Security News

Scripting Engine Memory Corruption Vulnerability CVE-2020-0674

By

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka ‘Scripting Engine Memory Corruption Vulnerability’. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Observing the exploit code the parameter in sort function is not added to the garbage collection hence it can be used later to achieve arbitrary code execution.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The attacker connects to following malicious domains.

The IE crashes indicating the vulnerable dll

SonicWall Capture Labs Threat Research team provides protection against this vulnerability with the following signature:

  • IPS 14744 Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674)

Microsoft hasa issued a patch for this vulnerability.

IoCs :

12e976a740b85e6a388d05e7f2a7cf718c74542ae5ecf920018c3ed4622704b9
7bd93ca00a16d87be656d1aab6a551f9e95d8001bc402de66402df49dbd999fd
c22379c184b5d40cdd49cda83208c71aee423d69890826a7c738f709bda0dc6c
77fb4527f2a0d5671bff164bb0e845275eb2559b3941a9a289fc778bc918a6c0
1efbf18887f7ffbbb7d6fb4436154e5558ff9ffea5b963b496bd354a47359b40
c170d81cce2fd67e21aa18623395c7eb457026ac41208df7b9821013117ce465
ebd8162e8966197c9fd72b51d49318d96155e6a6b18cc14c17c227e104fa6f46
437b49242ee018a3ef407d2aa0838dfcdb55013bf7a599ad2bbd2db4fa48aca5
202.122.128.28

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Ivanti Server-Side Request Forgery to Auth-Bypass
Malicious Microsoft office macros downloading Dridex trojan (January 12, 2015)
SSH ProxyCommand Command Injection
VMware Workspace ONE Access & Identity Manager (vIDM) RCE Vulnerability
GuLoader Demystified: Unraveling its Vectored Exception Handler Approach
ImageMagick mogrify buffer overflow vulnerability (Oct 21 2016)
FakeRansom: Deletes files then demands payment for nothing (Jul 15th, 2016)
Novell File Reporter FSFUI Arbitrary File Retrieval (Nov 27, 2012)