is it a bug in a specific backdoor that was triggered unexpectedly by code/a script that shouldn't have?
    Anyway, this is something that only Microsoft knows, and I doubt that they will tell us. ;)

    Panagiotis
     
  8. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Thanks TonyW for the information; it turns out the engine has been updated.
    Thanks itman for sharing your experience, and glad you managed to get the updated version. I wonder if Microsoft will provide an update via Windows Update later to make sure everyone has the patch?

    I think Google should be careful with Project Zero, especially since when Microsoft provides a patch all the users can get it quickly, unlike most users with Android vulnerabilities.

    I do wonder, if someone has Windows Defender disabled but runs the manual definition update, would it update the engine and definitions anyway?
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Embedded in the Microsoft advisory link I posted previously is this:
    In other words, you need to keep WD enabled with the periodic scan option to get updates to the Malware Protection Engine. Once defs. have downloaded, you should have the latest MPE update also. You can then disable periodic scanning if you so wish.
     
  10. mWave

    mWave Guest

    You can still bypass WD self-defense and other AVs via handle hijacking regardless of the driver protection lol

    On W7 you can use csrss.exe and on W8+ use svchost.exe/lsass.exe
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, it's a bit funny, because not that long ago certain "security experts" advised to dump third party AVs, and now it turns out that Win Defender is just as easy exploitable. Luckily it's the first thing I turn off.
     
  12. guest

    guest Guest

    The day you find an un-bypassable/exploitable AV, Gods will walk on Earth... AVs are bypassable by design... but beginners need them, so...
     
    Last edited by a moderator: May 13, 2017
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Rasheed187 @guest This is why several of the Google developers are quite often talking about how AV software in general (any of them) has the potential to open up more attack space based on the fact that there is so much higher privileged code running. The recommendation by some of these developers is for these AV developers to add sandboxing mechanisms to their parsers and such which are quite often running within the kernel. It would be great to see use of AppContainer for different AV components. Although I assume that there would be some "overhead" potential here as far as performance goes.
     
  14. guest

    guest Guest

    Exactly.

    That would be nice, indeed; not sure they are willing to do it. Look how PatchGuard put some of them out of the business. Most products would need a total rewrite of their code.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    In regards to Win 10, a number of the major AV vendors are employing the same self protection mechanism that Windows Defender uses. That is, they are using the ELAM driver to load their kernel process in protected mode. So if sandbox containment is a viable solution, Microsoft should be the first to employ it for Windows Defender. The current vulnerability with many AV solutions is that their GUIs can be accessed via RDP by malware. This can be mitigated by password protecting any GUI modification activity. Note that Windows Defender does not have this protection feature.

    The vulnerability with some AV solutions is they are still relying on hooks to determine process modification. Not only can AV hooks be disabled by malware but the hooking process can be hijacked.
     
  16. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    :argh: Right. Because your AV is bullet proof and infallible - even though you just said it is "just as easy (sic) exploitable". :rolleyes:

    It should also be pointed out that "exploitable vulnerabilities" is really an extreme exaggeration. If I leave $1000 in cash sitting exposed on my desk, it certainly is possible someone can steal it. That is an exploitable vulnerability. All the bad guy has to do is sneak up to my door without my neighbors seeing, break through my door lock and dead bolt without attracting any attention, get past my dogs, steal my money and then sneak away with it while avoiding any security cameras along the way. So yeah, it's exploitable alright.

    In the case of this Google report, it ignores the fact a bad guy still must get past the router, through the browser's security, and the running security apps before changes to the files could occur.

    Did you also notice where the discoverer of this bug is also known for "discovering zero-days and unpatched vulnerabilities in products such as CloudFlare, LastPass, Bromium's micro-virtualization technology, and multiple antivirus engines such as Kaspersky, ESET, FireEye, Malwarebytes, AVG, Avast, Symantec, Trend Micro, and Comodo"? So when you quickly turn off Windows Defender, good luck replacing it with something that has achieved perfection! :rolleyes:

    Exactly.
    "Bypassable by design"? Not buying that. They can be disabled by design, but not bypassable.

    Windows Defender has one distinct advantage for its users no other security app provides - it is enabled from the earliest boot stages the very first time Windows is booted after installation.

    Again, where are all these infected systems if Windows Defender is so bad? Even the testing labs call Windows Defender the "base line" solution. "Base line" is what all other solutions are expected to live up to. Base line does not mean bad. Nor does exceeding the base line mean you are safer.
     
  17. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
  18. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,107
    Location:
    UK
  19. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    Missed that. Thanks stapp.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Actually, I'm not using any AV at all; I have stopped using them since 2006. But this is not recommended for the other 90% of the world, so AVs will always be needed. I'm just saying that third party AVs took a beating a couple of months ago, and most of them deserved it, but turns out Win Defender isn't doing any better. So yes, it's funny to me.
     
  21. plat1098

    plat1098 Guest

    "Kudos" to a firm for acting in the only way it can in a crisis that includes life-or-death situations and avoiding any potential legal liabilities/entanglements stemming from that? Most of the idiots are in the corporate sector of any given firm, but they all know a thing or two about self-preservation.

    Right on! :)
     
  22. guest

    guest Guest

    What would you expect WD to do better? No one cares that it does better than others; people just need it to do what it is supposed to do.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Do I need to spell everything out? WD is just as easily exploitable as others, so apparently it's hardly more secure. But yes, I'm sure other AVs that offer more features and do a better job in keeping the system safe have a larger attack surface. Haven't heard about any big-time holes in third party AVs recently though.
     
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    https://threatpost.com/microsoft-quietly-patches-another-critical-malware-protection-engine-flaw
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Yeah, I posted about this here: https://www.wilderssecurity.com/threads/windows-defender-vulnerabilities.394302/ .

    A note for folks that don't use WD as their primary AV. To get the patch, which BTW is a WD engine update, you have to enable WD periodic scanning in Win 10. Then run a definition update, which will in turn update the WD engine. You can then disable periodic scanning.

    Personally, I would "pitch" any AV that has had vulnerabilities in its kernel component such as these.
     