
How JScript script engine remote code execution vulnerability notification

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

In this issue, the editor presents a notice on the remote code execution vulnerability in the JScript script engine (CVE-2019-1367). The article covers the background, the affected versions, the impact, and the patch and interim mitigation steps, and analyses them from a practitioner's point of view.

Document information

Number: QiAnXinTI-SV-2019-0022
Keywords: IE, JScript, RCE, remote code execution, CVE-2019-1367
Release date: September 24, 2019
Update date: September 25, 2019
TLP: WHITE
Analysis team: Qi An Xin Threat Intelligence Center, Red Raindrop Security Research Team

Notice background

On September 23, 2019, Microsoft issued an emergency out-of-band security update that fixes a remote code execution vulnerability in Internet Explorer 9, 10 and 11 on the Windows platform. The vulnerability was discovered by Clément Lecigne of Google's Threat Analysis Group. An attacker can exploit it by luring a user into visiting a malicious web page; triggering the vulnerability gives the attacker control of the user's system.

According to Microsoft's description, the vulnerability has already been exploited in the wild.

Microsoft has published an out-of-band patch and an advisory for this vulnerability, and the technical details have been shared with security partners. Qi An Xin Threat Intelligence Center has confirmed that the vulnerability exists. Users are strongly advised to install the update to protect themselves from this threat.

Several intelligence signals point the same way: a tacit retweet by the vulnerability's discoverer, a tweet attributing the vulnerability to the DarkHotel APT group, and tweets from the head of Kaspersky's Global Research and Analysis Team (GReAT) all indicate that this 0-day was very likely exploited by DarkHotel.

After learning of the incident, Qi An Xin Threat Intelligence Center assessed it and concluded that, among the state-backed groups that conduct targeted attacks, DarkHotel is one of the APT groups that favour 0-day vulnerabilities. Its earlier use of the VBScript 0-days CVE-2018-8174 and CVE-2018-8373 shows that the group selects its targets and then buys or builds customised exploit weapons for them, so this vulnerability deserves attention, especially from high-value organisations.

According to open-source intelligence, DarkHotel is an APT group attributed to South Korea. It initially targeted business travellers staying in high-end hotels and national officials, using hotel Wi-Fi networks as the entry point. Today DarkHotel uses a variety of methods to conduct sustained attacks against targets in China, Russia, North Korea, Japan and elsewhere, and it is a highly capable APT group.

Vulnerability summary

Vulnerability name: Microsoft IE script engine remote code execution vulnerability
Threat type: remote code execution
Threat level: critical
Vulnerability ID: CVE-2019-1367
Description: An attacker may take control of the user's system by deceiving a user of an unpatched version of IE into visiting a maliciously crafted web page, triggering a memory corruption vulnerability to obtain arbitrary code execution.
Affected versions:
  Internet Explorer 11 on Windows 10, Windows 8.1, Windows 7, Windows Server 2012/R2, Windows Server 2008 R2, Windows Server 2016 and Windows Server 2019
  Internet Explorer 10 on Windows Server 2012 only
  Internet Explorer 9 on Windows Server 2008 SP2

Vulnerability description

The vulnerability lies in jscript.dll, the legacy script engine in IE. A flaw in the way the engine handles objects in memory causes memory corruption, which an attacker can turn into remote code execution. Note that IE 11 normally runs JavaScript through the newer Jscript9.dll; the vulnerable jscript.dll is only loaded when a page asks for the legacy engine (for example through a legacy document mode), which is why restricting access to jscript.dll works as a stopgap.

An attacker can trick a user of an unpatched version of IE into visiting a maliciously crafted web page or website; successfully triggering the vulnerability gives the attacker the same rights as the current user, which allows installing malicious programs and adding, deleting, changing or viewing data.

Impact area assessment

According to Baidu's browser market share statistics, IE 11 currently holds about 7.26% of the market, which is a very large absolute number given the size of China's online population.

Domestically, many government and enterprise intranets still rely on IE because their office systems are only compatible with it, and some internal sites still use JScript as their script engine.

Remediation

Install the system patch. The update and the affected-version list are published in Microsoft's advisory:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367

Mitigation measures

Restrict access to JScript.dll

For 32-bit systems, run the following commands at an elevated (administrator) command prompt:

takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit systems, run the following commands at an elevated (administrator) command prompt (both the 32-bit copy under syswow64 and the 64-bit copy under system32 must be restricted):

takeown /f %windir%\syswow64\jscript.dll
cacls %windir%\syswow64\jscript.dll /E /P everyone:N
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N

Applying these steps may reduce the functionality of components that depend on jscript.dll. They are only a stopgap: for full protection, install the update as soon as possible. Before installing the update, undo the mitigation steps to return the file permissions to their normal state; otherwise the update may fail to replace the restricted file.

How to undo the interim mitigation

For 32-bit systems, run the following command at an elevated (administrator) command prompt:

cacls %windir%\system32\jscript.dll /E /R everyone

For 64-bit systems, run the following commands at an elevated (administrator) command prompt:

cacls %windir%\system32\jscript.dll /E /R everyone
cacls %windir%\syswow64\jscript.dll /E /R everyone
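The apply, verify and undo steps above can be wrapped in a single PowerShell function so that an administrator can confirm the mitigation actually took effect on every copy of jscript.dll. The following is an added example written for this notice; it is not part of the original advisory or of Microsoft's guidance. It assumes an elevated PowerShell session, runs the same takeown and cacls commands the advisory gives, and then checks the resulting ACL for a Deny entry on the well-known Everyone SID (S-1-1-0). The function name Set-JScriptMitigation and its -Mode parameter are this example's own choices.

```powershell
# Added example (not from the original advisory): apply, check or revert the
# CVE-2019-1367 interim mitigation and report whether each jscript.dll copy is restricted.
# Assumes an elevated PowerShell session. Function and parameter names are hypothetical.
function Set-JScriptMitigation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Apply', 'Revert', 'Check')]
        [string]$Mode
    )

    # system32 always holds the native copy; a 64-bit OS also carries a 32-bit
    # copy under syswow64, and both must be handled (as in the advisory).
    $paths = @("$env:windir\system32\jscript.dll")
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "$env:windir\syswow64\jscript.dll"
    }

    foreach ($dll in $paths) {
        if (-not (Test-Path -Path $dll)) {
            Write-Warning "$dll not found, skipping"
            continue
        }

        switch ($Mode) {
            'Apply' {
                # Take ownership, then replace Everyone's permissions with "None",
                # which cacls applies as a Deny entry for Everyone.
                & takeown /f $dll | Out-Null
                & cacls $dll /E /P everyone:N | Out-Null
            }
            'Revert' {
                # Remove the Everyone entry again; do this before installing the update.
                & cacls $dll /E /R everyone | Out-Null
            }
            'Check' { }
        }

        # Verify by reading the ACL back: look for a Deny ACE whose principal
        # resolves to the Everyone SID, so the check is independent of locale.
        $acl = Get-Acl -Path $dll
        $deny = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
        }

        [pscustomobject]@{
            Path        = $dll
            FileVersion = (Get-Item -Path $dll).VersionInfo.FileVersion
            Mitigated   = [bool]$deny
        }
    }
}

# Usage (elevated):
#   Set-JScriptMitigation -Mode Check    # report current state without changing anything
#   Set-JScriptMitigation -Mode Apply    # restrict jscript.dll until the patch is installed
#   Set-JScriptMitigation -Mode Revert   # undo before running Windows Update
```

The FileVersion column is reported only so that the state of each copy can be recorded before and after patching; this example does not hard-code the fixed build numbers, which should be taken from Microsoft's advisory for the specific Windows version.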
