Vulnerability discovered by Piotr Bania of Cisco Talos.
An attacker can craft a malicious portable executable file, which if accessed causes AHCACHE.SYS to attempt to access out of scope memory. This triggers a bugcheck in the Windows kernel causing the system to crash, denying service to the user. Although AHCACHE.SYS is the driver that handles local cache compatibility information, if the vulnerability is exploited the attacker is unable to execute code or elevate user privileges.
During a cache lookup, the ‘AslpFileQueryVersionString’ function is called along with other functions. This function reads the value of EDI from the resource variable (Var->wValueLength ) in the PE without performing any bounds checking. Since the attacker controls the PE content, the threat actor can supply a value that is too large which results in the program attempting to access unavailable memory which results in an access violation that causes whole system to crash
Microsoft patched this vulnerability in security update 3178467 as described in Security Bulletin MS16-110. Talos has released rules that detect attempts to exploit this vulnerability to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.
Snort Rules: 40555-40556
For further 0-day or vulnerability reports and information visit: http://www.talosintelligence.com/vulnerability-reports/