Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1261
A detailed introduction to MsMpEng can be found inissue #1252 , so I will skip the background story here.
Through fuzzing, we have discovered a number of ways to crash the service (and specifically code in the mpengine.dll module), by feeding it with malformed input testcases to scan. A summary of our findings is shown in the table below:
+==============+===================================+==========================+=============+====================================================+=============================================+| Name |Type| Requirements | Access Type|Observed symbol |Comments |+==============+===================================+==========================+=============+====================================================+=============================================+| corruption_1 | Heap buffer overflow| PageHeap for MpMsEng.exe |-| free() called by NET_thread_ctx_t__FreeState_void_ | One-byte overflow.|+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+| corruption_2 | Heap corruption | PageHeap for MpMsEng.exe |-| free() called by CRsaPublicKey__Decrypt_uchar| May crash in other ways, e.g. invalid read.|+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+| corruption_3 | Unspecified memory corruption (?)|-|-| netvm_parse_routine_netinvoke_handle_t | Different crashes with/out PageHeap.|+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+| null_1 | NULL Pointer Dereference|-| READ| nUFSP_pdf__handleXFA_PDF_Value ||+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+| null_2 | NULL Pointer Dereference|-| READ| nUFSP_pdf__expandObjectStreams_void||+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+| null_3 | NULL Pointer Dereference|-| READ| NET_context_unsigned ||+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+| null_4 | NULL Pointer Dereference|-| READ| nUFSP_pdf__expandObjectStreams_void_ | Similar to null_2, may be the same bug.|+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+| div_by_zero| Division by zero|-|-| x86_code_cost__get_cost_int||+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+| recursion| Deep/infinite recursion |-|-| __EH_prolog3_catch_GS||+--------------+-----------------------------------+--------------------------+-------------+----------------------------------------------------+---------------------------------------------+
The "corruption_1-3" issues are the most important ones, as they represent memory corruption problems and could potentially lead to execution of arbitrary code. On the other hand,"null_1-4","div_by_zero" and "recursion" are low severity bugs that can only be used to bring the service process down. We have verified that all listed crashes occur on Windows 7 as soon as an offending sample is saved to disk and discovered by MsMpEng.For"corruption_1-2", the PageHeap mechanism must be enabled for the MsMpEng.exe program in order to reliably observe the unhandled exception.
Attached is a ZIP archive (password: "mpengbugs") with up to 3 testcases for each of the 9 unique crashes.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42081.zip