Maddie Stone, Project Zero (Originally posted on Project Zero blog 2020-08-05)
Disclosure or Patch Date: 11 February 2020
Product: Microsoft Internet Explorer
Affected Versions: For Windows 10 1903/1909, KB4528760 and previous
First Patched Version: For Windows 10 1903/1909, KB4532693
Issue/Bug Report: N/A
Patch CL: N/A
Bug-Introducing CL: N/A
Exploit sample: 1ad754caa89e08bb10ce538257879d0775bddd8a74b8ff14aaa3d92a2c35b543
Did you have access to the exploit sample when doing the analysis? Yes
Bug class: JScript variable (VAR) object not tracked by garbage collector, use-after-free
This vulnerability is almost exactly the same as CVE-2019-1367, except that the untracked variables are the named arguments rather than the arguments array.
The vulnerability is a member of the use-after-free bug class in JScript where variables (represented by the VAR structure) aren’t properly tracked by the garbage collector. In this case, the named arguments of a function are not tracked by the garbage collector during the Array.sort callback. Thus, during the Array.sort callback, it is possible to assign an object to one of the named arguments, have it garbage-collected (as long as it is not referenced anywhere else), and still access it through that argument afterwards, causing the use-after-free.
Patch analysis: N/A
Thoughts on how this vuln might have been found (fuzzing, code auditing, variant analysis, etc.):
Code auditing/variant analysis on the other JScript bugs (CVE-2018-8653, CVE-2019-1367, CVE-2019-1429) that have been recently disclosed.
(Historical/present/future) context of bug:
This vulnerability is a trivial variant of CVE-2019-1367/CVE-2019-1429 and thus shares that bug’s long history. There are now 4 JScript vulnerabilities (CVE-2018-8653, CVE-2019-1367, CVE-2019-1429, and CVE-2020-0674) of the same bug class, using the same exploitation method, that have all been exploited in the wild.
Google Threat Analysis Group (TAG) has stated that all four were used by the same actor. Qihoo Core Security team said that they saw this vulnerability exploited in-the-wild with CVE-2019-17026 by Dark Hotel.
Is the exploit method known? Yes
This exploit uses the exact same exploit method as CVE-2019-1367, CVE-2019-1429, and CVE-2018-8653. Please see the CVE-2019-1367 root cause analysis for more details on the exploit method.
The Next Steps
Areas/approach for variant analysis (and why): In all JScript callbacks, check that all of their variables are tracked by the garbage collector.
Found variants
- CVE-2020-0968: During string concatenation, one of the two strings is temporarily stored on the stack and is not correctly tracked by the garbage collector.
Structural improvements
- Bug classes should be fixed comprehensively, rather than fixing each vulnerability individually.
- Quality and complete patches need to be prioritized. CVE-2019-1367 was not fixed the first time or the second time, and the trivial variant also wasn’t patched. This gave the attackers 3 distinct opportunities to exploit the vulnerability against users, which they apparently did. Sharing proposed patches with the reporter could help identify these issues earlier.
- JScript and Internet Explorer are now considered “legacy” software. Removing them from being accessible by default in the Windows operating system would reduce the attack surface.
0-day detection methods
- Look for any scripts that want to use JScript as their JS engine outside of a local intranet.
- Look for scripts that use the Enumerator object, since it is Microsoft-specific and one of the known methods for exploiting the UAF to get remote code execution.
- Look for scripts that attempt to trigger CollectGarbage.
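The three detection methods above, as an added example of a scanner written for this analysis (not code from the original post or from Project Zero). The sample documents are constructed for illustration. The page only says “use JScript as their JS engine”; how that shows up in a document is this example’s assumption: a `language="JScript"`, `JScript.Compact` or `JScript.Encode` script attribute, or an X-UA-Compatible meta tag forcing an IE8-or-older document mode, both of which route script to the legacy jscript.dll engine. The severity thresholds are likewise arbitrary choices for the example.

```python
import re

# Constructed sample documents (not real pages). The first is a plain intranet-style
# page; the second carries all three indicators from the detection list above.
SAMPLES = {
    "benign.html": (
        "<html><head><title>Intranet portal</title></head>\n"
        "<body><script>var x = [3, 1, 2]; x.sort(function(a, b) { return a - b; });"
        "</script></body></html>\n"
    ),
    "suspicious.html": (
        "<html><head>\n"
        '<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8">\n'
        "</head><body>\n"
        '<script language="JScript.Compact">\n'
        "var e = new Enumerator(someCollection);\n"
        "CollectGarbage();\n"
        "</script></body></html>\n"
    ),
}

# Indicator name -> patterns. Any one pattern matching counts as a hit for that indicator.
INDICATORS = {
    # Assumption: ways a page selects the legacy JScript engine instead of Chakra.
    "legacy_jscript_engine": [
        re.compile(r'language\s*=\s*["\']?JScript(?:\.Compact|\.Encode)?\b', re.I),
        re.compile(r'X-UA-Compatible[^>]*IE=(?:Emulate)?(?:IE)?[5-8]\b', re.I),
    ],
    # Microsoft-specific object used in the known RCE technique (from the page).
    "enumerator_object": [re.compile(r"\bnew\s+Enumerator\s*\(")],
    # Explicit trigger of the JScript garbage collector (from the page).
    "collect_garbage": [re.compile(r"\bCollectGarbage\s*\(")],
}


def scan(content):
    """Return {indicator_name: matched_text} for every indicator found in content."""
    hits = {}
    for name, patterns in INDICATORS.items():
        for pattern in patterns:
            match = pattern.search(content)
            if match:
                hits[name] = match.group(0)
                break
    return hits


def assess(content, from_intranet):
    """Map the indicator hits to a severity string.

    Per the detection list, selecting the legacy JScript engine is only
    interesting outside a local intranet, so that indicator is dropped when
    the document came from an intranet origin. Thresholds are arbitrary.
    """
    hits = scan(content)
    if from_intranet:
        hits.pop("legacy_jscript_engine", None)
    return {0: "none", 1: "low", 2: "medium"}.get(len(hits), "high")


if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, scan(content), assess(content, from_intranet=False))
```

`scan` reports which indicators fired and the text that matched, so an analyst can see why a document was flagged; `assess` turns that into a triage bucket and applies the intranet exception from the first bullet.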
Other references
- February 2020: “Darkhotel (APT-C-06) uses the "Double Star" 0Day vulnerability (CVE-2019-17026, CVE-2020-0674) to analyze the APT attack launched by China (translated)” by Qihoo 360 Core Security Team
- May 2020: Proof of concept exploit for CVE-2020-0674 by maxpl0it
- May 2020: “Internet Exploiter: Understanding Vulnerabilities in Internet Explorer” by F-Secure Labs
- June 2020: “The exploits of a Google TAG analyst chasing in the wild” by Clément Lecigne at SSTIC [slides]
- July 2020: “Internet Explorer CVE-2019-1367 In the Wild Exploitation - prelude” by Taha Karim, which includes a detailed timeline of this family of vulnerabilities/exploits