Maddie Stone, Project Zero (Originally posted on Project Zero blog 2020-08-05)

The Basics

Disclosure or Patch Date: 11 February 2020

Product: Microsoft Internet Explorer

Affected Versions: For Windows 10 1903/1909, KB4528760 and previous

First Patched Version: For Windows 10 1903/1909, KB4532693

Issue/Bug Report: N/A

Patch CL: N/A

Bug-Introducing CL: N/A

Reporter(s): Yi Huang (@C0rk1_H) & Kang Yang (@dnpushme) of Qihoo 360 ATA, Clément Lecigne of Google’s Threat Analysis Group

The Code

Proof-of-concept: by @maxpl0it

Exploit sample: 1ad754caa89e08bb10ce538257879d0775bddd8a74b8ff14aaa3d92a2c35b543

Did you have access to the exploit sample when doing the analysis? Yes

The Vulnerability

Bug class: JScript variable (VAR) object not tracked by garbage collector, use-after-free

Vulnerability details:

This vulnerability is almost exactly the same as CVE-2019-1367, except that here it is the named arguments, rather than the arguments array, that aren’t tracked.

The vulnerability is a member of the use-after-free bug class in JScript where variables (represented by the VAR structure) aren’t properly tracked by the garbage collector. In this case, the named arguments are not tracked by the garbage collector during the Array.sort callback. Thus, during the Array.sort callback, it is possible to assign a variable to one of the named arguments, have it garbage-collected (as long as it is not referenced anywhere else) and still access it later, causing the use-after-free.

Patch analysis: N/A

Thoughts on how this vuln might have been found (fuzzing, code auditing, variant analysis, etc.):

Code auditing/variant analysis on the other JScript bugs (CVE-2018-8653, CVE-2019-1367, CVE-2019-1429) that have been recently disclosed.

(Historical/present/future) context of bug:

This vulnerability is a trivial variant of CVE-2019-1367/CVE-2019-1429 and thus shares the long history with that bug. There are now 4 JScript vulnerabilities (CVE-2018-8653, CVE-2019-1367, CVE-2019-1429, and CVE-2020-0674) of the same bug class, using the same exploitation method, that all have been exploited in the wild.

Google Threat Analysis Group (TAG) has stated that all four were used by the same actor. Qihoo Core Security team said that they saw this vulnerability exploited in-the-wild with CVE-2019-17026 by Dark Hotel.

The Exploit

Is the exploit method known? Yes

Exploit method:

This exploit uses the exact same exploit method as CVE-2019-1367, CVE-2019-1429, and CVE-2018-8653. Please see the CVE-2019-1367 root cause analysis for more details on the exploit method.

The Next Steps

Variant analysis

Areas/approach for variant analysis (and why): In all JScript callbacks, check that all of their variables are tracked by the garbage collector.

Found variants:

  • CVE-2020-0968: During string concatenation, one of the two strings is temporarily stored on the stack and is not correctly tracked by the garbage collector.

Structural improvements

  • Bug classes should be fixed comprehensively, not just fixing each vulnerability individually.
  • High-quality, complete patches need to be prioritized. CVE-2019-1367 was not fixed the first time or the second time, and the trivial variant also wasn’t patched. This gave the attackers 3 distinct opportunities to exploit the vulnerability against users, which they apparently did. Sharing proposed patches with the reporter could help identify these issues earlier.
  • JScript and Internet Explorer are now considered “legacy” software. Removing them from being accessible by default in the Windows operating system would reduce the attack surface.

0-day detection methods

  • Look for any scripts that want to use JScript as their JS engine outside of a local intranet.
  • Look for scripts that use the Enumerator object due to that being Microsoft specific and one of the known methods for exploiting the UAF to get remote code execution.
  • Look for scripts that attempt to trigger CollectGarbage.
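A triage heuristic that implements the three bullets above, written here as an added example rather than Project Zero's own tooling: it flags the script-tag `language` values that force IE onto the legacy JScript engine (`JScript.Compact`/`JScript.Encode`, an assumption of this example, not stated on the page), the Enumerator object, CollectGarbage, and an Array.sort callback, and weights hits by whether the script came from outside the intranet (the intranet suffix list is a constructed placeholder).

```python
import ipaddress
import re
from typing import List
from urllib.parse import urlsplit

# Indicators derived from the three detection bullets above. The language
# attribute values that force IE onto the legacy jscript.dll engine
# (JScript.Compact, JScript.Encode) are this example's assumption about how a
# page "wants to use JScript as its JS engine"; they are not taken from the page.
INDICATORS = {
    "legacy_jscript_engine": re.compile(
        r'<script[^>]*\blanguage\s*=\s*["\']?JScript\.(?:Compact|Encode)\b', re.I),
    "enumerator_object": re.compile(r'\bnew\s+Enumerator\s*\(', re.I),
    "collect_garbage": re.compile(r'\bCollectGarbage\s*\(', re.I),
    "array_sort_callback": re.compile(r'\.sort\s*\(\s*function\b', re.I),
}

# Constructed intranet suffixes; a real deployment would load its own list.
INTRANET_SUFFIXES = (".corp.example", ".local")

def is_intranet(url: str) -> bool:
    """True if the script came from a private IP or an internal hostname."""
    host = urlsplit(url).hostname or ""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host == "localhost" or host.endswith(INTRANET_SUFFIXES)

def scan_script(source: str) -> List[str]:
    """Names of every indicator present in an HTML/script blob."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]

def triage(url: str, source: str) -> str:
    """'alert' when the legacy engine is forced and a UAF-exploitation marker
    (Enumerator or CollectGarbage) appears in a script from outside the
    intranet; 'review' for any other hit; 'ok' when nothing matches."""
    hits = scan_script(source)
    exploit_markers = {"enumerator_object", "collect_garbage"}
    if not hits:
        return "ok"
    if ("legacy_jscript_engine" in hits and exploit_markers & set(hits)
            and not is_intranet(url)):
        return "alert"
    return "review"

# Constructed samples: one carrying the traits above, one ordinary page.
SUSPICIOUS = """<script language="JScript.Compact">
var e = new Enumerator(new Array(1, 2, 3));
[1, 2].sort(function(a, b) { CollectGarbage(); return 0; });
</script>"""
BENIGN = '<script>document.title = "hello";</script>'
```

Run `triage(url, page_source)` over scripts captured at a proxy or in a sandbox; anything returning "alert" is worth pulling for manual analysis.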

Other References