ZDI-CAN-6135: A Remote Code Execution Vulnerability In The Microsoft Windows JET Database Engine (Sep 20, 2018)

A bug has been identified in the Microsoft JET Database Engine that could allow remote code execution. The bug is an out-of-bounds write (software writing data past the end, or before the beginning, of the intended buffer, hence “out-of-bounds”) that can be triggered by opening a Jet data source via OLEDB. A threat actor could take advantage of this vulnerability by crafting a file containing data stored in the JET database format and convincing the targeted user to open it, which would allow code execution in the context of the current process. At the time of the article’s publication, a patch had yet to be released.

Recommendation: This vulnerability appears to have been confirmed only on Windows 7 systems, but it could affect any Windows operating system, including servers. As a patch has yet to be released, the only effective mitigation currently is to remain alert to possible phishing attempts and to avoid opening attachments sent from unknown persons or sources. Furthermore, proof-of-concept code is publicly available for this vulnerability, which indicates that even unsophisticated threat actors will be capable of attempting to exploit it in future campaigns.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.