Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674) (Deprecated) - Nessus

High   Plugin ID: 133147

This page contains detailed information about the Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674) (Deprecated) Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or in Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 133147
Name: Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674) (Deprecated)
Filename: smb_internet_explorer_cve_2020_0674.nasl
Vulnerability Published: 2020-01-20
This Plugin Published: 2020-01-22
Last Modification Time: 2021-11-30
Plugin Version: 1.7
Plugin Type: local
Plugin Family: Windows
Dependencies: smb_hotfixes.nasl
Required KB Items: SMB/IE/Version, SMB/Registry/Enumerated

Vulnerability Information


Severity: High
Vulnerability Published: 2020-01-20
Patch Published: 2020-01-20
CVE: CVE-2020-0674
CPE: cpe:/a:microsoft:ie, cpe:/o:microsoft:windows
Exploited by Malware: True

Synopsis

This plugin has been deprecated.

Description

This plugin was a workaround for the then-unpatched vulnerability CVE-2020-0674, which was patched in the February 2020 rollups. The plugin smb_nt_ms20_feb_internet_explorer.nasl (plugin ID 133619) includes the check for the new patch for this vulnerability.

Public Exploits


Target Network Port(s): 139, 445
Target Asset(s): N/A
Exploit Available: True (Exploit-DB, GitHub)
Exploit Ease: Exploits are available

Here is the list of publicly known exploits and PoCs for verifying the vulnerability covered by the Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674) (Deprecated) plugin:

  1. Exploit-DB: exploits/windows/local/49062.txt
    [EDB-49062: Microsoft Internet Explorer 11 - Use-After-Free]
  2. Exploit-DB: exploits/windows/local/49541.html
    [EDB-49541: Microsoft Internet Explorer 11 32-bit - Use-After-Free]
  3. Exploit-DB: exploits/windows_x86-64/local/49863.js
    [EDB-49863: Microsoft Internet Explorer 11 and WPAD service 'Jscript.dll' - Use-After-Free]
  4. Exploit-DB: exploits/windows_x86-64/local/49864.js
    [EDB-49864: Firefox 72 IonMonkey - JIT Type Confusion]
  5. GitHub: https://github.com/Ken-Abruzzi/CVE-2020-0674
    [CVE-2020-0674]
  6. GitHub: https://github.com/Mr-xn/Penetration_Testing_POC
    [CVE-2020-0674]
  7. GitHub: https://github.com/Neko-chanQwQ/CVE-2020-0674-PoC
    [CVE-2020-0674: Just some small things I made myself]
  8. GitHub: https://github.com/forrest-orr/DoubleStar
    [CVE-2020-0674]
  9. GitHub: https://github.com/maxpl0it/CVE-2019-17026-Exploit
    [CVE-2020-0674]
  10. GitHub: https://github.com/wugedz/CVEs
    [CVE-2020-0674]
  11. GitHub: https://github.com/yukiNeko114514/CVE-2020-0674-PoC
    [CVE-2020-0674: Just some small things I made myself]
  12. GitHub: https://github.com/binaryfigments/CVE-2020-0674
    [CVE-2020-0674: Info about CVE-2020-0674]
  13. GitHub: https://github.com/maxpl0it/CVE-2020-0674-Exploit
    [CVE-2020-0674: This is an exploit for CVE-2020-0674 that runs on the x64 version of IE 8, 9, 10, ...]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS Score Source: CVE-2020-0674
CVSS V2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
CVSS Base Score: 7.6 (High)
Impact Subscore: 10.0
Exploitability Subscore: 4.9
CVSS Temporal Score: 6.6 (Medium)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 6.6 (Medium)
CVSS V3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
CVSS Base Score: 7.5 (High)
Impact Subscore: 5.9
Exploitability Subscore: 1.6
CVSS Temporal Score: 7.2 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 7.2 (High)

Plugin Source


This is the source code of the smb_internet_explorer_cve_2020_0674.nasl Nessus plugin. This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.

#
# (C) Tenable Network Security, Inc.
#
# @DEPRECATED@
#
# Disabled on 13/02/2020 Deprecated by smb_nt_ms20_feb_internet_explorer.nasl
#
# The descriptive text and package checks in this plugin were  
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#
include('compat.inc');

if (description)
{
  script_id(133147);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/11/30");

  script_cve_id("CVE-2020-0674");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");

  script_name(english:"Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674) (Deprecated)");
  script_summary(english:"Checks the Internet Explorer version and the file permissions of jscript.dll");

  script_set_attribute(attribute:"synopsis", value:
"This plugin has been deprecated.");
  script_set_attribute(attribute:"description", value:
"This plugin was a workaround for unpatched vulnerability CVE-2020-0674 which was patched in the Feb 2020 rollups.
The plugin smb_nt_ms20_feb_internet_explorer.nasl (plugin ID 133619) includes the check for the new patch for this 
vulnerability.");
  # https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0ef3f446");
  script_set_attribute(attribute:"solution", value:
"n/a");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-0674");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/01/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:ie");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated", "SMB/IE/Version");
  script_require_ports(139, 445);

  exit(0);
}
exit(0, "This plugin has been deprecated. Use smb_nt_ms20_feb_internet_explorer.nasl (plugin ID 133619) instead.");

include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
include('smb_func.inc');
include('smb_hotfixes_fcheck.inc');
include('smb_hotfixes.inc');

##
# Gets the DACL of the given file
#
# @anonparam fh handle of the file to obtain the DACL for
#
# @return DACL associated with 'fh'
# Taken from smb_insecure_service_permissions.nasl
##
function _get_dacl()
{
  local_var fh, sd, dacl;
  fh = _FCT_ANON_ARGS[0];

  sd = GetSecurityInfo(handle:fh, level:DACL_SECURITY_INFORMATION);
  if (isnull(sd))
    return NULL;

  dacl = sd[3];
  if (isnull(dacl))
    return NULL;

  dacl = parse_pdacl(blob:dacl);
  if (isnull(dacl))
    return NULL;

  return dacl;
}

##
# Checks if any user has access to jscript.dll
# Returns TRUE if yes, which indicates incomplete mitigation.
##
function _insecure_file_perms()
{
  local_var arch, path, perm_to_check, allowed, fh, dacl, ace, rights, type, sid, groups;
  local_var sysroot, path32, path64, paths, full_path, files;

  arch = get_kb_item('SMB/ARCH');
  sysroot = hotfix_get_systemroot();
  path32 = '\\System32\\jscript.dll';
  path64 = '\\SysWOW64\\jscript.dll';
  files = make_array();

  # default to checking both, since not finding syswow64 is
  # functionally the same as not having access here. 
  if(isnull(arch) || arch == 'x64')
    paths = [path32, path64];
  else paths = [path32];

  foreach path (paths)
  {
    allowed = make_array();
    full_path = sysroot + path;
    path =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:full_path);
    perm_to_check = FILE_READ_DATA;

    if (isnull(path)) continue;

    fh = CreateFile(
      file:path,
      desired_access:STANDARD_RIGHTS_READ,
      file_attributes:FILE_ATTRIBUTE_NORMAL,
      share_mode:FILE_SHARE_READ,
      create_disposition:OPEN_EXISTING
    );
    if (isnull(fh)) continue;

    dacl = _get_dacl(fh);
    CloseFile(handle:fh);
    if (isnull(dacl)) continue;

    foreach ace (dacl)
    {
      ace = parse_dacl(blob:ace);
      if (isnull(ace)) continue;

      rights = ace[0];
      type = ace[3];
      sid = sid2string(sid:ace[1]);
      if (isnull(sid)) continue;
      if (
        type == ACCESS_ALLOWED_ACE_TYPE && rights & perm_to_check == perm_to_check &&
        (sid == '1-1-0' ||     # Everyone
        sid == '1-5-32-545' || # Users
        sid == '1-5-11')       # Authenticated Users
        )
        {
          allowed[sid] = TRUE;
        }
      else if (
        type == ACCESS_DENIED_ACE_TYPE && rights & perm_to_check == perm_to_check &&
        (sid == '1-1-0' ||      # Everyone
         sid == '1-5-32-545' || # Users
         sid == '1-5-11')       # Authenticated Users
        )
        {
          allowed[sid] = FALSE;
        }
    }
    # Owner of the file can see result for EVERYONE group when scanning
    # and only when the mitigation is active (i.e. EVERYONE = FALSE)
    # Other admins can't necessarily see that (even when mitigation active)
    # so we could be vuln if 1-1-0 isnull && 1-5-32-545 is allowed
    if(isnull(allowed['1-1-0']) && maxlen(allowed)>0)
    {
      files[full_path] = TRUE;
    }
    else if(allowed['1-1-0']==TRUE)
      files[full_path] = TRUE;
  }
  
  if(maxlen(files)>0)
    return files;
  return NULL;
}

get_kb_item_or_exit('SMB/Registry/Enumerated');
version = get_kb_item_or_exit('SMB/IE/Version');

#Checking IE Version
if (version !~ "^(9|10|11)\.")
    audit(AUDIT_HOST_NOT, 'affected');

#Login & access share to system
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();
port    =  kb_smb_transport();

if(! smb_session_init(report_access_trouble:FALSE)) audit(AUDIT_FN_FAIL, 'smb_session_init');

report = NULL;
share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

ret = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (isnull(ret) || ret == -1 || ret == 0)
{
    NetUseDel();
    audit(AUDIT_MISSING_CREDENTIALS, 'valid');
}

#Check if we have access to any file in system32
root = hotfix_get_systemroot();
kernel_path = root + '\\system32\\kernel32.dll';
kernel_path =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:kernel_path);
fh = CreateFile(
    file:kernel_path,
    desired_access:STANDARD_RIGHTS_READ,
    file_attributes:FILE_ATTRIBUTE_NORMAL,
    share_mode:FILE_SHARE_READ,
    create_disposition:OPEN_EXISTING
  ); 

if (isnull(fh))
{
  NetUseDel();
  audit(AUDIT_FN_FAIL, 'insecure_file_perms', 'No access granted for system32.');
}

#Check if anyone has read access to the files
files = _insecure_file_perms();

if (!empty_or_null(files))
{
    report = 'Access to the following files is permitted for a user or group on the system:\n\n';
    report += '  Internet Explorer Version: ' + version + '\n';
    foreach file (keys(files)){
      report += '  '+file+'\n';
    }
    report += '\nThis configuration indicates that Internet Explorer is vulnerable to CVE-2020-0674.\n';
    report += 'Refer to Microsoft advisory ADV200001 for more information and mitigation steps.\n';
}

NetUseDel();

if (isnull(report))
  audit(AUDIT_HOST_NOT, 'affected');

security_hole(port:port, extra:report);
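The following is an added PowerShell example, not part of the plugin or of Tenable's code, that reproduces the `_insecure_file_perms()` check locally on the Windows host instead of over SMB: it reads the DACL of jscript.dll in System32 (and SysWOW64 on x64) and reports whether Everyone, Users or Authenticated Users can still read the file, i.e. whether the ADV200001 access restriction is absent. The function and property names are my own, and it assumes Windows PowerShell 5.1 or later with the built-in Get-Acl cmdlet.

```powershell
# Added example (not the plugin's or Tenable's code): local equivalent of the
# deprecated plugin's _insecure_file_perms() logic. Names are my own choice.
function Test-JscriptMitigation {
    $sysroot = $env:SystemRoot
    $paths = @("$sysroot\System32\jscript.dll")
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "$sysroot\SysWOW64\jscript.dll"   # same two paths as the plugin
    }
    # Well-known SIDs the plugin inspects (the plugin omits the "S-" prefix).
    $watched = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-32-545' = 'Users'
        'S-1-5-11'     = 'Authenticated Users'
    }
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData  # FILE_READ_DATA
    foreach ($path in $paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $allowed = @{}
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # unresolvable identity: skip it, as the plugin does
            if (-not $watched.ContainsKey($sid)) { continue }
            # Generic rights (e.g. GENERIC_ALL) do not carry the ReadData bit, so an
            # ACE expressed only in generic rights is not counted here.
            if (($ace.FileSystemRights -band $readData) -ne $readData) { continue }
            if ($ace.AccessControlType -eq 'Deny') {
                $allowed[$sid] = $false          # an explicit Deny for the SID wins
            } elseif (-not $allowed.ContainsKey($sid)) {
                $allowed[$sid] = $true
            }
        }
        # Plugin rule: flagged when Everyone is allowed, or when Everyone has no ACE
        # at all but one of the other watched groups does (the default state).
        $everyone = $allowed['S-1-1-0']
        $readable = ($everyone -eq $true) -or ($null -eq $everyone -and $allowed.Count -gt 0)
        [pscustomobject]@{
            Path               = $path
            EveryoneDenied     = ($everyone -eq $false)
            ReadableByStdUsers = $readable
            MitigationApplied  = -not $readable
        }
    }
}
Test-JscriptMitigation | Format-Table -AutoSize
```

Run it in an elevated or standard session on the scanned host; a row with MitigationApplied = False corresponds to a path the plugin would have listed in its report.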

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/smb_internet_explorer_cve_2020_0674.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\smb_internet_explorer_cve_2020_0674.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/smb_internet_explorer_cve_2020_0674.nasl

How to Run


Here is how to run the Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674) (Deprecated) plugin as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. In the top right corner, click Disable All plugins.
  5. In the left-hand table, select the Windows plugin family.
  6. On the right side table select Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674) (Deprecated) plugin ID 133147.
  7. Specify the target on the Settings tab and click Save to save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl smb_internet_explorer_cve_2020_0674.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a smb_internet_explorer_cve_2020_0674.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - smb_internet_explorer_cve_2020_0674.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins against the same target):

/opt/nessus/bin/nasl -K /tmp/state smb_internet_explorer_cve_2020_0674.nasl -t <IP/HOST>

References


See also: Similar and related Nessus plugins:
  • 133608 - KB4532691: Windows 10 Version 1809 and Windows Server 2019 February 2020 Security Update
  • 133609 - KB4532693: Windows 10 Version 1903 and Windows 10 Version 1909 February 2020 Security Update
  • 133610 - KB4537762: Windows 10 Version 1803 February 2020 Security Update
  • 133611 - KB4537764: Windows 10 Version 1607 and Windows Server 2016 February 2020 Security Update
  • 133612 - KB4537776: Windows 10 February 2020 Security Update
  • 133613 - KB4537789: Windows 10 Version 1709 February 2020 Security Update
  • 134863 - KB4537822: Windows Server 2008 February 2020 Security Update
  • 133614 - KB4537794: Windows Server 2012 February 2020 Security Update
  • 134864 - KB4537813: Windows 7 and Windows Server 2008 R2 February 2020 Security Update
  • 133615 - KB4537803: Windows 8.1 and Windows Server 2012 R2 February 2020 Security Update
  • 133619 - Security Updates for Internet Explorer (February 2020)
  • 109730 - 7-Zip < 18.05 Memory Corruption Arbitrary Code Execution
  • 59785 - ACDSee Pro < 5.2 Multiple Memory Corruption Vulnerabilities
  • 52671 - Adobe Acrobat 9.x / 10.x Unspecified Memory Corruption (APSB11-06)
  • 57042 - Adobe Acrobat < 9.4.7 Multiple Memory Corruption Vulnerabilities (APSB11-30)
  • 52755 - Adobe AIR < 2.6 Unspecified Memory Corruption (APSB11-05)
  • 59179 - Adobe Illustrator CS5 / CS5.5 Multiple Memory Corruption Vulnerabilities (APSB12-10)
  • 55815 - Adobe Photoshop CS5 GIF File Memory Corruption (APSB11-22)
  • 52672 - Adobe Reader 9.x / 10.x Unspecified Memory Corruption (APSB11-06)
  • 57043 - Adobe Reader < 9.4.7 Multiple Memory Corruption Vulnerabilities (APSB11-30)
  • 52673 - Flash Player < 10.2.153.1 Unspecified Memory Corruption (APSB11-05)
  • 70923 - Google Chrome < 31.0.1650.57 Multiple Memory Corruptions
  • 76766 - IBM General Parallel File System OpenSSH Memory Corruption
  • 72721 - ImageMagick < 6.8.7-6 WritePSDImage PSD Handling Memory Corruption
  • 100300 - Apple iTunes < 12.6.1 WebKit Memory Corruption RCE (credentialed check)
  • 59180 - LibreOffice < 3.5.3 Multiple Memory Corruption Vulnerabilities
  • 40663 - Pidgin < 2.5.9 'msn_slplink_process_msg()' Memory Corruption
  • 31418 - RealPlayer ActiveX (rmoc3260.dll) Console Property Memory Corruption Arbitrary Code Execution
  • 54990 - Tom Sawyer Software GET Extension Factory COM Object Instantiation Memory Corruption
  • 103968 - Trend Micro OfficeScan cgiShowClientAdm Remote Memory Corruption
  • 72985 - Oracle VM VirtualBox < 3.2.22 / 4.0.24 / 4.1.32 / 4.2.24 / 4.3.8 Multiple Memory Corruption

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file smb_internet_explorer_cve_2020_0674.nasl version 1.7. For more plugins, visit the Nessus Plugin Library.
