[Report] Fuzzing the Shield: CVE-2022-24548

Date 2022. 12. 13

Introduction

Antivirus software is the last line of mitigation for ordinary users and a standing obstacle for attackers. It combines cloud lookups, emulation and signature matching to detect malware. To slip past these mechanisms, attackers apply evasion tricks such as binary packing and custom obfuscation, but these tricks only buy a temporary bypass and are often OS-dependent. A more potent threat is to bypass the antivirus itself by exploiting a vulnerability in the antivirus software. To mitigate and remediate such cases, these vulnerabilities should be found and fixed before they are weaponized. So we decided to venture into one of the most widely used antiviruses: Windows Defender.

In this post, we analyze Windows Defender and the root cause of the bug that we found through fuzz testing.

Basic Information
    • Tested OS: Windows 10 1809 and 2009 (x64), Windows 11 (x64)
    • Severity: Important
    • Affected module: mpengine.dll, versions earlier than 1.1.19100.5
    • First fixed version: mpengine.dll 1.1.19100.5
    • Impact: a remote attacker can trigger a heap out-of-bounds read on a default installation of Windows Defender.
    • We reproduced this vulnerability with full page heap enabled. Full page heap places every allocation at the end of its own page, followed by an inaccessible guard page, so the out-of-bounds read faults on the first offending instruction instead of silently returning adjacent heap data.
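Reproducing a heap out-of-bounds read reliably depends on the page heap setting mentioned above. The PowerShell snippet below is an added example, not code from the original report: it enables full page heap for a process that loads mpengine.dll, confirms the setting through the registry key gflags writes, and disables it again afterwards. The image name `mpfuzz_harness.exe` is an assumption; the Defender service process itself runs as a protected process, so a separate harness that loads the engine DLL is assumed here. gflags.exe ships with the Debugging Tools for Windows and must be run from an elevated prompt.

```powershell
# Added example (not from the original report): enable full page heap for a
# hypothetical harness process that loads mpengine.dll, so that a heap
# out-of-bounds read faults on the exact offending instruction.
# Requires an elevated prompt and gflags.exe from the Debugging Tools for Windows.

$Image = 'mpfuzz_harness.exe'   # assumption: name of the harness executable

# Full page heap: every allocation ends at a page boundary that is followed by
# an inaccessible guard page, so reading one byte past the buffer raises an
# access violation immediately.
gflags /p /enable $Image /full

# Confirm what gflags wrote: the Image File Execution Options key for the
# image must carry FLG_HEAP_PAGE_ALLOCS (0x02000000) in GlobalFlag.
$ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$Image"
[uint32]$globalFlag = (Get-ItemProperty -Path $ifeo -Name GlobalFlag).GlobalFlag
if ($globalFlag -band 0x02000000) {
    Write-Host ("Page heap enabled for {0} (GlobalFlag=0x{1:X8})" -f $Image, $globalFlag)
} else {
    Write-Warning "Page heap is NOT enabled for $Image"
}

# Run the harness under a debugger (for example WinDbg) against the crashing
# input at this point; with full page heap the first out-of-bounds read is
# reported as an access violation on the guard page rather than as a later,
# unrelated crash somewhere else in the engine.

# Disable page heap when done: it multiplies memory usage, and leaving it on
# silently slows the process for every later run.
gflags /p /disable $Image
```

Check the `gflags /p` listing (or the IFEO key) before trusting a non-reproducing result: if page heap is off, an out-of-bounds read of a few bytes usually lands inside a neighbouring live allocation and produces no crash at all.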