[NT] Heap Overflow in Windows Script Engine

From: support@securiteam.com
Date: 03/23/03

  • Next message: support@securiteam.com: "[EXPL] Ptrace Exploit Code Released" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 23 Mar 2003 15:40:00 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      Heap Overflow in Windows Script Engine
    ------------------------------------------------------------------------

    SUMMARY

    As we reported in our previous article:
    <http://www.securiteam.com/windowsntfocus/5YP0M0U9FG.html> Flaw in Windows
    Script Engine Could Allow Code Execution, a flaw in Microsoft's Scripting
    support allows remote attackers to cause it to execute arbitrary code. The
    following will provide additional information about the issue.

    DETAILS

    Vulnerable systems:
    iDEFENSE has confirmed the existence of the above-described vulnerability
    in the following Windows environments:
     * Microsoft Windows 98
     * Microsoft Windows 98 Second Edition
     * Microsoft Windows Me
     * Microsoft Windows NT 4.0
     * Microsoft Windows NT 4.0 Terminal Server Edition
     * Microsoft Windows 2000
     * Microsoft Windows XP

    With Jscript.dll versions:
     * 5.1.0.4615
     * 5.5.0.6330
     * 5.6.0.6626

    Immune systems:
    By passing malicious JavaScript via Internet Explorer (IE), Outlook or
    Outlook Express, remote attackers can exploit an integer overflow within
    the Windows Script Engine causing a corruption of the heap thereby
    allowing for arbitrary code execution. Specifically, the vulnerability
    lies in the Windows Script Engine's implementation of JScript that is
    provided by jscript.dll (located in %SystemRoot%\system32). The following
    snippet of JavaScript code demonstrates the existence of the vulnerability
    by crashing IE on a vulnerable Windows system:

    < script>
        var trigger = [];
        i = 1;
        do {trigger[i] = 1;} while(i++ < 10000);
        trigger[0x3FFFFFFF] = 1;
        trigger.sort(new Function("return 1"));
    < /script>

    The internal affected function, JsArrayFunctionHeapSort, creates two
    arrays on the heap - one of size 4 * (MaxElementIndex + 1) and one of size
    20 * (MaxElementIndex + 1). In the above example, MaxElementIndex is
    0x3FFFFFFF. When it is incremented and multiplied by four, an integer
    overflow occurs, thereby causing the application to allocate memory for an
    array of size 0. Indexes within the trigger array can then be used to
    overwrite segments of the second array that are filled with a structure
    for each element being sorted. Arbitrary code execution is possible by
    overwriting the heap control blocks to replace the stored address of
    soon-to-be-called functions with the address of shellcode that is stored
    in memory.

    Analysis:
    Exploitation requires an attacker first create a malicious JavaScript
    snippet containing shellcode. Once accomplished, any of a number of attack
    vectors is possible. Some include social engineering a user into browsing
    to a malicious web page, sending a malicious HTML-enabled e-mail to the
    target user, redirecting the user to the malicious script by leveraging
    numerous cross-site scripting (XSS) vulnerabilities that are in existence,
    or exploiting the browser directly using an XSS attack with embedded
    JavaScript. iDEFENSE has verified these issues with working exploit code.

    This is a serious issue because, given working exploit code under the
    above scenarios, an attacker can cause any command to execute under the
    privileges of the targeted user. The problem is further magnified when
    taking into consideration the countless number of applications that
    utilize the IE browsing engine, such as Outlook and Outlook Express.

    Workaround:
    Disable active scripting if it is not necessary for day-to-day operations
    using the following steps:

    1. In IE, click on Tools and select Internet Options from the drop-down
    menu.
    2. Click the Security tab and the Custom Level button.
    3. Under Scripting, then Active Scripting, click the Disable radio button.

    In the HTML-enabled e-mail scenario, if the user were using Outlook
    Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98
    or 2000 in conjunction with the Outlook Email Security Update, then an
    attack could not be automated and the user would still need to click on a
    URL sent in the e-mail. As such, Outlook 98 and 2000 users should install
    the update, which is available at
    <http://office.microsoft.com/Downloads/2000/Out2ksec.aspx>
    http://office.microsoft.com/Downloads/2000/Out2ksec.aspx.

    Vendor fix:
    Microsoft has patched this vulnerability, upgrading jscript.dll to version
    5.6.0.8513. Various incarnations of the fix are available from:
    <http://www.securiteam.com/windowsntfocus/5YP0M0U9FG.html>
    http://www.securiteam.com/windowsntfocus/5YP0M0U9FG.html.

    Disclosure timeline:
    07/07/2002 Microsoft initially notified
    12/07/2002 Issue disclosed to iDEFENSE
    01/09/2003 iDEFENSE notification sent to Microsoft (secure@microsoft.com)
    01/10/2003 Response received from secure@microsoft.com
    01/10/2003 iDEFENSE clients notified
    01/11/2003 to 03/18/2003 No less than eight e-mails requesting status
    reports on patch status
    03/19/2003 Public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:listserv@idefense.com>
    iDEFENSE Labs, the vulnerability was discovered by
    <mailto:mail@blazde.co.uk> Roland Postle.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: support@securiteam.com: "[EXPL] Ptrace Exploit Code Released"