Windows Defender

Exploiting the Windows Defender `AsProtect` Heap Overflow Vulnerability

In the June 2021 security updates, Microsoft patched a heap buffer overflow in the Windows Defender engine, mpengine.dll, tracked as CVE-2021-31985. The vulnerability was found by Google Project Zero (GP0) and reported on May 25, 2021.

Windows Defender Antivirus scans packed binaries by emulating them in its virtual machine, the Defender Emulator, and takes over the unpacking itself when certain packer signatures are detected. One of these is AsProtect. To execute AsProtect packer bytecode, the engine has to reconstruct an embedded VM DLL supplied by the "external" packed binary being scanned. A lack of sanitization on a section's relative virtual address (RVA) allows a memcpy-style heap overflow in which data, size and offset are all attacker-controlled. These primitives can lead to remote code execution with NT Authority\SYSTEM privileges.
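As an added illustration, not code from the original post or from mpengine.dll, the following C sketch shows the kind of section-header bounds check whose absence the paragraph above describes. The header structure, buffer sizes and section table are constructed for this example; only the first table entry is in bounds, while the others place the RVA past the image, wrap 32-bit arithmetic, or point raw data past the end of the input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for a PE section header; constructed for this example, not
 * mpengine.dll's own structure. Every field comes from untrusted input. */
struct section_hdr {
    uint32_t virtual_address;  /* RVA of the section inside the image */
    uint32_t virtual_size;     /* bytes the section occupies once mapped */
    uint32_t raw_ptr;          /* file offset of the section's raw bytes */
    uint32_t raw_size;         /* bytes of raw data present in the file */
};

/* Bytes of s safe to copy into an image_size-byte image from a file_size-byte
 * input, or 0 to reject. 64-bit math stops two 32-bit fields from wrapping. */
size_t section_copy_len(const struct section_hdr *s, size_t image_size, size_t file_size)
{
    uint64_t n = s->raw_size < s->virtual_size ? s->raw_size : s->virtual_size;
    if ((uint64_t)s->virtual_address + s->virtual_size > image_size) return 0; /* past image */
    if ((uint64_t)s->raw_ptr + n > file_size) return 0;                        /* past input */
    return (size_t)n;
}

/* Map one section only if the check passes. This memcpy is the operation that
 * becomes a heap overflow when the RVA is used without validation. */
size_t load_section(uint8_t *image, size_t image_size, const uint8_t *file,
                    size_t file_size, const struct section_hdr *s)
{
    size_t n = section_copy_len(s, image_size, file_size);
    if (n == 0) return 0;
    memcpy(image + s->virtual_address, file + s->raw_ptr, n);
    return n;
}
/* Constructed section table: one valid entry, then RVA past the image,
 * RVA that wraps 32-bit arithmetic, and raw data past end of file. */
static const struct section_hdr demo_sections[4] = {
    { 0x400,      0x100, 0x080, 0x100 },
    { 0xF80,      0x100, 0x080, 0x100 },
    { 0xFFFFFF00, 0x200, 0x080, 0x100 },
    { 0x400,      0x100, 0x180, 0x100 },
};
/* Load the table into a 0x1000-byte image from a 0x200-byte input; returns how many entries were accepted (only the first should be). */
int count_accepted(void)
{
    static uint8_t image[0x1000], file[0x200];
    int accepted = 0;
    for (size_t i = 0; i < 4; i++)
        accepted += load_section(image, sizeof image, file, sizeof file, &demo_sections[i]) != 0;
    return accepted;
}
```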

In this blog post, we first recap the root-cause analysis of this vulnerability from the original GP0 issue tracker [1]. Next, we discuss how CVE-2021-31985 can be exploited, based on the in-the-wild (ITW) sample of CVE-2021-1647. Finally, we close with a parting remark on how a change in an object layout from mpengine.dll 1.1.18100 onwards breaks the exploitation technique used here.