ZDI-CAN-6135: A Remote Code Execution Vulnerability in the Microsoft Windows Jet Database Engine

September 20, 2018 | Simon Zuckerbraun

Today, we are releasing additional information regarding a bug report that has exceeded the 120-day disclosure timeline. More details on this process can be found here in our disclosure policy.

An out-of-bounds (OOB) write in the Microsoft JET Database Engine that could allow remote code execution was initially reported to Microsoft on May 8, 2018. An attacker could leverage this vulnerability to execute code in the context of the current process; however, it does require user interaction, since the target would need to open a malicious file. As of today, this bug remains unpatched.

The Vulnerability

The root cause of this issue resides in the Microsoft JET Database Engine. Microsoft patched two other issues in JET in the September Patch Tuesday updates. While the patched bugs are listed as buffer overflows, this additional bug is actually an out-of-bounds write, which can be triggered by opening a Jet data source via OLEDB. Here’s a look at the resulting crash:

To trigger this vulnerability, a user would need to open a specially crafted file containing data stored in the JET database format. Various applications use this database format. An attacker using this would be able to execute code at the level of the current process.

If you’d like to test this out for yourself, you can find the proof of concept code here.

Recommendation

Our investigation has confirmed this vulnerability exists in Windows 7, but we believe that all supported Windows versions are impacted by this bug, including server editions. You can view our advisory here. Microsoft continues to work on a patch for this vulnerability, and we hope to see it in the regularly scheduled October patch release. In the absence of a patch, the only salient mitigation strategy is to exercise caution and not open files from untrusted sources.
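Because the trigger is a crafted file in the JET database format, and because, as noted above, various applications consume that format, a practical way to act on the "don't open untrusted files" advice is to identify JET content by its header rather than by file extension, so a renamed .mdb does not slip through an inbox or download folder. The script below is an added defensive example, not code from the original post or from ZDI; it relies on the well-known ASCII marker that Jet 3.x/4.x (.mdb) and ACE (.accdb) files carry at byte offset 4, and the sample files it scans are constructed in a temporary directory for the demonstration.

```python
"""Identify Microsoft Jet/ACE database files by content, not extension.

Added example (not from the original ZDI post). Assumption: Jet 3.x/4.x and
ACE database files carry the ASCII marker "Standard Jet DB" / "Standard ACE DB"
starting at byte offset 4, after a 4-byte version field.
"""
import tempfile
from pathlib import Path

MARKER_OFFSET = 4
MARKER_LEN = 15  # both marker strings are exactly 15 bytes long
JET_MARKERS = {
    b"Standard Jet DB": "Jet (.mdb)",
    b"Standard ACE DB": "ACE (.accdb)",
}


def classify_jet_header(header: bytes):
    """Return the database flavour if `header` looks like a Jet/ACE file, else None."""
    if len(header) < MARKER_OFFSET + MARKER_LEN:
        return None
    marker = header[MARKER_OFFSET:MARKER_OFFSET + MARKER_LEN]
    return JET_MARKERS.get(marker)


def scan_directory(root) -> list:
    """Walk `root` and list (path, extension, flavour) for every file whose
    content is a Jet/ACE database, regardless of the extension it carries."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(MARKER_OFFSET + MARKER_LEN)
        flavour = classify_jet_header(head)
        if flavour:
            findings.append((str(path), path.suffix.lower(), flavour))
    return findings


def build_sample_dir() -> str:
    """Create a constructed sample folder: one honest .mdb, one Jet file
    disguised as .txt, and one harmless text file. Returns the folder path."""
    root = Path(tempfile.mkdtemp(prefix="jet_scan_"))
    jet_header = b"\x00\x01\x00\x00" + b"Standard Jet DB" + b"\x00" * 13
    (root / "report.mdb").write_bytes(jet_header)
    (root / "invoice.txt").write_bytes(jet_header)        # renamed Jet file
    (root / "notes.txt").write_bytes(b"just some notes\n")  # not a database
    return str(root)


if __name__ == "__main__":
    sample = build_sample_dir()
    for path, ext, flavour in scan_directory(sample):
        tag = "" if ext in (".mdb", ".accdb") else "  <-- extension does not match content"
        print(f"{flavour:12} {path}{tag}")
```

In the constructed sample the scan reports both `report.mdb` and the disguised `invoice.txt`, while `notes.txt` is ignored; in practice the list would feed a quarantine or a mail-gateway rule until a patch is available.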

As always, I can be found on Twitter at @HexKitchen, and follow the team for the latest in exploit techniques and security patches.

Disclosure Timeline:

05/08/18 – ZDI reported vulnerability to vendor and the vendor acknowledged that same day
05/14/18 – The vendor replied that they successfully reproduced the issue ZDI reported
09/09/18 – The vendor reported an issue with the fix and that the fix might not make the September release
09/10/18 – ZDI cautioned potential 0-day
09/11/18 – The vendor confirmed the fix did not make the build
09/12/18 – ZDI confirmed to the vendor the intention to 0-day on 09/20/18
09/20/18 – Coordinated public release of advisory