{"id":7131,"date":"2018-09-22T00:08:00","date_gmt":"2018-09-21T22:08:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=7131"},"modified":"2018-09-21T23:15:57","modified_gmt":"2018-09-21T21:15:57","slug":"windows-0-day-vulnerability-in-jet-engine-sept-2018","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2018\/09\/22\/windows-0-day-vulnerability-in-jet-engine-sept-2018\/","title":{"rendered":"Windows 0-day vulnerability in Jet Engine (Sept. 2018)"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2018\/09\/21\/windows-zero-day-schwachstelle-in-jet-engine-sept-2018\/\" target=\"_blank\">German<\/a>]There is a zero-day vulnerability in Microsoft's Jet Engine, which is used in applications under Windows. The vulnerability is unpatched, but not critical.<\/p>\n<p><!--more--><\/p>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Microsoft_Jet_Database_Engine\" rel=\"noopener\" target=\"_blank\">Jet Engine<\/a> is a database interface from Microsoft that can be used in Access, Visual Basic or other software via the Jet Engine data source drivers. <\/p>\n<h2>Vulnerability published after 120 days<\/h2>\n<p>The vulnerability was discovered by Trend Micro and described in <a href=\"https:\/\/www.zerodayinitiative.com\/blog\/2018\/9\/20\/zdi-can-6135-a-remote-code-execution-vulnerability-in-the-microsoft-windows-jet-database-engine\" target=\"_blank\">this blog post<\/a>. The vulnerability was reported to Microsoft on 8 May 2018. After the 120-day standstill period expired, the information was released this week.<\/p>\n<h2>The vulnerability<\/h2>\n<p>When writing to a database using the Microsoft JET database engine, an out-of-bounds (OOB) operation is possible. 
This could be exploited for remote code execution. However, the code runs only in the context of the current process, and the user must first be persuaded to open a malicious file. In addition, the Jet engine only runs in 32-bit mode. Exploitability is therefore very limited, which is why Microsoft is taking its time with a patch. Specifically, the vulnerability appears to be in the index manager of the Jet engine. On <a href=\"https:\/\/github.com\/thezdi\/PoC\/tree\/master\/ZDI-18-1075\" rel=\"noopener\" target=\"_blank\">GitHub<\/a> there is a proof of concept (PoC) in the form of an example database and a JavaScript program, which uses the OLEDB provider 4.0 for the write accesses. Mitja Kolsek from 0patch has posted about it on Twitter. <\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p lang=\"en\" dir=\"ltr\">A bit about this unpatched remote code execution in Windows Jet Database Engine:<\/p>\n<p>1) First of all, a nice find, <a href=\"https:\/\/twitter.com\/thezdi?ref_src=twsrc%5Etfw\">@thezdi<\/a> and <a href=\"https:\/\/twitter.com\/_wmliang_?ref_src=twsrc%5Etfw\">@_wmliang_<\/a>! (Btw, Lucas' Twitter handle in the article &#8211; <a href=\"https:\/\/twitter.com\/wmliang?ref_src=twsrc%5Etfw\">@wmliang<\/a> &#8211; is wrong!) 2) Jet only exists in 32bits, so launching poc.js won't work on 64bit Windows <a href=\"https:\/\/t.co\/57okiFs7S7\">https:\/\/t.co\/57okiFs7S7<\/a> \u2014 Mitja Kolsek (@mkolsek) <a href=\"https:\/\/twitter.com\/mkolsek\/status\/1042820055686365184?ref_src=twsrc%5Etfw\">20. September 2018<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>  <\/p>\n<p>According to the blog post, the existence of the vulnerability in Windows 7 has been confirmed. However, security researchers believe that all supported Windows versions are vulnerable. Microsoft is working internally on a patch, but it is still unknown when it will be released. 
The Register has <a href=\"https:\/\/www.theregister.co.uk\/2018\/09\/20\/microsoft_jet_database_zero_day\/\" target=\"_blank\">reported<\/a> on this in the meantime.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]There is a zero day vulnerability in Microsoft's Jet Engine, which is used in applications under Windows. The vulnerability is unpatched, but not critical.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[69,194],"class_list":["post-7131","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/7131","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=7131"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/7131\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=7131"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=7131"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=7131"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}