A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer, and then convince a user to view the website, for example, by sending an e-mail.
The security update fixes the vulnerability by modifying how the scripting engine handles objects in memory.
The official patch
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367
Restrict access to JScript.dll
For 32-bit systems, enter the following command at an administrative command prompt:
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N
For 64-bit systems, enter the following command at an administrative command prompt:
takeown /f %windir%\syswow64\jscript.dll
cacls %windir%\syswow64\jscript.dll /E /P everyone:N
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N
How to undo the workaround
For 32-bit systems, enter the following command at an administrative command prompt:
cacls %windir%\system32\jscript.dll /E /R everyone
For 64-bit systems, enter the following command at an administrative command prompt:
cacls %windir%\system32\jscript.dll /E /R everyone
cacls %windir%\syswow64\jscript.dll /E /R everyone
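A read-only check of whether the workaround above is currently applied or has been undone, added here as an example (it is not part of the original page or of Microsoft's advisory). The function name Get-JScriptAclState is hypothetical, and the script assumes that everyone:N appears in the ACL as a Deny entry for the Everyone SID S-1-1-0.

```powershell
# Added example: report whether the jscript.dll ACL workaround is in place.
# Assumption: "cacls ... /E /P everyone:N" shows up as a Deny entry for
# Everyone (SID S-1-1-0); "cacls ... /E /R everyone" removes that entry.
$sidType = [System.Security.Principal.SecurityIdentifier]

function Get-JScriptAclState {
    param([Parameter(Mandatory = $true)][string]$Path)

    $state = [pscustomobject]@{
        Path = $Path; Owner = $null; EveryoneDenied = $null; Note = ''
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        $state.Note = 'file not found'
        return $state
    }
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # A deny-all entry can also stop non-owners from reading the ACL.
        $state.Note = "could not read ACL: $($_.Exception.Message)"
        return $state
    }
    # Request SIDs instead of names so the match is locale-independent.
    $deny = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-1-0' -and
        $_.AccessControlType -eq 'Deny'
    })
    $state.Owner = $acl.Owner
    $state.EveryoneDenied = ($deny.Count -gt 0)
    $state.Note = ($deny | ForEach-Object { $_.FileSystemRights }) -join ', '
    return $state
}

# system32 exists on every system; syswow64 only on 64-bit Windows.
$paths = @("$env:windir\system32\jscript.dll")
if ([Environment]::Is64BitOperatingSystem) {
    $paths += "$env:windir\syswow64\jscript.dll"
    if (-not [Environment]::Is64BitProcess) {
        # In a 32-bit process, system32 is redirected to syswow64.
        Write-Warning 'Run this from 64-bit PowerShell to check the real system32 copy.'
    }
}
$paths | ForEach-Object { Get-JScriptAclState -Path $_ } | Format-Table -AutoSize
```

The Owner column also shows whether takeown moved ownership away from the original owner, which the undo commands on this page do not revert.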
Related learning: using Takeown, Cacls, and Icacls to take ownership of files and folders and to change their permissions
takeown
TAKEOWN [/S system [/U username [/P [password]]]]
/F filename [/A] [/R [/D prompt]]
Description:
This tool allows an administrator to recover access to a file that
was denied by re-assigning file ownership.
Examples:
takeown /f filename
Takes ownership of the file.
takeown /f foldername /r /d n
Takes ownership of the folder and of all files and subdirectories below it.
takeown /f * /a /r /d y
Forces the owner of all files and folders in the current directory, including subfolders, to be changed to the Administrators group.
Cacls
NOTE: Cacls is now deprecated, please use Icacls (on Windows 10).
Displays or modifies access control lists (ACLs) of files
cacls d:\file1\*.* /T /G administrators:F
Changes the NTFS permissions of all files and subfolders under d:\file1 so that only the Administrators group has Full Control (the originally configured NTFS permissions are deleted).
cacls d:\file1\*.* /T /E /G administrators:F
Adds Full Control for the Administrators group to the NTFS permissions of all files and subfolders under d:\file1 (the existing NTFS permissions are not deleted).
Icacls
Can be understood as the replacement for Cacls.
icacls c:\windows\* /save AclFile /T
Saves the ACLs of all files under c:\windows and its subdirectories to AclFile.
icacls c:\windows\ /restore AclFile
Restores the ACLs for every file listed in AclFile that exists under c:\windows and its subdirectories.
icacls file /grant Administrator:(D,WDAC)
Grants the user Administrator Delete and Write DAC permissions on the file.
icacls file /grant *S-1-1-0:(D,WDAC)
Grants the user identified by SID S-1-1-0 Delete and Write DAC permissions on the file.