Kaspersky discovered a vulnerability that affects Google Chrome

Kaspersky recently discovered a new exploit that took advantage of a previously unknown flaw in Chrome. Google has confirmed that it is a zero-day vulnerability in its browser, and it has been cataloged as CVE-2019-13720.

The vulnerability was exploited through a code injection in the style of a "watering hole" attack. The name refers to a predator that, instead of hunting for prey, waits at a place it is sure the prey will come to (in this case, a watering hole where animals drink).

The attack was discovered on a Korean-language news portal whose main page had malicious JavaScript code inserted into it, which in turn loads a profiling script from a remote site.

A small JavaScript snippet placed in the index page loaded a remote script from code.jquery.cdn.behindcrown, a hostname chosen to look like the legitimate jQuery CDN.

That script then loads a second script, which checks whether the victim's system can be infected by examining the browser's user agent: the browser must be running on a 64-bit version of Windows and must not be a WOW64 process (a 32-bit browser on 64-bit Windows).

It also tries to obtain the name and version of the browser. Since the exploit targets a bug in Google Chrome, the script checks that the Chrome version is greater than or equal to 65 (the current version of Chrome at the time of writing is 78).
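The victim-selection logic described above, reconstructed as an added example (this is not the campaign's profiling script). It assumes the checks are done on the User-Agent string with the regular expressions shown; the exclusion of other Chromium-based browsers that also advertise "Chrome/" (Edge, Opera) is an assumption, since the page only says the browser name is checked. The sample user agents are constructed, not captured from the attack.

```javascript
// Added example: profiling a visitor the way the page describes
// (64-bit Windows, not WOW64, Chrome >= 65). Not the attacker's code.

const MIN_CHROME_MAJOR = 65; // threshold stated in the article

function profileUserAgent(ua) {
  const windows = /\bWindows NT \d+\.\d+\b/.test(ua);
  const win64 = /\b(Win64|x64)\b/.test(ua);     // 64-bit browser on 64-bit Windows
  const wow64 = /\bWOW64\b/.test(ua);           // 32-bit browser on 64-bit Windows
  const chrome = /\bChrome\/(\d+)\./.exec(ua);
  // Assumption: Chromium-based browsers carrying their own token are not
  // counted as Chrome (the page does not say how the name check worked).
  const otherChromium = /\b(Edg|OPR)\/\d+/.test(ua);
  return {
    windows,
    win64,
    wow64,
    chromeMajor: chrome && !otherChromium ? parseInt(chrome[1], 10) : null,
  };
}

function isTargeted(ua) {
  const p = profileUserAgent(ua);
  return (
    p.windows &&
    p.win64 &&
    !p.wow64 &&
    p.chromeMajor !== null &&
    p.chromeMajor >= MIN_CHROME_MAJOR
  );
}

// Constructed sample user agents (not from the campaign).
const SAMPLE_UAS = {
  chrome78Win64:
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36",
  chrome78Wow64:
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36",
  chrome64Win64:
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36",
  chrome78Linux:
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36",
  firefox70Win64:
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0",
  edge79Win64:
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43",
};

// Returns { name: boolean } for every sample; only chrome78Win64 is in scope.
function classifyAll() {
  return Object.fromEntries(
    Object.entries(SAMPLE_UAS).map(([name, ua]) => [name, isTargeted(ua)])
  );
}
```

The same filter is useful on the defensive side: when reviewing proxy or web-server logs of a compromised site, the visitors whose User-Agent passes `isTargeted` are the ones that would have received the next stage, which narrows the set of hosts to check.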

If the browser version passes this check, the script starts issuing a series of AJAX requests to an attacker-controlled server, where the path name corresponds to the argument passed to the script.

The first request retrieves important information for later use. This includes several hex-encoded strings that tell the script how many chunks of the actual exploit code to download from the server, as well as a URL to an image file that embeds a key for the final payload and an RC4 key to decrypt the chunks of exploit code.
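An added example of how a loader could reassemble a staged payload from hex-encoded, RC4-encrypted chunks, as the paragraph above describes. This is not the campaign's code: the layout of the first response (chunk count and RC4 key as hex strings), and the choice to decrypt the concatenated chunks as one RC4 stream, are assumptions. The sample stage-2 text and its chunks are constructed inline.

```javascript
// Added example: decoding a chunked, RC4-encrypted stage as described in the
// article. Not the attacker's code; config layout is an assumption.

function hexToBytes(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-fA-F]/.test(hex)) {
    throw new Error("invalid hex string");
  }
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) {
    out[i] = parseInt(hex.slice(2 * i, 2 * i + 2), 16);
  }
  return out;
}

function bytesToHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function asciiToBytes(s) {
  return Uint8Array.from(s, (c) => c.charCodeAt(0) & 0xff);
}

function bytesToAscii(bytes) {
  return Array.from(bytes, (b) => String.fromCharCode(b)).join("");
}

// RC4: key-scheduling (KSA), then the PRGA keystream XORed over the data.
// Encryption and decryption are the same operation.
function rc4(key, data) {
  if (key.length === 0) throw new Error("empty RC4 key");
  const S = new Uint8Array(256);
  for (let i = 0; i < 256; i++) S[i] = i;
  let j = 0;
  for (let i = 0; i < 256; i++) {
    j = (j + S[i] + key[i % key.length]) & 0xff;
    const t = S[i]; S[i] = S[j]; S[j] = t;
  }
  const out = new Uint8Array(data.length);
  let i = 0;
  j = 0;
  for (let k = 0; k < data.length; k++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    const t = S[i]; S[i] = S[j]; S[j] = t;
    out[k] = data[k] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// The first response, as the loader would receive it (assumed layout:
// hex-encoded chunk count and hex-encoded RC4 key).
function parseConfig(cfg) {
  const chunkCount = parseInt(cfg.chunkCountHex, 16);
  if (!Number.isInteger(chunkCount) || chunkCount <= 0) {
    throw new Error("bad chunk count");
  }
  return { chunkCount, rc4Key: hexToBytes(cfg.rc4KeyHex) };
}

// Concatenate the downloaded chunks in order and decrypt the whole buffer.
function reassemble(cfg, chunksHex) {
  const { chunkCount, rc4Key } = parseConfig(cfg);
  if (chunksHex.length !== chunkCount) {
    throw new Error(`expected ${chunkCount} chunks, got ${chunksHex.length}`);
  }
  const parts = chunksHex.map(hexToBytes);
  const joined = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let offset = 0;
  for (const p of parts) {
    joined.set(p, offset);
    offset += p.length;
  }
  return rc4(rc4Key, joined);
}

// Constructed sample: a fake stage 2, encrypted and split into three chunks.
const SAMPLE_KEY_HEX = bytesToHex(asciiToBytes("Key"));
const SAMPLE_STAGE2 = "var stage2 = 'constructed sample payload';";
const sampleCipher = rc4(hexToBytes(SAMPLE_KEY_HEX), asciiToBytes(SAMPLE_STAGE2));
const SAMPLE_CHUNKS = [
  bytesToHex(sampleCipher.subarray(0, 16)),
  bytesToHex(sampleCipher.subarray(16, 32)),
  bytesToHex(sampleCipher.subarray(32)),
];
const SAMPLE_CONFIG = { chunkCountHex: "03", rc4KeyHex: SAMPLE_KEY_HEX };

// Recovers SAMPLE_STAGE2 from the chunks and the config.
function demo() {
  return bytesToAscii(reassemble(SAMPLE_CONFIG, SAMPLE_CHUNKS));
}
```

For an analyst the point of having this logic separately is that the chunks and the key can be pulled from a capture and decrypted offline, without executing the loader in a browser; a mismatch between the advertised chunk count and the chunks actually retrieved is flagged rather than silently producing garbage.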

Most of the exploit code uses various classes related to a particular vulnerable browser component. Because the bug had not yet been fixed when Kaspersky wrote its analysis, it decided not to publish details about that component.

The code also contains some large numeric tables representing a shellcode block and an embedded PE image.

The exploit abused a race condition between two threads caused by the lack of proper synchronization between them. This gives the attacker a very dangerous use-after-free (UaF) condition, which can lead to code execution, and that is exactly what happens in this case.

The exploit first tries to use the UaF to leak an important 64-bit address (such as a pointer). This achieves several things:

  1.  if an address is leaked successfully, it means the exploit is working correctly
  2.  the leaked address is used to find out where the heap/stack is located, which defeats Address Space Layout Randomization (ASLR)
  3.  other pointers useful for further exploitation can be located by looking near this address.

After that, the exploit creates a large group of objects using a recursive function. This is done to produce a deterministic heap layout, which is important for reliable exploitation.

At the same time, it uses a heap-spraying technique that aims to reclaim the memory behind the pointer that was freed in the UaF step.

This trick gives the attacker the ability to operate on what appear, from JavaScript's point of view, to be two different objects that in fact occupy the same memory region (a type confusion).

Google has released a Chrome update that fixes the flaw on Windows, macOS and Linux, and users are encouraged to update to Chrome version 78.0.3904.87. Google's release notes for that version describe the bug as a use-after-free in the audio component. You can check the installed version, and trigger the update if it has not yet been applied, from chrome://settings/help.
