From VBScript to ChakraCore: Adventure with Script Engines on Windows System
===
:::info
- **Date:** Oct. 29th 19:00-19:40
- **Speaker:** Yuki_Chen
- **Category:** Technical - Main Track
> In the development of the Windows operating system, there are several major script engines: VBScript, JScript and JScript9 in Internet Explorer, and Chakra in Microsoft Edge. While the oldest engines (VBScript/JScript) are already nearly 20 years old, we can still see active in-the-wild 0day attacks in these legacy engines this year.
>
> In this presentation, I want to take these major script engines as a whole from a bug hunter's point of view. For each engine we will first have a simple introduction to the basic architecture of the engine, then discuss some typical attack surfaces in it with bugs (sometimes new bug classes) we discovered in it. We will also demo RCE in each engine by exploiting our bugs. Some of these bugs are by design, and are really difficult to fix completely; for example, since the first time we reported a certain class of VBScript bugs 4 years ago (which took Microsoft more than 6 months to release a fix), today we are still able to discover dozens of such bugs.
>
> Script engines on Windows are never alone. By reviewing all the engines in a whole picture, you can see how they relate to each other. We will show you examples such as a single bug that can be triggered in different engines, or a bug fixed in one engine but still triggerable in another engine. Script engines can also have relationships with other components such as the DOM, system apps or even third-party software, which brings us new attack scenarios. We will also introduce such new attack scenarios with real cases, including: a feature in one script engine that can cause dozens of vulnerabilities in the DOM/ActiveX/other script engines; how a script bug helps us to achieve RCE in another system app or break application sandboxes.
>
> Let's dive into this 20-year history of Windows script engines!
:::
###### tags: `CODEBLUE2019`,`CODEBLUE`