Windows Defender mpengine remote code execution [CVE-2021-1647]

We discussed this vulnerability during Episode 73 on 20 April 2021

Heap overflow in Windows Defender (mpengine.dll). The overflow occurs while unpacking an ASProtect-packed executable. While iterating over the section table, the unpacker looks for the next highest virtual address, so if two entries share the same vaddr and one of them has a size of 0, the second occurrence is ignored. The section is therefore allocated with the wrong size, and when data is copied into it the copy overflows the allocation.
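To make the sizing flaw concrete, here is an added illustration (not mpengine's code, and not from the episode) of a section planner that walks a table by "next highest vaddr". The table layout, the `plan_naive`/`plan_safe` functions and the constructed four-entry table are all assumptions for the example; the point it shows is that an entry sharing a vaddr with an earlier one never contributes to the allocation for that address, while the hardened planner folds every entry in and rejects overlapping ranges before any copy happens.

```c
/* Illustrative reconstruction of the section-sizing flaw described above.
 * Hypothetical code for explanation only; it is not mpengine's unpacker. */
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t vaddr; uint32_t size; } section_t;  /* one table entry */
typedef struct { uint32_t vaddr; uint32_t alloc; } slot_t;    /* one planned allocation */

#define MAX_SLOTS 16

/* Naive walk: visit sections in ascending vaddr order by repeatedly picking the
 * lowest vaddr strictly greater than the last one visited. A second entry with
 * the same vaddr is never selected, so only the first entry's size is used. */
static int plan_naive(const section_t *tab, int n, slot_t *slots)
{
    int count = 0;
    int64_t last = -1;
    while (count < MAX_SLOTS) {
        int best = -1;
        for (int i = 0; i < n; i++)
            if ((int64_t)tab[i].vaddr > last &&
                (best < 0 || tab[i].vaddr < tab[best].vaddr))
                best = i;                       /* ties keep the earlier entry */
        if (best < 0) break;
        slots[count].vaddr = tab[best].vaddr;
        slots[count].alloc = tab[best].size;    /* duplicate's size is lost here */
        last = tab[best].vaddr;
        count++;
    }
    return count;
}

/* Hardened planner: same ascending walk, but every table entry is accounted
 * for (duplicate vaddrs take the largest size) and any slot that would spill
 * into the next one makes the whole table invalid (returns -1). */
static int plan_safe(const section_t *tab, int n, slot_t *slots)
{
    int count = plan_naive(tab, n, slots);
    for (int i = 0; i < n; i++)
        for (int s = 0; s < count; s++)
            if (slots[s].vaddr == tab[i].vaddr && tab[i].size > slots[s].alloc)
                slots[s].alloc = tab[i].size;
    for (int s = 0; s + 1 < count; s++)
        if ((uint64_t)slots[s].vaddr + slots[s].alloc > slots[s + 1].vaddr)
            return -1;
    return count;
}

/* Simulate the copy phase: bytes the worst entry would write past the
 * allocation planned for its vaddr (0 means every copy fits). */
static uint32_t max_overrun(const section_t *tab, int n, const slot_t *slots, int count)
{
    uint32_t worst = 0;
    for (int i = 0; i < n; i++)
        for (int s = 0; s < count; s++)
            if (slots[s].vaddr == tab[i].vaddr && tab[i].size > slots[s].alloc) {
                uint32_t over = tab[i].size - slots[s].alloc;
                if (over > worst) worst = over;
            }
    return worst;
}

/* Constructed table: two entries at 0x3000, the first with size 0. */
static const section_t demo_table[] = {
    {0x1000, 0x200}, {0x3000, 0x000}, {0x3000, 0x400}, {0x5000, 0x100},
};
#define DEMO_N 4

static uint32_t demo_naive_overrun(void)
{
    slot_t s[MAX_SLOTS];
    int c = plan_naive(demo_table, DEMO_N, s);
    return max_overrun(demo_table, DEMO_N, s, c);
}

static uint32_t demo_safe_overrun(void)
{
    slot_t s[MAX_SLOTS];
    int c = plan_safe(demo_table, DEMO_N, s);
    return c < 0 ? 0 : max_overrun(demo_table, DEMO_N, s, c);
}

/* Constructed table whose first section runs into the second. */
static int demo_overlap_result(void)
{
    const section_t overlap[] = { {0x1000, 0x3000}, {0x2000, 0x10} };
    slot_t s[MAX_SLOTS];
    return plan_safe(overlap, 2, s);
}

int main(void)
{
    printf("naive planner overrun: 0x%x bytes\n", demo_naive_overrun());
    printf("safe planner overrun:  0x%x bytes\n", demo_safe_overrun());
    printf("overlapping table: %s\n", demo_overlap_result() < 0 ? "rejected" : "accepted");
    return 0;
}
```

With the constructed table the naive walk plans a 0-byte slot for 0x3000 and the 0x400-byte duplicate overruns it, which is the shape of bug the note describes; the safe planner sizes the slot from the largest entry and refuses tables whose sections overlap, so the copy phase is never reached with an undersized buffer.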