Very High
Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium
Add Reference
Description
URL
Type
Very High
(3 users assessed)
Low
(3 users assessed)Unknown
Unknown
Unknown
Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Description
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.
Use after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityLow
Technical Analysis
Based on the technical analysis by Kaspersky, this is a very effective exploit, and is able to leverage an info leak, heap grooming, and the malware deployed via watering-hole injection on a Korean-language news portal, establishes persistence via a dropped file on disk.
An attacker does need to leverage a few items in advance for this and any client-side attack, that is a watering hole injection or some other delivery method. Chrome’s quick patching mechanism means these vulns typically have a short shelf life, though the inability to force users to actually update is a limiting factor.
Ratings
-
Attacker ValueHigh
-
ExploitabilityLow
Technical Analysis
Judging by the Kaspersky writeup, it looks like the vulnerability exists for a relatively large number of Chrome versions. Fix was released for 78.0.3904.87, and the exploit checks the range from 65-77. Despite the seemingly difficult development and execution of this exploit, this is an important one to patch.
Technical Analysis
Reported as exploited in the wild as part of Google’s 2020 0day vulnerability spreadsheet they made available at https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786. Original tweet announcing this spreadsheet with the 2020 findings can be found at https://twitter.com/maddiestone/status/1329837665378725888
Though honestly you can just Google “WizardOpium” and find lots of articles such as https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/. This attack got a lot of news attention at the time due to its sophistication and the fact that it was used with a Windows kernel privilege elevation (see https://attackerkb.com/topics/2i67dR7P4e/cve-2019-1458 for more details on the kernel exploit), something that tends to only occur in advanced attacks due to the development effort required. Therefore its not hard to find articles discussing it being used in the wild.
General Information
References
Additional Info
Technical Analysis
Report as Exploited in the Wild
What do we mean by "exploited in the wild"?
By selecting this, you are verifying to the AttackerKB community that either you, or a reputable source (example: a security vendor or researcher), has observed an active attempt by attackers, or IOCs related, to exploit this vulnerability outside of a research environment.
A vulnerability should also be considered "exploited in the wild" if there is a publicly available PoC or exploit (example: in an exploitation framework like Metasploit).
