CVE-2019-0752
published 2019-04-09

Priority: P1, 88, high
CVSS 3.1: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2022-08-15
Exploited in the wild
EPSS: 81.55% (99.6th percentile)
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-0739, CVE-2019-0753, CVE-2019-0862.

Affected

30 ranges · showing 25
Vendor | Product | Version range | Fixed in
microsoft | chakracore | < 1.11.8 | 1.11.8
microsoft | internet_explorer | |
microsoft | internet_explorer | |
microsoft | internet_explorer_10 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |
microsoft | internet_explorer_11 | |

Detection & IOCs (extracted from sources)

filename: c.js
filename: loader.jse
filename: 2.exe
registry: HKCU\Software\loaderName
sigma
1009655 – Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2019-0752)
  • The vulnerability is triggered via VBScript using DISPATCH_PROPERTYPUTREF (flag 0x8) to assign an object instance to the scrollLeft property, causing mshtml!CBase::ContextInvokeEx to invoke CElement::get_scrollLeft instead of CElement::put_scrollLeft — monitor for VBScript property-put-by-reference operations on DOM scroll properties.
  • Exploit technique allocates a 0x30000000-byte contiguous VARIANT array anchored at a predictable page-aligned address (0x28281000) to convert the write-what-where into an arbitrary read primitive — large heap allocations of this size in iexplore.exe are a strong exploit indicator.
  • Post-exploitation persistence: c.js drops an encoded JScript file (loader.jse) into the AppData hidden folder and registers it under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value name 'loaderName' — monitor for new Run key values pointing to .jse files in AppData.
  • The AutoIT downloader (2.exe) checks for the number of logical processors (>=4) as an anti-sandbox check before proceeding to download and execute malware — this is a sandbox evasion indicator to look for in AutoIT-compiled PE samples.
  • The exploit uses WinExec as the final code execution primitive by forging a COM object vtable — monitor for WinExec calls originating from mshtml.dll or iexplore.exe without shellcode (no NX bypass needed).
  • Capesand exploit kit delivered CVE-2019-0752 via a malvertising campaign using a hidden iframe on a page disguised as a blockchain blog discussion — look for hidden iframes on ad-network-served pages as a delivery vector.
  • The write-what-where primitive is constrained: the maximum DWORD value that can be written via the scrollLeft exploit is 0x001767dd. Exploit chains must account for this upper bound when constructing arbitrary memory writes.
  • The vulnerability is only reachable at IE emulation level IE=8 or lower, where DOM methods are dispatched via the IDispatchEx mechanism and the _FastInvokeTable fast path is active.
  • VBScript is required to produce the DISPATCH_PROPERTYPUTREF dispatch flag needed to trigger the type confusion; JavaScript alone cannot trigger this code path.
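
The Run-key persistence note above (a .jse file in AppData registered under HKCU\...\CurrentVersion\Run) can be turned into a telemetry check. The following is an added example, not part of the original record or any vendor rule; the event field names (event_type, target_object, details), the SID and all sample events are constructed assumptions. It generalises from the 'loaderName' value to any Run value that starts a .jse from AppData.

```python
import re

# HKCU shows up as HKU\<SID> in most registry telemetry; accept both forms.
RUN_VALUE = re.compile(
    r'^(?:HKCU|HKU\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$',
    re.IGNORECASE)
# A .jse path under AppData, written expanded or via %APPDATA% / %LOCALAPPDATA%.
JSE_IN_APPDATA = re.compile(
    r'(?:%(?:local)?appdata%|\\users\\[^\\]+\\appdata)\\[^"]*?\.jse(?=["\s]|$)',
    re.IGNORECASE)

def flag_run_key_jse(events):
    """Return (value_name, data) for Run-key writes that start a .jse in AppData."""
    hits = []
    for ev in events:
        if ev.get("event_type") != "SetValue":
            continue  # deletions and key creations carry no value data to inspect
        m = RUN_VALUE.match(ev.get("target_object", ""))
        if m and JSE_IN_APPDATA.search(ev.get("details", "")):
            hits.append((m.group("name"), ev["details"]))
    return hits

SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
RUN = "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_EVENTS = [  # constructed events, not captured telemetry
    {"event_type": "SetValue", "target_object": RUN + r"\loaderName",
     "details": r"C:\Users\alice\AppData\Roaming\hidden\loader.jse"},
    {"event_type": "SetValue", "target_object": RUN + r"\Updater",
     "details": r'wscript.exe "%APPDATA%\cache\u.JSE" //B'},
    # Benign: executable in AppData, no encoded script involved.
    {"event_type": "SetValue", "target_object": RUN + r"\OneDrive",
     "details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    # Not flagged: .jse outside AppData does not fit the pattern described.
    {"event_type": "SetValue", "target_object": RUN + r"\Logon",
     "details": r"C:\Scripts\logon.jse"},
    {"event_type": "DeleteValue", "target_object": RUN + r"\loaderName", "details": ""},
]

if __name__ == "__main__":
    for name, data in flag_run_key_jse(SAMPLE_EVENTS):
        print(f"ALERT Run value {name!r} -> {data}")
```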

CVSS provenance

nvd (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd (v2.0): 7.6 HIGH, AV:N/AC:H/Au:N/C:C/I:C/A:C
vulncheck: 7.5 HIGH
cisa: 7.5 HIGH
vendor_msrc: 6.4 MEDIUM