Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674)

2020-01-22T00:00:00
ID SMB_INTERNET_EXPLORER_CVE_2020_0674.NASL
Type nessus
Reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-02-02T00:00:00

Description

The Internet Explorer installation on the remote host is missing a security update. It is, therefore, affected by the following vulnerability :

  • A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-0674)

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#
include('compat.inc');

if (description)
{
  script_id(133147);
  script_version("1.4");
  script_cvs_date("Date: 2020/02/05");

  script_cve_id("CVE-2020-0674");

  script_name(english:"Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674)");
  script_summary(english:"Checks the Internet Explorer version and the file permissions of jscript.dll");

  script_set_attribute(attribute:"synopsis", value:
"The Internet Explorer installation on the remote host is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Internet Explorer installation on the remote host is
missing a security update. It is, therefore, affected by the
following vulnerability :

  - A remote code execution vulnerability exists in the way that
    the scripting engine handles objects in memory in Internet
    Explorer. The vulnerability could corrupt memory in such a way
    that an attacker could execute arbitrary code in the context 
    of the current user. An attacker who successfully exploited 
    the vulnerability could gain the same user rights as the current user. 
    (CVE-2020-0674)");
  # https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0ef3f446");
  script_set_attribute(attribute:"solution", value:
"Refer to mitigation steps in Microsoft advisory ADV200001.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-0674");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/01/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated", "SMB/IE/Version");
  script_require_ports(139, 445);

  exit(0);
}
include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
include('smb_func.inc');
include('smb_hotfixes_fcheck.inc');
include('smb_hotfixes.inc');

##
# Gets the DACL of the given file
#
# @anonparam fh handle of the file to obtain the DACL for
#
# @return DACL associated with 'fh'
# Taken from smb_insecure_service_permissions.nasl
##
function _get_dacl()
{
  local_var fh, sd, dacl;
  fh = _FCT_ANON_ARGS[0];

  sd = GetSecurityInfo(handle:fh, level:DACL_SECURITY_INFORMATION);
  if (isnull(sd))
    return NULL;

  dacl = sd[3];
  if (isnull(dacl))
    return NULL;

  dacl = parse_pdacl(blob:dacl);
  if (isnull(dacl))
    return NULL;

  return dacl;
}

##
# Checks if any user has access to jscript.dll
# Returns TRUE if yes, which indicates incomplete mitigation.
##
function _insecure_file_perms()
{
  local_var arch, path, perm_to_check, allowed, fh, dacl, ace, rights, type, sid, groups;
  local_var sysroot, path32, path64, paths, full_path, files;

  arch = get_kb_item('SMB/ARCH');
  sysroot = hotfix_get_systemroot();
  path32 = '\\System32\\jscript.dll';
  path64 = '\\SysWOW64\\jscript.dll';
  files = make_array();

  # default to checking both, since not finding syswow64 is
  # functionally the same as not having access here. 
  if(isnull(arch) || arch == 'x64')
    paths = [path32, path64];
  else paths = [path32];

  foreach path (paths)
  {
    allowed = make_array();
    full_path = sysroot + path;
    path =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:full_path);
    perm_to_check = FILE_READ_DATA;

    if (isnull(path)) continue;

    fh = CreateFile(
      file:path,
      desired_access:STANDARD_RIGHTS_READ,
      file_attributes:FILE_ATTRIBUTE_NORMAL,
      share_mode:FILE_SHARE_READ,
      create_disposition:OPEN_EXISTING
    );
    if (isnull(fh)) continue;

    dacl = _get_dacl(fh);
    CloseFile(handle:fh);
    if (isnull(dacl)) continue;

    foreach ace (dacl)
    {
      ace = parse_dacl(blob:ace);
      if (isnull(ace)) continue;

      rights = ace[0];
      type = ace[3];
      sid = sid2string(sid:ace[1]);
      if (isnull(sid)) continue;
      if (
        type == ACCESS_ALLOWED_ACE_TYPE && rights & perm_to_check == perm_to_check &&
        (sid == '1-1-0' ||     # Everyone
        sid == '1-5-32-545' || # Users
        sid == '1-5-11')       # Authenticated Users
        )
        {
          allowed[sid] = TRUE;
        }
      else if (
        type == ACCESS_DENIED_ACE_TYPE && rights & perm_to_check == perm_to_check &&
        (sid == '1-1-0' ||      # Everyone
         sid == '1-5-32-545' || # Users
         sid == '1-5-11')       # Authenticated Users
        )
        {
          allowed[sid] = FALSE;
        }
    }
    # Owner of the file can see result for EVERYONE group when scanning
    # and only when the mitigation is active (i.e. EVERYONE = FALSE)
    # Other admins can't necessarily see that (even when mitigation active)
    # so we could be vuln if 1-1-0 isnull && 1-5-32-545 is allowed
    if(isnull(allowed['1-1-0']) && maxlen(allowed)>0)
    {
      files[full_path] = TRUE;
    }
    else if(allowed['1-1-0']==TRUE)
      files[full_path] = TRUE;
  }
  
  if(maxlen(files)>0)
    return files;
  return NULL;
}

get_kb_item_or_exit('SMB/Registry/Enumerated');
version = get_kb_item_or_exit('SMB/IE/Version');

#Checking IE Version
if (version !~ "^(9|10|11)\.")
    audit(AUDIT_HOST_NOT, 'affected');

#Login & access share to system
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();
port    =  kb_smb_transport();

if(! smb_session_init(report_access_trouble:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');

report = NULL;
share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

ret = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (isnull(ret) || ret == -1 || ret == 0)
{
    NetUseDel();
    audit(AUDIT_MISSING_CREDENTIALS, 'valid');
}

#Check if we have access to any file in system32
root = hotfix_get_systemroot();
kernel_path = root + '\\system32\\kernel32.dll';
kernel_path =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:kernel_path);
fh = CreateFile(
    file:kernel_path,
    desired_access:STANDARD_RIGHTS_READ,
    file_attributes:FILE_ATTRIBUTE_NORMAL,
    share_mode:FILE_SHARE_READ,
    create_disposition:OPEN_EXISTING
  ); 

if (isnull(fh))
{
  NetUseDel();
  audit(AUDIT_FN_FAIL, 'insecure_file_perms', 'No access granted for system32.');
}

#Check if anyone has read access to the files
files = _insecure_file_perms();

if (!empty_or_null(files))
{
    report = 'Access to the following files is permitted for a user or group on the system:\n\n';
    report += '  Internet Explorer Version: ' + version + '\n';
    foreach file (keys(files)){
      report += '  '+file+'\n';
    }
    report += '\nThis configuration indicates that Internet Explorer is vulnerable to CVE-2020-0674.\n';
    report += 'Refer to Microsoft advisory ADV200001 for more information and mitigation steps.\n';
}

NetUseDel();

if (isnull(report))
  audit(AUDIT_HOST_NOT, 'affected');

security_hole(port:port, extra:report);