# CVE-2020-0674: Internet Explorer use-after-free in JScript
*Maddie Stone, Project Zero (Originally posted on [Project Zero blog](https://googleprojectzero.blogspot.com/p/rca.html) 2020-08-05)*

## The Basics

**Disclosure or Patch Date:** 11 February 2020

**Product:** Microsoft Internet Explorer

**Advisory:** https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0674 

**Affected Versions:** For Windows 10 1903/1909, [KB4528760](https://support.microsoft.com/en-us/help/4528760) and previous

**First Patched Version:** For Windows 10 1903/1909, [KB4532693](https://support.microsoft.com/en-us/help/4532693/windows-10-update-kb4532693)

**Issue/Bug Report:** N/A

**Patch CL:** N/A

**Bug-Introducing CL:** N/A

**Reporter(s):** Yi Huang ([@C0rk1_H](https://twitter.com/C0rk1_H)) & Kang Yang ([@dnpushme](https://twitter.com/dnpushme)) of Qihoo 360 ATA, Clément Lecigne of Google’s Threat Analysis Group

## The Code

**Proof-of-concept:** https://github.com/maxpl0it/CVE-2020-0674-Exploit by [@maxpl0it](https://twitter.com/maxpl0it)

**Exploit sample:** [1ad754caa89e08bb10ce538257879d0775bddd8a74b8ff14aaa3d92a2c35b543](https://www.virustotal.com/gui/file/1ad754caa89e08bb10ce538257879d0775bddd8a74b8ff14aaa3d92a2c35b543/detection)

**Did you have access to the exploit sample when doing the analysis?** Yes

## The Vulnerability

**Bug class:** JScript *variable* (VAR) object not tracked by garbage collector, use-after-free

**Vulnerability details:** 

This vulnerability is almost exactly the same as [CVE-2019-1367](../2019/CVE-2019-1367.md), except that it is the named arguments, rather than the `arguments` array, that are not tracked.

The vulnerability belongs to the use-after-free bug class in JScript where variables (represented by the VAR structure) are not properly tracked by the garbage collector. In this case, the named arguments of the Array.sort callback are not tracked by the garbage collector while the callback runs. Thus, during the Array.sort callback, it is possible to assign a variable to one of the named arguments, have it garbage-collected (as long as it is not referenced anywhere else), and still access it afterwards, causing the use-after-free.

**Patch analysis:** N/A

**Thoughts on how this vuln might have been found _(fuzzing, code auditing, variant analysis, etc.)_:**

Code auditing/variant analysis on the other JScript bugs (CVE-2018-8653, CVE-2019-1367, CVE-2019-1429) that have been recently disclosed.

**(Historical/present/future) context of bug:** 

This vulnerability is a trivial variant of [CVE-2019-1367](../2019/CVE-2019-1367.md)/CVE-2019-1429 and thus shares the long history with that bug. There are now 4 JScript vulnerabilities (CVE-2018-8653, CVE-2019-1367, CVE-2019-1429, and CVE-2020-0674) of the same bug class, using the same exploitation method, that all have been exploited in the wild. 

[Google Threat Analysis Group (TAG) has stated](https://www.blog.google/threat-analysis-group/identifying-vulnerabilities-and-protecting-you-phishing/) that all four were used by the same actor. [Qihoo Core Security team said](https://blogs.360.cn/post/apt-c-06_0day.html) that they saw this vulnerability exploited in-the-wild with [CVE-2019-17026](CVE-2019-17026.md) by Dark Hotel.

## The Exploit

**Is the exploit method known?** Yes

**Exploit method:** 

This exploit uses the exact same exploit method as CVE-2019-1367, CVE-2019-1429, and CVE-2018-8653. Please see the [CVE-2019-1367 root cause analysis](../2019/CVE-2019-1367.md) for more details on the exploit method.

## The Next Steps

### Variant analysis

**Areas/approach for variant analysis (and why):** In all JScript callbacks, check that all of their variables are tracked by the garbage collector.

**Found variants:**

* [CVE-2020-0968](https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2020-0968): During string concatenation, one of the two strings is temporarily stored on the stack and is not correctly tracked by the garbage collector.

### Structural improvements

* Bug classes should be fixed comprehensively, not just fixing each vulnerability individually.
* High-quality, complete patches need to be prioritized. CVE-2019-1367 was not fixed the first time or the second time, and the trivial variant also wasn’t patched. This gave the attackers 3 distinct opportunities to exploit the vulnerability against users, which they apparently did. Sharing proposed patches with the reporter could help identify these issues earlier.
* JScript and Internet Explorer are now considered “legacy” software. Removing them from being accessible by default in the Windows operating system would reduce the attack surface.

### 0-day detection methods

* Look for any scripts that want to use JScript as their JS engine outside of a local intranet.
* Look for scripts that use the Enumerator object due to that being Microsoft specific and one of the known methods for exploiting the UAF to get remote code execution.
* Look for scripts that attempt to trigger CollectGarbage.
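The three detection ideas above as a small script scanner, written for this write-up as an added example (not tooling from Project Zero or any of the referenced reports). The concrete strings it treats as "wants the legacy JScript engine" (an `X-UA-Compatible` meta tag pinning an IE8-or-older document mode, or a `language="JScript.Compact"` / `"JScript.Encode"` script attribute) and the intranet heuristic are my assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Patterns for the three detection ideas above. The strings taken to force the
# legacy jscript.dll engine (an X-UA-Compatible tag with an IE<=8 document mode,
# or a script "language" attribute of JScript.Compact / JScript.Encode) are my
# assumptions, not indicators stated in the write-up.
INDICATORS = {
    "legacy_jscript_engine": re.compile(
        r"X-UA-Compatible[^>]*?IE=(?:EmulateIE)?[5-8]\b"
        r"|language\s*=\s*[\"']?JScript\.(?:Compact|Encode)", re.IGNORECASE),
    "enumerator_object": re.compile(r"\bnew\s+Enumerator\s*\(", re.IGNORECASE),
    "collect_garbage": re.compile(r"\bCollectGarbage\s*\(", re.IGNORECASE),
}


def is_intranet(url):
    """Treat private/loopback IPs, single-label hosts and .local names as intranet."""
    host = urlparse(url).hostname or ""
    if not host:
        return False
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return "." not in host or host.endswith(".local")


def scan_script(url, body):
    """Return the indicators found in body and a verdict. Pinning the legacy
    engine is tolerated on the intranet (old line-of-business apps); off the
    intranet it is flagged on its own, as are Enumerator and CollectGarbage."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
    legacy_only = hits == ["legacy_jscript_engine"]
    suspicious = bool(hits) and not (legacy_only and is_intranet(url))
    return {"url": url, "hits": hits, "suspicious": suspicious}


# Constructed samples: an exploit-shaped page and a benign intranet page that
# only pins an old document mode.
SUSPECT = """<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8">
<script language="JScript.Compact">
var e = new Enumerator(list); CollectGarbage();
</script>"""
INTRANET = """<meta http-equiv="X-UA-Compatible" content="IE=8">
<script>document.getElementById('grid').refresh();</script>"""
```

Call `scan_script(url, body)` on each script body seen by a proxy or EDR sensor; the `hits` list tells an analyst which of the three signals fired.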

## Other References 

* February 2020: [“Darkhotel (APT-C-06) uses the "Double Star" 0Day vulnerability (CVE-2019-17026, CVE-2020-0674) to analyze the APT attack launched by China (translated)”](https://blogs.360.cn/post/apt-c-06_0day.html) by Qihoo 360 Core Security Team
* May 2020: [Proof of concept exploit for CVE-2020-0674](https://github.com/maxpl0it/CVE-2020-0674-Exploit) by maxpl0it
* May 2020: [“Internet Exploiter: Understanding Vulnerabilities in Internet Explorer”](https://labs.f-secure.com/blog/internet-exploiter-understanding-vulnerabilities-in-internet-explorer) by F-Secure Labs
* June 2020: [“The exploits of a Google TAG analyst chasing in the wild”](https://labs.f-secure.com/blog/internet-exploiter-understanding-vulnerabilities-in-internet-explorer) by Clément Lecigne at SSTIC [[slides](https://www.sstic.org/media/SSTIC2020/SSTIC-actes/cloture_2020/SSTIC2020-Slides-cloture_2020-lecigne.pdf)]
* July 2020: [“Internet Explorer CVE-2019-1367 In the Wild Exploitation - prelude”](https://blog.confiant.com/internet-explorer-cve-2019-1367-in-the-wild-exploitation-prelude-ef546f19cd30) includes detailed timeline about this family of vulnerabilities/exploits by Taha Karim