20th Mar 2003 [SBWID-6078]
COMMAND
Windows Script Engine Heap Overflow
SYSTEMS AFFECTED
iDEFENSE has confirmed the existence of the above-described
vulnerability in the following Windows environments:
* Microsoft Windows 98
* Microsoft Windows 98 Second Edition
* Microsoft Windows Me
* Microsoft Windows NT 4.0
* Microsoft Windows NT 4.0 Terminal Server Edition
* Microsoft Windows 2000
* Microsoft Windows XP
with Jscript.dll versions:
* 5.1.0.4615
* 5.5.0.6330
* 5.6.0.6626
PROBLEM
In iDEFENSE Security Advisory [03.19.03]:
http://www.idefense.com/advisory/03.19.03.txt
Discovered by Roland Postle [[email protected]],
--snip--
Microsoft Corp.'s Windows Script Engine within the Windows operating
system (OS) interprets and executes script code written in scripting
languages such as VBscript and JScript. Such script code can be used to
add functionality to web pages, or to automate tasks within the OS or a
program. Script code can be written in several different scripting
languages, such as Visual Basic Script, JScript or JavaScript.
DESCRIPTION
===========
By passing malicious JavaScript via Internet Explorer (IE), Outlook or
Outlook Express, remote attackers can exploit an integer overflow
within the Windows Script Engine causing a corruption of the heap
thereby allowing for arbitrary code execution. Specifically, the
vulnerability lies in the Windows Script Engine's implementation of
JScript that is provided by jscript.dll (located in
%SystemRoot%\system32). The following snippet of JavaScript code
demonstrates the existence of the vulnerability by crashing IE on a
vulnerable Windows system:
<script>
var trigger = [];
i = 1;
do {trigger[i] = 1;} while(i++ < 10000);
trigger[0x3FFFFFFF] = 1;
trigger.sort(new Function("return 1"));
</script>
The internal affected function, JsArrayFunctionHeapSort, creates two
arrays on the heap - one of size 4 * (MaxElementIndex + 1) and one of
size 20 * (MaxElementIndex + 1). In the above example, MaxElementIndex
is 0x3FFFFFFF. When it is incremented and multiplied by four, an
integer overflow occurs, thereby causing the application to allocate
memory for an array of size 0. Indexes within the trigger array can
then be used to overwrite segments of the second array that are filled
with a structure for each element being sorted. Arbitrary code
execution is possible by overwriting the heap control blocks to replace
the stored address of soon-to-be-called functions with the address of
shellcode that is stored in memory.
--snap--
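The size arithmetic described above, as an added example in C that is not from the advisory or from jscript.dll: the unchecked 32-bit computation the advisory describes, beside a checked form that rejects the request instead of allocating a zero-byte buffer. The 4-byte and 20-byte element sizes come from the advisory; the function names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Element sizes taken from the advisory: the sort routine allocates one array
 * of 4-byte entries and one of 20-byte entries, each sized for
 * MaxElementIndex + 1 elements. The names below are illustrative, not the
 * engine's own. */
#define SMALL_ELEM 4u
#define LARGE_ELEM 20u

/* The arithmetic the advisory describes, done in 32-bit unsigned integers as
 * a 32-bit engine would, with no overflow check at all. */
uint32_t unchecked_alloc_size(uint32_t max_index, uint32_t elem_size)
{
    uint32_t count = max_index + 1u;   /* 0x3FFFFFFF + 1 = 0x40000000 */
    return count * elem_size;          /* 0x40000000 * 4 wraps to 0 */
}

/* Hardened form: refuse any element count or byte size that does not fit in
 * 32 bits. Returns 1 and stores the size on success, 0 if either step of the
 * computation would wrap. */
int checked_alloc_size(uint32_t max_index, uint32_t elem_size, uint32_t *out)
{
    if (max_index == UINT32_MAX)            /* max_index + 1 would wrap */
        return 0;
    uint32_t count = max_index + 1u;
    if (count > UINT32_MAX / elem_size)     /* count * elem_size would wrap */
        return 0;
    *out = count * elem_size;
    return 1;
}

int main(void)
{
    uint32_t idx = 0x3FFFFFFFu, sz;   /* the index used in the advisory's snippet */
    printf("unchecked: %u bytes requested for %u-byte elements\n",
           unchecked_alloc_size(idx, SMALL_ELEM), SMALL_ELEM);
    printf("checked:   %s\n",
           checked_alloc_size(idx, SMALL_ELEM, &sz) ? "ok" : "rejected (overflow)");
    if (checked_alloc_size(10000u, LARGE_ELEM, &sz))
        printf("checked:   %u bytes for a 10001-element sort\n", sz);
    return 0;
}
```

Note that with this index the 20-byte array's size (20 * 0x40000000) also wraps to 0 in 32-bit arithmetic, so the check has to be applied to every allocation derived from an attacker-controlled index.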
SOLUTION
Microsoft has patched this vulnerability, upgrading jscript.dll to
version 5.6.0.8513. Various incarnations of the fix are available from
http://www.microsoft.com/technet/security/bulletin/MS03-008.asp .
WORKAROUND
==========
Disable Active Scripting, if it is not needed for day-to-day operations,
using the following steps:
1. In IE, click on Tools and select Internet Options from the drop-down menu.
2. Click the Security tab and the Custom Level button.
3. Under Scripting, then Active Scripting, click the Disable radio button.
In the HTML-enabled e-mail scenario, if the user were using Outlook
Express 6.0 or Outlook 2002 in their default configurations, or Outlook
98 or 2000 in conjunction with the Outlook Email Security Update, then
an attack could not be automated and the user would still need to click
on a URL sent in the e-mail. As such, Outlook 98 and 2000 users should
install the update, which is available at
http://office.microsoft.com/Downloads/2000/Out2ksec.aspx