0x00 Vulnerability description
The affected component is jscript.dll, one of the JavaScript engines of Microsoft Internet Explorer. IE8 and earlier use jscript.dll; IE9 and later use jscript9.dll by default, but a web page can use the <script> tag to specify that jscript.dll be loaded in IE8 compatibility mode, so IE9, IE10 and IE11 are all affected by this vulnerability.
In terms of operating systems, the vulnerability affects every client and server edition from Windows 7 through Windows 10.
The vulnerability is a use-after-free (UAF). The attack sample uses the UAF to achieve type confusion, from which it obtains arbitrary memory read/write and bypasses ASLR and other exploit mitigations, then requests the next-stage payload from a specified IP address, finally achieving remote code execution.
0x01 Affected versions
Product | Platform
--- | ---
Internet Explorer 10 | Windows Server 2012
Internet Explorer 11 | Windows 10 Version 1803 for 32-bit Systems
Internet Explorer 11 | Windows 10 Version 1803 for x64-based Systems
Internet Explorer 11 | Windows 10 Version 1803 for ARM64-based Systems
Internet Explorer 11 | Windows 10 Version 1809 for 32-bit Systems
Internet Explorer 11 | Windows 10 Version 1809 for x64-based Systems
Internet Explorer 11 | Windows 10 Version 1809 for ARM64-based Systems
Internet Explorer 11 | Windows Server 2019
Internet Explorer 11 | Windows 10 Version 1909 for 32-bit Systems
Internet Explorer 11 | Windows 10 Version 1909 for x64-based Systems
Internet Explorer 11 | Windows 10 Version 1909 for ARM64-based Systems
Internet Explorer 11 | Windows 10 Version 1709 for 32-bit Systems
Internet Explorer 11 | Windows 10 Version 1709 for x64-based Systems
Internet Explorer 11 | Windows 10 Version 1709 for ARM64-based Systems
Internet Explorer 11 | Windows 10 Version 1903 for 32-bit Systems
Internet Explorer 11 | Windows 10 Version 1903 for x64-based Systems
Internet Explorer 11 | Windows 10 Version 1903 for ARM64-based Systems
Internet Explorer 11 | Windows 10 for 32-bit Systems
Internet Explorer 11 | Windows 10 for x64-based Systems
Internet Explorer 11 | Windows 10 Version 1607 for 32-bit Systems
Internet Explorer 11 | Windows 10 Version 1607 for x64-based Systems
Internet Explorer 11 | Windows Server 2016
Internet Explorer 11 | Windows 7 for 32-bit Systems Service Pack 1
Internet Explorer 11 | Windows 7 for x64-based Systems Service Pack 1
Internet Explorer 11 | Windows 8.1 for 32-bit systems
Internet Explorer 11 | Windows 8.1 for x64-based systems
Internet Explorer 11 | Windows RT 8.1
Internet Explorer 11 | Windows Server 2008 R2 for x64-based Systems Service Pack 1
Internet Explorer 11 | Windows Server 2012
Internet Explorer 11 | Windows Server 2012 R2
Internet Explorer 9 | Windows Server 2008 for 32-bit Systems Service Pack 2
Internet Explorer 9 | Windows Server 2008 for x64-based Systems Service Pack 2
0x02 Vulnerability reproduction
IE version: 11.900.18362.0
Python: Python 3.8
Operating system: Windows 10 Pro for Workstations
0x03 Writing the scripts
1. Write the HTML page CVE-2020-0674.html

```html
<head>
<meta http-equiv="X-UA-Compatible" content="IE=11">
</head>
<!-- language="Jscript.Encode" makes IE load the legacy jscript.dll engine rather than jscript9.dll -->
<script language="Jscript.Encode">
document.write("jscript.dll says hello.");
</script>
```
2. Write the Python script CVE-2020-0674.py

```python
from selenium import webdriver

# Path to IEDriverServer.exe (raw string so the backslashes are not treated as escapes)
ieDriver = r"C:\Program Files (x86)\Internet Explorer\IEDriverServer.exe"
# Selenium 3 style; Selenium 4.10+ removed executable_path in favour of a Service object
browser = webdriver.Ie(executable_path=ieDriver)
# This is the path where the HTML page is stored
browser.get(r'file:///D:\My_hacker_tool kil\cve-jiance\CVE-2020-0674\cve-2020-0674.html')
```
0x04 Reproduction successful
0x05 Remediation advice
32-bit systems

```bat
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N
```
64-bit systems

```bat
takeown /f %windir%\syswow64\jscript.dll
cacls %windir%\syswow64\jscript.dll /E /P everyone:N
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N
```
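An added check, not part of the original post, for confirming whether the workaround above is in place on a machine: it inspects the ACL of each copy of jscript.dll for the Deny entry that `cacls ... /P everyone:N` writes (matched by the Everyone SID S-1-1-0 so it works on localized Windows) and reports the file version so you can also tell whether the security update has landed. It assumes it is run from a 64-bit PowerShell on a 64-bit system, so the System32 path is not redirected to SysWOW64.

```powershell
# Added example (not from the original post): report the protection status of jscript.dll.
function Test-JscriptWorkaround {
    $paths = @("$env:windir\System32\jscript.dll")
    if ([Environment]::Is64BitOperatingSystem) {
        # On x64 Windows the 32-bit IE engine lives in SysWOW64 and needs the same treatment
        $paths += "$env:windir\SysWOW64\jscript.dll"
    }
    foreach ($path in $paths) {
        if (-not (Test-Path -Path $path)) {
            [pscustomobject]@{ Path = $path; Present = $false; Restricted = $null; Version = $null }
            continue
        }
        $acl = Get-Acl -Path $path
        # "cacls <file> /E /P everyone:N" adds a Deny ACE for Everyone; look for it by SID
        $deny = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
        }
        [pscustomobject]@{
            Path       = $path
            Present    = $true
            Restricted = [bool]$deny
            Version    = (Get-Item -Path $path).VersionInfo.FileVersion
        }
    }
}

Test-JscriptWorkaround | Format-Table -AutoSize
```

Once the security update is installed, the workaround is removed with `cacls <path> /E /R everyone` on each file, after which this check should report Restricted = False.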