A heap buffer overflow vulnerability exists in the Windows Search service. It results in out-of-bounds memory reads and writes that corrupt heap data and metadata, causing a denial of service (DoS).
- A remote attacker sends malicious Windows Search Protocol (WSP) GetRowsIn messages, carried over SMB2, to the vulnerable server, targeting a share that is searchable and indexed.
- The server attempts to process the request, reads out of bounds beyond the bookmark array, and then writes out of bounds beyond the end of the result array. The result is a denial of service, or possibly remote code execution with SYSTEM privileges.
The attacker must be able to reach the search service, potentially through an SMB share that does not require authentication.
The overflow is in the Windows Search protocol DLL tquery.dll, in the function CRowSeekByBookmark::_SetStatus, when it processes a malicious GetRowsIn request whose seek description is a SeekByBookmark structure (eType set to 0x00000004). The attacker first sends valid WSP Connect, CreateQuery and SetBindings messages so that a query and cursor exist on the server. The bug triggers when the request's cRowsToTransfer value is larger than the number of bookmark entries, cBookmarks. The server allocates a heap array to hold one HRESULT per bookmark operation (with two bookmarks, 2*4 bytes), but the loop that calls the status-writing function for each row checks only that the row index is less than cRowsToTransfer, never that it is less than cBookmarks. Each extra iteration therefore reads past the end of the bookmark array and writes past the end of the result array, corrupting the heap control structures and whatever data follows them.
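The following C program is an added illustration of the loop-bound mistake described above; it is not code from the advisory, from Microsoft or from tquery.dll. It models CRowSeekByBookmark::_SetStatus with a hypothetical struct (cBookmarks plus a bookmark array), a stand-in seek_one() that resolves a bookmark to an HRESULT, and a simulate_get_rows() harness that backs both arrays with canary-filled slack so the overrun from a cRowsToTransfer larger than cBookmarks lands in memory the program owns and can be counted afterwards. The hardened variant simply rejects a row count that exceeds the bookmark count; the page does not say how Microsoft's update changes the code, so that check is an assumed fix, not theirs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef int32_t HRESULT;                     /* Windows HRESULT is a 32-bit value */
#define S_OK         ((HRESULT)0x00000000)
#define E_INVALIDARG ((HRESULT)0x80070057)   /* 32-bit wrap of the Windows value */

/* Canary written into every slot beyond the logical arrays. Chosen odd so
 * that, if the loop ever reads it as a bookmark, seek_one() reports failure
 * and the corrupted status slot no longer holds the canary. */
#define CANARY 0x5A5A5A5Bu

/* Extra slots kept after each modelled array so an overrun lands in memory
 * this program owns and can inspect afterwards instead of corrupting the
 * real heap. Requests that would run past the slack are refused outright. */
#define SLACK 64u

/* Modelled CRowSeekByBookmark: the count the client sent and its bookmarks.
 * Hypothetical layout for illustration, not the tquery.dll structure. */
typedef struct {
    uint32_t cBookmarks;
    const uint32_t *aBookmarks;
} RowSeekByBookmark;

/* Stand-in for resolving one bookmark: even values succeed, odd values fail. */
static HRESULT seek_one(uint32_t bookmark)
{
    return (bookmark & 1u) ? E_INVALIDARG : S_OK;
}

/* Vulnerable shape described in the advisory: the loop is bounded by
 * cRowsToTransfer from the GetRowsIn header, never by cBookmarks, so each
 * extra row reads aBookmarks[i] and writes status[i] past their ends. */
static void set_status_unchecked(const RowSeekByBookmark *seek,
                                 uint32_t cRowsToTransfer, HRESULT *status)
{
    for (uint32_t i = 0; i < cRowsToTransfer; i++)
        status[i] = seek_one(seek->aBookmarks[i]);
}

/* Assumed hardening: reject a row count that exceeds the bookmark count
 * before touching either array. */
static HRESULT set_status_checked(const RowSeekByBookmark *seek,
                                  uint32_t cRowsToTransfer, HRESULT *status)
{
    if (cRowsToTransfer > seek->cBookmarks)
        return E_INVALIDARG;
    for (uint32_t i = 0; i < cRowsToTransfer; i++)
        status[i] = seek_one(seek->aBookmarks[i]);
    return S_OK;
}

typedef struct {
    int      processed;   /* 1 if the loop ran, 0 if the request was refused */
    uint32_t oob_writes;  /* status slots beyond cBookmarks that were overwritten */
    uint32_t oob_bytes;   /* the same in bytes (one HRESULT is 4 bytes) */
} OverrunReport;

/* Process one modelled GetRowsIn against canary-filled backing buffers and
 * report how far past the logical arrays the loop went. `checked` selects
 * the hardened loop. A cRowsToTransfer beyond cBookmarks + SLACK is refused
 * so the simulation itself never leaves the buffers it owns. */
OverrunReport simulate_get_rows(uint32_t cBookmarks, uint32_t cRowsToTransfer,
                                int checked)
{
    OverrunReport rep = {0, 0, 0};
    if (cRowsToTransfer > cBookmarks + SLACK)
        return rep;

    uint32_t n = cBookmarks + SLACK;
    uint32_t *bookmarks = malloc(n * sizeof *bookmarks);
    HRESULT  *status    = malloc(n * sizeof *status);
    if (!bookmarks || !status) {
        free(bookmarks);
        free(status);
        return rep;
    }
    for (uint32_t i = 0; i < n; i++) {
        bookmarks[i] = (i < cBookmarks) ? 2u * i : CANARY;  /* real bookmarks are even */
        status[i]    = (HRESULT)CANARY;
    }

    RowSeekByBookmark seek = { cBookmarks, bookmarks };
    if (checked) {
        rep.processed = (set_status_checked(&seek, cRowsToTransfer, status) == S_OK);
    } else {
        set_status_unchecked(&seek, cRowsToTransfer, status);
        rep.processed = 1;
    }

    /* Every clobbered canary past cBookmarks is one out-of-bounds write, and
     * each was produced by reading the canary out of aBookmarks at the same
     * out-of-bounds index: the paired OOB read and OOB write from the text. */
    for (uint32_t i = cBookmarks; i < n; i++)
        if (status[i] != (HRESULT)CANARY)
            rep.oob_writes++;
    rep.oob_bytes = rep.oob_writes * (uint32_t)sizeof(HRESULT);

    free(bookmarks);
    free(status);
    return rep;
}

int main(void)
{
    /* Two bookmarks (the 2*4-byte result array from the text), six rows requested. */
    OverrunReport bad  = simulate_get_rows(2, 6, 0);
    OverrunReport good = simulate_get_rows(2, 6, 1);
    printf("unchecked: processed=%d oob_writes=%u (%u bytes)\n",
           bad.processed, bad.oob_writes, bad.oob_bytes);
    printf("checked:   processed=%d oob_writes=%u\n", good.processed, good.oob_writes);
    return 0;
}
```

With two bookmarks and cRowsToTransfer set to six, the unchecked loop clobbers four status slots (16 bytes) past the end of the result array, which on a real heap would be the next chunk's control structures; the checked loop refuses the request and writes nothing. Note that a real request the size the attacker controls is bounded only by the 32-bit cRowsToTransfer field, which is why the harness caps what it is willing to simulate.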
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to this exploit and has developed signatures to mitigate the threat, depending on the security service in place.
The network-based Intrusion Detection System (IDS) used by Alert Logic Threat Manager™ has been updated with new signatures for this exploit. When the signature fires, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
- Disable the WSearch (Windows Search) service by stopping it and setting its startup type to Disabled.
- Apply the security update from Microsoft, which addresses the vulnerability by correcting how Windows Search handles objects in memory.