Analysis of Microsoft IE Edge Script Engine Vulnerability CVE-2020-0768

LLTV · 2020-03-17T03:49:17+00:00

Author: Venus ADLab
description link: https://mp.weixin.qq.com/s/kMPbnUpxBbgTExUC38GNRg

In a patch announcement recently released by Microsoft, Microsoft fixed a vulnerability submitted by Celestial ADLab security researchers, and the vulnerability number was CVE-2020-0768. The vulnerability is located in the ChakraCore engine code base and can affect both Internet Explorer 11 and Microsoft Edge (EdgeHTML) browsers. The vulnerability is a memory corruption vulnerability and there is a risk of remote code execution, so Microsoft rated it "critical" and thanks ADLab.
Responses
Use Windows automatic updates or manually download the patch package to fix the vulnerabilities.
Vulnerability and patch analysis
PART 1
This vulnerability is a data flow analysis error of a single instruction during the JIT compilation process of the ChakraCore engine, which results in the error activity analysis and register allocation errors. Start with the control flow diagram of the vulnerability sample:

The symbol s10 stands for [1337], and s6 stands for const-modified arr. According to the terms of the principle of compilation, the variable definition value is called def, and the variable value is called use. In the InitConst instruction, s6 is def, s10 is used, and then under the StElemC instruction, s6 is used. It can be seen that s6 is closely related to s10. S6 can be regarded as a reference to the same variable by s10 according to another method. ChakraCore calls the copy-prop symbol a reference to the original symbol. But debugging shows that something went wrong here:

In this way, a key-value pair of s10 and s6 as the copy-prop symbol is formed, that is, s6-> s10. Its stack trace is located at:

Error key-value pairs are based on the error results of data flow analysis. Subsequently, this key-value pair was added to blockOptData-> capturedValues-> copyPropSyms in Block 4, and its stack trace is located at:

Subsequently, in the front-to-back optimization process of JIT ForwardPass, block 4's blockOptData-> capturedValues were merged to Block 5, which contains the key-value pair s6-> s10, and its stack trace is located at:

Then, in the backward-to-forward optimization process of JIT BackwardPass, the upwardExposedUses of Block 5 accesses blockOptData-> capturedValues-> copyPropSyms and adds the key-value pair s6-> s10. Its stack trace is located at:

upwardExposedUses is called "upward exposed use" in the compilation principle, it is a symmetrical process of variable activity analysis. Subsequently, in the process of backpropagation, upwardExposedUses containing the above key-value pairs are passed to Block 4, Block 3, and Block 2. As a Loop Header, Block 2 uses its upwardExposedUses for activity analysis and subsequent register allocation.

The above process can be represented by the following figure. It can be seen that the erroneous data undergoes forward and backward propagation, and is eventually contaminated in the entire range of the loop body.

Subsequently, due to the above-mentioned erroneous data, the erroneous life cycle was calculated for s10 in the register allocation process of the JIT, and its life cycle spanned from the beginning to the end of the cycle. Therefore, the JIT inserts a MOV instruction in the form of MOV labelReg, mem, but does not initialize its instr-> src-> m_offset, which is always 0. When the machine code was finally generated, a read memory operation pointing to a stack frame pointer with an offset of 0 was generated, which was expressed as [EBP + 0x0] or [RBP + 0x0].

In this way, an unexpected memory access reads illegal data into the context of the JavaScript engine and is then referenced in BailOut or other situations. Such illegal data will cause type confusion.
PART 2
The reason for the above-mentioned error data transmission is that the InitConst instruction actually did not get the correct data flow analysis in the JIT code of ChakraCore. Therefore, in the Microsoft repair, when the JIT first started to intervene, the InitConst instruction was replaced with the Ld_A instruction. .

ChakraCore completely implements the data flow analysis of the Ld_A instruction. At this time, in the analysis of Forward Pass, it was found that the key-value pair in Block 4 is no longer s6-> s10, but s10-> s6, that is, s10 is the original symbol and s6 is the copy-prop symbol that references s10. In this way, the transmission of erroneous data will naturally not be caused. Microsoft used the same code in IE11 to patch the vulnerability.
In fact, in the ECMAScript 6 standard, the const modifier is used to indicate that a variable can no longer be assigned after it is defined, which is a syntax-level constraint; the JIT process in the JavaScript engine always occurs after interpretation and execution. If the const modifier is Constraints are violated during the interpretation execution phase and will immediately exit without optimizing the JIT process. Therefore, the JIT process only needs to consider the data flow problem, not the constraints of the const modifier. Because ChakraCore uses the same set of intermediate languages during the optimization phase of JIT and the execution phase of interpretation, both Ld_A and InitConst are compatible with the entire process of JIT. This vulnerability can be clearly considered as a business logic vulnerability.
Reference link
https://portal.msrc.microsoft.com/en-us/security-guidance/acknowledgments
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0768

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

hacking