Windows Secure Channel RCE Vulnerability


A recent analysis of a security vulnerability in Microsoft’s Secure Channel revealed a critical flaw that could be exploited for remote code execution.

The vulnerability was initially identified as an integer overflow issue. However, further investigation determined it to be a Use-After-Free (UAF) vulnerability.

EHA

This type of vulnerability occurs when a program continues to use a pointer after the memory it references has been freed, leading to unpredictable behavior and potential exploitation.

To rewrite the sentence in a more professional tone:

The researcher who discovered and reported the vulnerability to Microsoft has published a technical analysis today. Let’s review the details.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

Technical Analysis

The vulnerability was found in the CSsl3TlsContext::CSsl3TlsContext function. A patch was released by Microsoft, which introduced a conditional check to prevent an assignment operation:

if ( !(unsigned __int8)wil::details::FeatureImpl<__WilFeatureTraits_Feature_2612696381>::__private_IsEnabled(&`wil::Feature<__WilFeatureTraits_Feature_2612696381>::GetImpl'::`2'::impl) )
{
  *(_QWORD *)(this + 472) = *(_QWORD *)(a2 + 472);
  *(_QWORD *)(a2 + 472) = 0i64;
}

This patch effectively blocked the assignment operation of a specific field when a certain feature was enabled.

Using IDA for binary analysis, it was discovered that a new memory allocation (denoted as M1) was assigned to the field at offset 472 (hex: 1D8h) within the function CSsl3TlsServerContext::ProcessRecord. The CTlsMessageFragment::Initialize function was found to assign a pointer to this newly allocated memory, leading to a potential UAF scenario.

void __fastcall CTlsMessageFragment::Initialize(CTlsMessageFragment *this, struct CSsl3TlsContext *a2)
{
  int v2; // eax
  int v3; // edx
  unsigned int v4; // edx
  unsigned int v5; // eax

  *(_QWORD *)this = a2;
  ......
  v3 = 1536;
LABEL_9:
  *((_DWORD *)this + 3) = v3;
  v5 = *((_DWORD *)this + 2);
  if ( v5 > 0xFFFFFF )
    v5 = 0xFFFFFF;
  *((_DWORD *)this + 2) = v5;
}

The analysis revealed that while the patch set the 472nd field of the a2 structure to zero, the first field of M1 was not updated. This oversight allowed the first field of M1 to still point to a2, creating a UAF vulnerability during the release process.

“Finally, after actual testing, it is indeed the UAF problem at this location. From the location used, it can be seen that it will use the virtual table of the structure. If the position is occupied properly, the rip can be directly controlled. With reasonable gadgets, remote code execution can be achieved.” Reearcher said.

The vulnerability’s potential for harm is significant. If exploited correctly, it could allow for unauthenticated remote code execution. This means that an attacker could potentially execute arbitrary code on a remote system without needing prior authentication, posing a severe security risk.

The researcher who discovered the flaw noted that their initial oversight was due to inexperience and a focus on bytecode parsing rather than the UAF issue. This case underscores the importance of thorough analysis and patience in cybersecurity research.

While the vulnerability has been patched, the revelation of its true nature as a UAF issue serves as a reminder of the complexities involved in software security. It also highlights the need for continuous vigilance and detailed examination of security patches to ensure all potential vulnerabilities are addressed.

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download



Source link