Analysis of CVE-2021-1722
On 02/09/21, Microsoft published a fix for Windows Fax Services: Windows Fax Service Remote Code Execution Vulnerability. We decided to analyze this one for fun because it was sure to be old school — as the fax service is ancient.
Intro
The Fax Service lives in fxssvc.exe. We used our old pal Laughing Mantis’s patch extractor to take the Windows 10 Version 1803 for x64-based Systems patch apart for the relevant files. We then used winbindex to grab the previous version of fxssvc.exe.
We use Ghidra for all of our RE work, and are using the ghidra binexport plugin to get bindiff output.
Analysis
The result of the fxssvc diff is small, and it's pretty clear where the bug probably is.
Looking at the fxssvc!GetJobSize function, the changes look pretty significant!
Checking out the code, we are seeing a lot of inlined junk. Specifically, this pattern, seen in both the old and new versions, looks like an inline call to StringSize.
Additionally, in the fixed version, we see what is likely a few calls to ULongAdd.
This is a case where we took the liberty of using Ghidra's output to recreate the C code rather than try to fit all that ASM on the screen. The results may be seen below.
The fix is clearly looking for integer overflow in the return value of the fxssvc!GetJobSize function when handling the length calculation of several members of the fax job object (e.g. RecipientProfile.lptstrName), since this return value is used as the size for malloc() in a few spots. Below we can see its usage in a subsequent call to pMemAlloc in fxssvc!FAX_GetJob.
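The size-summing pattern described above, as an added C example (not the page's recreated Ghidra output and not Microsoft's code): the unchecked accumulation that can wrap, beside the fixed form that routes every add through a checked helper. The JobStrings struct, its member names and the ulong_add helper are constructed stand-ins; ulong_add copies the intsafe.h ULongAdd contract rather than calling it, so the example builds outside Windows.

```c
#include <stdint.h>
#include <stddef.h>
#include <wchar.h>
/* Constructed stand-in for the fax job object: wide-string members whose
 * byte sizes are summed into one allocation size, as GetJobSize does. */
typedef struct {
    const wchar_t *recipient_name;   /* stands in for RecipientProfile.lptstrName */
    const wchar_t *recipient_number;
    const wchar_t *document_name;
} JobStrings;

/* Bytes needed for a wide string plus its terminator; the inlined StringSize
 * pattern seen in the diff computes this. NULL members contribute nothing. */
uint32_t string_size(const wchar_t *s) {
    return s ? (uint32_t)((wcslen(s) + 1) * sizeof(wchar_t)) : 0;
}

/* Before the fix: plain 32-bit adds. If the member sizes sum past
 * 0xFFFFFFFF the total wraps and the later allocation is far too small. */
uint32_t sum_sizes_unchecked(const uint32_t sizes[], size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) total += sizes[i];
    return total;
}

/* Checked add modeled on intsafe.h ULongAdd (assumption: reimplemented here
 * so the example builds off Windows): 0 on success, -1 on overflow, and
 * *out is left untouched when it fails. */
int ulong_add(uint32_t a, uint32_t b, uint32_t *out) {
    if (UINT32_MAX - a < b) return -1;
    *out = a + b;
    return 0;
}

/* After the fix: every add goes through the checked helper, so the caller
 * sees a failure instead of receiving a wrapped size to allocate with. */
int sum_sizes_checked(const uint32_t sizes[], size_t n, uint32_t *out) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        if (ulong_add(total, sizes[i], &total)) return -1;
    *out = total;
    return 0;
}

/* Fixed-style GetJobSize over the job object: header plus each member. */
int job_size(const JobStrings *j, uint32_t *out) {
    uint32_t sizes[] = { (uint32_t)sizeof(JobStrings), string_size(j->recipient_name),
                         string_size(j->recipient_number), string_size(j->document_name) };
    return sum_sizes_checked(sizes, 4, out);
}
```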
Conclusion
This vulnerability in the Windows Fax service is due to improper length calculations when handling members of a fax job structure, which may result in an integer overflow when memory is subsequently allocated.
PS
For proof of concept code, a scanner, or to just hire the team for contract work, hit us up on email contact@streetfight.us or visit https://streetfight.us to join our telegram chat.