[VulnWatch] iDEFENSE Security Advisory 03.19.03: Heap Overflow in Windows Script Engine

From: iDEFENSE Labs (labs@idefense.com)
Date: 03/20/03

  • Next message: CORE Security Technologies Advisories: "[VulnWatch] CORE-20030304-02: Vulnerability in Mutt Mail User Agent"
    From: "iDEFENSE Labs" <labs@idefense.com>
    To: vulnwatch@vulnwatch.org
    Date: Wed, 19 Mar 2003 18:57:46 -0500
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    iDEFENSE Security Advisory 03.19.03:
    http://www.idefense.com/advisory/03.19.03.txt
    Heap Overflow in Windows Script Engine
    March 19, 2003

    I. BACKGROUND

    Microsoft Corp.'s Windows Script Engine within the Windows operating
    system (OS) interprets and executes script code written in scripting
    languages such as VBscript and JScript. Such script code can be used to
    add functionality to web pages, or to automate tasks within the OS or a
    program. Script code can be written in several different scripting
    languages, such as Visual Basic Script, JScript or JavaScript.

    II. DESCRIPTION

    By passing malicious JavaScript via Internet Explorer (IE), Outlook or
    Outlook Express, remote attackers can exploit an integer overflow within
    the Windows Script Engine causing a corruption of the heap thereby
    allowing for arbitrary code execution. Specifically, the vulnerability
    lies in the Windows Script Engine's implementation of JScript that is
    provided by jscript.dll (located in %SystemRoot%\system32). The following
    snippet of JavaScript code demonstrates the existence of the vulnerability
    by crashing IE on a vulnerable Windows system:

    <script>
        var trigger = [];
        i = 1;
        do {trigger[i] = 1;} while(i++ < 10000);
        trigger[0x3FFFFFFF] = 1;
        trigger.sort(new Function("return 1"));
    </script>

    The internal affected function, JsArrayFunctionHeapSort, creates two
    arrays on the heap - one of size 4 * (MaxElementIndex + 1) and one of size
    20 * (MaxElementIndex + 1). In the above example, MaxElementIndex is
    0x3FFFFFFF. When it is incremented and multiplied by four, an integer
    overflow occurs, thereby causing the application to allocate memory for an
    array of size 0. Indexes within the trigger array can then be used to
    overwrite segments of the second array that are filled with a structure
    for each element being sorted. Arbitrary code execution is possible by
    overwriting the heap control blocks to replace the stored address of
    soon-to-be-called functions with the address of shellcode that is stored
    in memory.

    III. ANALYSIS

    Exploitation requires an attacker first create a malicious JavaScript
    snippet containing shellcode. Once accomplished, any of a number of attack
    vectors are possible. Some include social engineering a user into browsing
    to a malicious web page, sending a malicious HTML-enabled e-mail to the
    target user, redirecting the user to the malicious script by leveraging
    numerous cross-site scripting (XSS) vulnerabilities that are in existence,
    or exploiting the browser directly using an XSS attack with embedded
    JavaScript. iDEFENSE has verified these issues with working exploit code.

    This is a serious issue because, given working exploit code under the
    above scenarios, an attacker can cause any command to execute under the
    privileges of the targeted user. The problem is further magnified when
    taking into consideration the countless number of applications that
    utilize the IE browsing engine, such as Outlook and Outlook Express.

    IV. DETECTION

    iDEFENSE has confirmed the existence of the above-described vulnerability
    in the following Windows environments:

        * Microsoft Windows 98
        * Microsoft Windows 98 Second Edition
        * Microsoft Windows Me
        * Microsoft Windows NT 4.0
        * Microsoft Windows NT 4.0 Terminal Server Edition
        * Microsoft Windows 2000
        * Microsoft Windows XP

    with Jscript.dll versions:

        * 5.1.0.4615
        * 5.5.0.6330
        * 5.6.0.6626

    V. WORKAROUND

    Disable active scripting if it is not necessary for day-to-day operations
    using the following steps:

    1. In IE, click on Tools and select Internet Options from the drop-down
    menu.
    2. Click the Security tab and the Custom Level button.
    3. Under Scripting, then Active Scripting, click the Disable radio button.

    In the HTML-enabled e-mail scenario, if the user were using Outlook
    Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98
    or 2000 in conjunction with the Outlook Email Security Update, then an
    attack could not be automated and the user would still need to click on a
    URL sent in the e-mail. As such, Outlook 98 and 2000 users should install
    the update, which is available at
    http://office.microsoft.com/Downloads/2000/Out2ksec.aspx .

    VI. VENDOR FIX

    Microsoft has patched this vulnerability, upgrading jscript.dll to version
    5.6.0.8513. Various incarnations of the fix are available from
    http://www.microsoft.com/technet/security/bulletin/MS03-008.asp .

    VII. CVE INFORMATION

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    assigned the identification number CAN-2003-0010 to this issue.

    VIII. DISCLOSURE TIMELINE

    07/07/2002 Microsoft initially notified
    12/07/2002 Issue disclosed to iDEFENSE
    01/09/2003 iDEFENSE notification sent to Microsoft (secure@microsoft.com)
    01/10/2003 Response received from secure@microsoft.com
    01/10/2003 iDEFENSE clients notified
    01/11/2003 to 03/18/2003 No less than eight e-mails requesting status
    reports on patch status
    03/19/2003 Public disclosure

    IX. CREDIT

    Roland Postle (mail@blazde.co.uk) discovered this vulnerability.

    Get paid for security research
    http://www.idefense.com/contributor.html

    Subscribe to iDEFENSE Advisories:
    send email to listserv@idefense.com, subject line: "subscribe"

    About iDEFENSE:

    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. Our security intelligence services provide
    decision-makers, frontline security professionals and network
    administrators with timely access to actionable intelligence
    and decision support on cyber-related threats. For more information,
    visit http://www.idefense.com .

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0

    iQA/AwUBPnkDcfrkky7kqW5PEQL+fACg01awKreePU4Xn+F7cmmU0qZvG7oAoPX2
    PwP5JPQ8yomJWstofKnHgxxV
    =KPqR
    -----END PGP SIGNATURE-----


  • Next message: CORE Security Technologies Advisories: "[VulnWatch] CORE-20030304-02: Vulnerability in Mutt Mail User Agent"

    Relevant Pages