[THIN] [Fwd: iDEFENSE Security Advisory 03.19.03: Heap Overflow in WindowsScript Engine (fwd)]

  • From: George Yobst <george2@xxxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Wed, 19 Mar 2003 16:57:33 -0800

It'd be helpful if I added the actual message  ;-)

---------- Forwarded message ----------
Date: Wed, 19 Mar 2003 18:57:46 -0500
From: iDEFENSE Labs <labs@xxxxxxxxxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: iDEFENSE Security Advisory 03.19.03: Heap Overflow in Windows Script Engine


iDEFENSE Security Advisory 03.19.03:
Heap Overflow in Windows Script Engine
March 19, 2003


Microsoft Corp.'s Windows Script Engine within the Windows operating
system (OS) interprets and executes script code written in scripting
languages such as VBscript and JScript. Such script code can be used to
add functionality to web pages, or to automate tasks within the OS or a
program. Script code can be written in several different scripting
languages, such as Visual Basic Script, JScript or JavaScript.


By passing malicious JavaScript via Internet Explorer (IE), Outlook or
Outlook Express, remote attackers can exploit an integer overflow within
the Windows Script Engine causing a corruption of the heap thereby
allowing for arbitrary code execution. Specifically, the vulnerability
lies in the Windows Script Engine's implementation of JScript that is
provided by jscript.dll (located in %SystemRoot%\system32). The following
snippet of JavaScript code demonstrates the existence of the vulnerability
by crashing IE on a vulnerable Windows system:

     var trigger = [];
     i = 1;
     // fill indexes 1..10000 so the array has real elements to sort
     do {trigger[i] = 1;} while(i++ < 10000);
     // setting this index makes MaxElementIndex 0x3FFFFFFF (see below)
     trigger[0x3FFFFFFF] = 1;
     // sorting with a comparator function enters JsArrayFunctionHeapSort
     trigger.sort(new Function("return 1"));

The internal affected function, JsArrayFunctionHeapSort, creates two
arrays on the heap - one of size 4 * (MaxElementIndex + 1) and one of size
20 * (MaxElementIndex + 1). In the above example, MaxElementIndex is
0x3FFFFFFF. When it is incremented and multiplied by four, an integer
overflow occurs, thereby causing the application to allocate memory for an
array of size 0. Indexes within the trigger array can then be used to
overwrite segments of the second array that are filled with a structure
for each element being sorted. Arbitrary code execution is possible by
overwriting the heap control blocks to replace the stored address of
soon-to-be-called functions with the address of shellcode that is stored
in memory.


Exploitation requires an attacker first create a malicious JavaScript
snippet containing shellcode. Once accomplished, any of a number of attack
vectors are possible. Some include social engineering a user into browsing
to a malicious web page, sending a malicious HTML-enabled e-mail to the
target user, redirecting the user to the malicious script by leveraging
numerous cross-site scripting (XSS) vulnerabilities that are in existence,
or exploiting the browser directly using an XSS attack with embedded
JavaScript.  iDEFENSE has verified these issues with working exploit code.

This is a serious issue because, given working exploit code under the
above scenarios, an attacker can cause any command to execute under the
privileges of the targeted user. The problem is further magnified when
taking into consideration the countless number of applications that
utilize the IE browsing engine, such as Outlook and Outlook Express.


iDEFENSE has confirmed the existence of the above-described vulnerability
in the following Windows environments:

     * Microsoft Windows 98
     * Microsoft Windows 98 Second Edition
     * Microsoft Windows Me
     * Microsoft Windows NT 4.0
     * Microsoft Windows NT 4.0 Terminal Server Edition
     * Microsoft Windows 2000
     * Microsoft Windows XP

with Jscript.dll versions:



Disable active scripting if it is not necessary for day-to-day operations
using the following steps:

1. In IE, click on Tools and select Internet Options from the drop-down
2. Click the Security tab and the Custom Level button.
3. Under Scripting, then Active Scripting, click the Disable radio button.

In the HTML-enabled e-mail scenario, if the user were using Outlook
Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98
or 2000 in conjunction with the Outlook Email Security Update, then an
attack could not be automated and the user would still need to click on a
URL sent in the e-mail. As such, Outlook 98 and 2000 users should install
the update, which is available at
http://office.microsoft.com/Downloads/2000/Out2ksec.aspx .


Microsoft has patched this vulnerability, upgrading jscript.dll to version Various incarnations of the fix are available from
http://www.microsoft.com/technet/security/bulletin/MS03-008.asp .


The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2003-0010 to this issue.


07/07/2002      Microsoft initially notified
12/07/2002      Issue disclosed to iDEFENSE
01/09/2003      iDEFENSE notification sent to Microsoft (secure@xxxxxxxxxxxxx)
01/10/2003      Response received from secure@xxxxxxxxxxxxx
01/10/2003      iDEFENSE clients notified
01/11/2003 to 03/18/2003        No less than eight e-mails requesting status reports on patch status
03/19/2003      Public disclosure


Roland Postle (mail@xxxxxxxxxxxx) discovered this vulnerability.

Get paid for security research

Subscribe to iDEFENSE Advisories:
send email to listserv@xxxxxxxxxxxx, subject line: "subscribe"


iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world - from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .



George Yobst, Library Technology Analyst        phone: 503.723.4890
Library Information Network of Clackamas County   fax: 503.794.8238
16239 SE McLoughlin Blvd, Suite 208         web: http://www.lincc.lib.or.us
Oak Grove, OR 97267-4654                  email: george@xxxxxxxxxxxxxxx
"...it is impossible for anyone to begin to learn
  what he thinks he already knows."  - Epictetus
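The size calculation the advisory attributes to JsArrayFunctionHeapSort (4 * (MaxElementIndex + 1) and 20 * (MaxElementIndex + 1), computed in 32 bits) is worth seeing next to the check that would have stopped it. The following is an added illustration, not iDEFENSE's or Microsoft's code; the function names are hypothetical, and it assumes the product was formed in a 32-bit unsigned register, as the advisory's description implies.

```c
#include <stdint.h>
#include <stdio.h>

/* Mirrors the arithmetic described in the advisory: bytes = elem_size *
 * (max_index + 1) in 32-bit unsigned arithmetic, so the product wraps
 * silently and the heap allocation ends up far too small (here, zero). */
uint32_t wrapped_alloc_size(uint32_t elem_size, uint32_t max_index)
{
    uint32_t count = max_index + 1u;   /* 0x3FFFFFFF + 1 = 0x40000000 */
    return elem_size * count;          /* 4 * 0x40000000 wraps to 0 */
}

/* Hardened form: do the multiplication in 64 bits and refuse any request
 * that does not fit the 32-bit size the allocator will receive.
 * Returns the byte count, or -1 when the request must be rejected. */
int64_t checked_alloc_size(uint32_t elem_size, uint32_t max_index)
{
    if (max_index == UINT32_MAX)       /* max_index + 1 itself would wrap */
        return -1;
    uint64_t bytes = (uint64_t)elem_size * ((uint64_t)max_index + 1u);
    if (bytes > UINT32_MAX)            /* would wrap in the 32-bit size */
        return -1;
    return (int64_t)bytes;
}

/* Models the sort routine's set-up: both buffers (4-byte and 20-byte
 * elements, as the advisory states) must be sizable without wrap,
 * otherwise the sort request is rejected before anything is allocated. */
int sort_request_ok(uint32_t max_index)
{
    return checked_alloc_size(4u, max_index) >= 0 &&
           checked_alloc_size(20u, max_index) >= 0;
}

int main(void)
{
    uint32_t trigger_index = 0x3FFFFFFFu;   /* index used in the PoC above */
    printf("wrapped sizes for 0x3FFFFFFF: %u and %u bytes\n",
           wrapped_alloc_size(4u, trigger_index),
           wrapped_alloc_size(20u, trigger_index));
    printf("max_index 10000: %s\n",
           sort_request_ok(10000u) ? "accepted" : "rejected");
    printf("max_index 0x3FFFFFFF: %s\n",
           sort_request_ok(trigger_index) ? "accepted" : "rejected");
    return 0;
}
```

The same check generalises to any allocation whose size is element_size * count: compute in a wider type or compare count against SIZE_MAX / element_size before multiplying.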
