On January 12, 2021, Google Project Zero published a six-part report on hacking operation targeted for Windows and Android devices. Exploit servers in the hacking operation contained 4 Google chrome vulnerabilities, 2 sandbox escape exploits and publicly known privilege escalation n-day exploits. Of these, 4 were still zero-day at the time of its discovery.
Following are the Zero-days discovered in these series:
- CVE-2020-6418 – Chrome Vulnerability in TurboFan
- CVE-2020-0938 – Font Vulnerability on Windows
- CVE-2020-1020 – Font Vulnerability on Windows
- CVE-2020-1027 – Windows CSRSS Vulnerability
These vulnerabilities are fixed by their vendors.
As per the report, these attacks were carried out via watering hole attacks using two different exploit servers. One is Android and the other is Windows server, and both used Chrome vulnerabilities to gain the initial foothold on the victims’ devices. Researchers said,
“They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks,”
Technical Details
- CVE-2020-6418
Type confusion in V8 in Google Chrome’s open-source JavaScript and WebAssembly engine, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.Researchers explained in Exploit report of CVE-2020-6418 ,
“The changed function, NodeProperties::InferReceiverMapsUnsafe is called through the MapInference::MapInference constructor. It is used to walk the effect chain of the compiled function backward from the use of an object as a receiver for a function call and find the set of possible maps that the object can have. In the case of the JSCreate node indicated in the vulnerability, if it creates the receiver the compiler tries to infer the possible maps for, the initial map of the created object is returned. However, if the JSCreate is for a different object than the receiver, it is assumed that it cannot change the map of the receiver. The vulnerability results from this oversight, as JSCreate accesses the prototype of the new target, which can be intercepted by a Proxy. This can cause arbitrary user JS code to execute”
Potential attackers can try and couple this bug with sandbox escape; however, researchers shared the exploit without any sandbox escape vulnerability.
2. CVE-2020-0938
A remote code execution vulnerability in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially crafted multi-master font – Adobe Type 1 PostScript format. This issue found in /VToHOrigin PostScript object.The Windows GDI interface supports an old format of fonts called Type 1, and the parsing of these fonts takes place in the kernel driver called atmfd.dll, which is accessible through win32k.sys graphical syscall. Researchers also shared the technical details of CVE-2020-0938.
3. CVE-2020-1020
A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially crafted multi-master font – Adobe Type 1 PostScript format, issue found in the processing of the /BlendDesignPositions object. Researchers shared the deep analysis on CVE-2020-1020.
4. CVE-2020-1027
An elevation of privilege vulnerability discovered in the side-by-side assembly component of CSRSS, the way that the Windows Kernel handles objects in memory. The affected function sxssrv!BaseSrvSxsCreateActivationContext parses an XML manifest into a binary data structure called an activation context. By default, the function is accessible from any Windows process through ALPC.
Apart from these zero-days, researchers have shared multiple Chrome Exploits and Android Exploits used by the attackers.
Overall, Google described the exploit series as “designed for efficiency & flexibility through their modularity.”
As a part of these exploit series, Google posted root cause analysis of the 4 zero-day vulnerabilities.
Detailed exploit series reports are:
- Introduction
- Chrome: Infinity Bug
- Chrome Exploits
- Android Exploits
- Android Post-Exploitation
- Windows Exploits
Detection
Qualys customers can scan their network with QID 372408, 91622, and 91617 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on latest vulnerabilities.
References and Sources
https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html
https://googleprojectzero.blogspot.com/p/rca-cve-2020-1027.html
https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-infinity-bug.html
https://googleprojectzero.blogspot.com/2021/01/in-wild-series-chrome-exploits.html
https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-exploits.html
https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-post-exploitation.html
https://www.zdnet.com/article/google-reveals-sophisticated-windows-android-hacking-operation/