Posted by Maddie Stone, Project Zero (2020-08-05)
Disclosure or Patch Date: 11 February 2020
Product: Microsoft Internet Explorer
Issue/Bug Report: N/A
Patch CL: N/A
Bug-Introducing CL: N/A
Proof-of-Concept: https://github.com/maxpl0it/CVE-2020-0674-Exploit
Exploit Sample: 1ad754caa89e08bb10ce538257879d0775bddd8a74b8ff14aaa3d92a2c35b543
Access to the exploit sample? Yes
Reporter(s):
Yi Huang(@C0rk1_H) & Kang Yang(@dnpushme) of Qihoo 360 ATA, Clément Lecigne of Google’s Threat Analysis Group
Bug Class: use-after-free (UAF)
Vulnerability Details: This vulnerability is almost exactly the same as CVE-2019-1367, except that here it is the named arguments that aren’t tracked, rather than the arguments array.
The vulnerability is a member of the use-after-free bug class in JScript where variables (represented by the VAR structure) aren’t properly tracked by the garbage collector. In this case, the named arguments are not tracked by the garbage collector during the Array.sort callback. Thus, during the Array.sort callback, it is possible to assign a variable to one of the named arguments, have it garbage-collected (as long as it is not referenced anywhere else) and still access it later, causing the use-after-free.
Is the exploit method known? Yes
Exploit method: This exploit uses the exact same exploit method as CVE-2019-1367, CVE-2020-1429, and CVE-2018-8653. Please see the CVE-2019-1367 root cause analysis for more details on the exploit method.
How do you think you would have found this bug? Code auditing/variant analysis on the other JScript bugs that have been recently disclosed.
(Historical/present/future) context of bug: This vulnerability is a trivial variant of CVE-2019-1367/CVE-2019-1429 and thus shares the long history with that bug. There are now 4 JScript vulnerabilities (CVE-2018-8653, CVE-2019-1367, CVE-2019-1429, and CVE-2020-0674) of the same bug class, using the same exploitation method, that all have been exploited in the wild.
Areas/approach for variant analysis: In all JScript callbacks, check that all of their variables are tracked by the garbage collector.
Found variants: N/A
Structural improvements:
- Bug classes should be fixed comprehensively, not just fixing each vulnerability individually.
- Quality and complete patches need to be prioritized. CVE-2019-1367 was not fixed the first time or the second time, and the trivial variant also wasn’t patched. This gave the attackers 3 distinct opportunities to exploit the vulnerability against users, which they apparently did. Sharing proposed patches with the reporter could help identify these issues earlier.
- JScript and Internet Explorer are now considered “legacy” software. Removing them from being accessible by default in the Windows operating system would reduce the attack surface.
Potential detection methods for similar 0-days:
- Look for any scripts that want to use JScript as their JS engine outside of a local intranet.
- Look for scripts that use the Enumerator object due to that being Microsoft specific and one of the known methods for exploiting the UAF to get remote code execution.
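As an added illustration of the two detection heuristics above (example code, not part of the Project Zero write-up), a small Python scanner that flags a document which forces Internet Explorer into the legacy JScript engine when it is served from outside the intranet, and separately notes any use of the Enumerator object. The concrete markers it looks for (an X-UA-Compatible meta tag forcing an IE8-or-older document mode, and a script `language` attribute naming a JScript engine variant) and the intranet-zone approximation are my assumptions, not statements from the page.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Markers that make Internet Explorer run a page's script in the legacy jscript.dll
# engine instead of the modern one. Which markers to look for is my assumption of what
# "wants to use JScript as its JS engine" means in practice; they are not from the page.
META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.I)
UA_COMPAT_RE = re.compile(r"http-equiv\s*=\s*[\"']?x-ua-compatible", re.I)
LEGACY_MODE_RE = re.compile(r"content\s*=\s*[\"']?\s*ie\s*=\s*(?:emulateie)?[5-8]\b", re.I)
SCRIPT_LANG_RE = re.compile(  # <script language="JScript.Compact"> or "JScript.Encode"
    r"<script\b[^>]*\blanguage\s*=\s*[\"']?jscript(?:\.compact|\.encode)?\b", re.I)
ENUMERATOR_RE = re.compile(r"\bEnumerator\s*\(")  # the Microsoft-specific object named above

def requests_legacy_jscript(html: str) -> bool:
    """True if the document forces an IE8-or-older document mode or a JScript engine."""
    for tag in META_TAG_RE.findall(html):
        if UA_COMPAT_RE.search(tag) and LEGACY_MODE_RE.search(tag):
            return True
    return bool(SCRIPT_LANG_RE.search(html))

def is_intranet(url: str) -> bool:
    """Approximate IE's Local Intranet zone: file:, private/loopback IPs, dotless hosts."""
    parsed = urlparse(url)
    if parsed.scheme == "file":
        return True
    host = parsed.hostname or ""
    try:
        return ipaddress.ip_address(host).is_private  # covers RFC 1918 and loopback
    except ValueError:
        return "." not in host  # e.g. http://fileserver/ is treated as intranet by IE

def assess(url: str, html: str) -> dict:
    """Combine both heuristics: legacy JScript requested from outside the intranet is the alert."""
    legacy = requests_legacy_jscript(html)
    enum = bool(ENUMERATOR_RE.search(html))
    intranet = is_intranet(url)
    if legacy and not intranet:
        verdict = "alert-high" if enum else "alert"
    elif enum:
        verdict = "review"
    else:
        verdict = "none"
    return {"legacy_jscript": legacy, "enumerator": enum, "intranet": intranet, "verdict": verdict}

# Constructed sample documents (not from the page or any real exploit)
SUSPICIOUS_HTML = """<html><head><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8"></head>
<body><script>var e = new Enumerator(document.all);</script></body></html>"""
BENIGN_HTML = '<html><head><title>News</title></head><body><script>var x = 1;</script></body></html>'
```

`assess("http://example.com/page.html", SUSPICIOUS_HTML)` returns a verdict of `alert-high`, while the same document served from a dotless intranet host only returns `review`.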
Other references:
- February 2020: “Darkhotel (APT-C-06) uses the ‘Double Star’ 0Day vulnerability (CVE-2019-17026, CVE-2020-0674) to analyze the APT attack launched by China (translated)” by Qihoo 360 Core Security Team
- June 2020: “The exploits of a Google TAG analyst chasing in the wild” by Clément Lecigne at SSTIC [slides]
- July 2020: “Internet Explorer CVE-2019-1367 In the Wild Exploitation - prelude” includes detailed timeline about this family of vulnerabilities/exploits by Taha Karim