From BinDiff to 0day: Internet Explorer UAF vulnerability analysis-vulnerability warning-the black bar safety net

The last 6 months, I to Microsoft the report the IE browser in aUAF（after the release of the reused vulnerability vulnerability is the official positioning of the severity levels, numberedCVE-2019-1208, Microsoft in 9 monthsPatch Tuesdayfixes this vulnerability. I byBinDiff a binary code analysis tool that discovered the defect, prepare a PoC to demonstrate how to in Windows 10 RS5 system to exploit the vulnerability.

This article briefly describes the vulnerability research process, and if you want in-depth analysis of the vulnerability, you can refer to this articletechnical briefing.

0x01 CVE-2019-1208
As mentioned earlier, CVE-2019-1208 is a UAF vulnerability. Such security issues would undermine the validity of the data, causing the process to crash, and the attacker can according to the vulnerability trigger to arbitrary code execution or remote code. Once successfully exploited, CVE-2019-1208 vulnerability, the attacker can get the system with the current user the same permissions. If the current user has administrator privileges, then the attacker can hijack the affected system, such as Install or uninstall programs, view and modify data to create a full permissions user accounts etc.

0x02 potential impact
In a relatively straightforward attack scenario, an attacker can through the social engineering way to the unknown user to send phishing messages, inducing users through the IE browser to access that contains the CVE-2019-1208 of the code of the malicious sites can be. In addition, the attacker can also send spam, the Annex contains the vulnerability is the use of the code. These attachments can be enabled for the IE rendering engine, Microsoft Office document, or contains an ActiveX control Application Program Files, and then in the control that contains the exploit code. The attacker can also be compromised and the user interaction data such as advertisement data of a legitimate site, in the above hosting use code.
! [](/Article/UploadPic/2019-9/2019917134346354. png)
Figure 1. VbsJoin code execution flow

0x03 discovery process
The story is derived from BinDiff, when I want to compare the next Microsoft in 5 month and 6 month of vbscript. the dll function which changes the vbscript. the dll is that contains the VBScript engine related API functions of a module to. I found Microsoft in SafeArrayAddRef, the SafeArrayReleaseData and SafeArrayReleaseDescriptor this a few function to do the changes.
After further research, prior to their discovery of another vulnerability, CVE-2018-8373 of inspiration, I by the following steps, using the VBScriptClass trigger a UAF problem:
1, a arr = Array(New MyClass): create a SafeArray that will VBScriptclass: MyClass is saved in arr[0]; and
2, the Callback: arr = Array(0): Join(arr)will trigger MyClass Public Default Property Get callback function. The callback for the variable arr to create a new SafeArray to. As shown in Figure 1, a new SafeArray and not subject to SafeArrayAddRef function of protection. Thus, the browser the normal vision of the Code Stream is the callback function break; and
3, the arr(0) = Join(arr): when from the Public Default Property Get callback function returns, VbsJoin the code execution flow will call SafeArrayReleaseData and SafeArrayReleaseDescriptor to reduce SafeArrayData and SafeArrayDescriptor the reference count. However, a new SafeArray is not affected by SafeArrayAddRef protection, and SafeArrayData and SafeArrayDescriptor the reference count is 0. Therefore, the new SafeArray of SafeArrayData and SafeArrayDescriptor in SafeArrayReleaseData and SafeArrayReleaseDescriptor function is released, as shown in Figure 2.

[1] [2] next