CVE-2019-13720
published 2019-11-25

CVE-2019-13720: Use after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Priority: P189 · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-06-13
Exploited in the wild
EPSS: 72.98% (99.4th percentile)

Affected (9 ranges)

Vendor     Product        Version range                           Fixed in
chromium   chromium       >= 0, < 78.0.3904.87-1                  78.0.3904.87-1
chromium   chromium       >= 0, < 78.0.3904.87-1                  78.0.3904.87-1
chromium   chromium       >= 0, < 78.0.3904.87-1                  78.0.3904.87-1
chromium   chromium       >= 0, < 78.0.3904.87-1                  78.0.3904.87-1
debian     chromium       < chromium 78.0.3904.87-1 (bookworm)    chromium 78.0.3904.87-1 (bookworm)
google     chrome         < 78.0.3904.87                          78.0.3904.87
google     chrome         >= unspecified, < 78.0.3904.87          78.0.3904.87
google     chrome_chrome  -                                       -
opensuse   leap           -                                       -

Detection & IOCs (extracted from sources)

filename: updata.exe
filename: worst.jpg
filename: iohelper.exe
filename: msdisp64.exe
path: xxxxxxx.php
filename: .charlie.XXXXXXXX.js
snort: SID 52068
snort: SID 52069
  • For persistence, the malware installs tasks in Windows Task Scheduler; hunt for scheduled tasks created by msdisp64.exe or updata.exe.
  • The exploit uses WebAssembly (WASM) JIT pages with RWX permissions to execute shellcode; detection can look for Chrome renderer processes writing shellcode to RWX WASM pages.
  • The C2 next-stage modules are placed in folders named after victim computer names on the C2 server; hunting for outbound connections from msdisp64.exe to hardcoded C2 servers can identify infected hosts.
  • The exploit only targets Chrome versions 76.0.3809.87 and 77.0.3865.75 specifically; it includes version checks to prevent execution on other versions (including 78) to avoid crashes, so detections tied to version checks may miss future variants.
  • The exploit code is heavily obfuscated; the .charlie.XXXXXXXX.js filename pattern uses random characters (XXXXXXXX), so static filename matching alone is insufficient.
  • Attribution is uncertain; there are weak code similarities with Lazarus but these could be false flags, and the targeting profile also aligns with DarkHotel.
  • The PartitionAlloc FreeList mitigation (byteswapping freed pointers) was bypassed by the exploit; detections relying solely on heap corruption signals may not fire before exploitation completes.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd            v2.0     6.8    MEDIUM    AV:N/AC:M/Au:N/C:P/I:P/A:P
osv            -        8.8    HIGH      -
vulncheck      -        8.8    HIGH      -
cisa           -        8.8    HIGH      -
vendor_debian  -        8.8    HIGH      -
vendor_redhat  -        8.8    HIGH      -