Public Vulnerability Reports

Heap Overflow in Windows Script Engine

03.19.03

BACKGROUND

Microsoft Corp.'s Windows Script Engine within the Windows operating system (OS) interprets and executes script code written in scripting languages such as VBscript and JScript. Such script code can be used to add functionality to web pages, or to automate tasks within the OS or a program. Script code can be written in several different scripting
languages, such as Visual Basic Script, JScript or JavaScript.

DESCRIPTION

By passing malicious JavaScript via Internet Explorer (IE), Outlook or Outlook Express, remote attackers can exploit an integer overflow within the Windows Script Engine causing a corruption of the heap thereby allowing for arbitrary code execution. Specifically, the vulnerability lies in the Windows Script Engine's implementation of JScript that is provided by jscript.dll (located in %SystemRoot%system32). The following snippet of JavaScript code demonstrates the existence of the vulnerability
by crashing IE on a vulnerable Windows system:

<script>
    var trigger = [];
    i = 1;
    do {trigger[i] = 1;} while(i++ < 10000);
    trigger[0x3FFFFFFF] = 1;
    trigger.sort(new Function("return 1"));
</script>

The internal affected function, JsArrayFunctionHeapSort, creates two arrays on the heap - one of size 4 * (MaxElementIndex + 1) and one of size 20 * (MaxElementIndex + 1). In the above example, MaxElementIndex is 0x3FFFFFFF. When it is incremented and multiplied by four, an integer overflow occurs, thereby causing the application to allocate memory for an array of size 0. Indexes within the trigger array can then be used to
overwrite segments of the second array that are filled with a structure for each element being sorted. Arbitrary code execution is possible by overwriting the heap control blocks to replace the stored address of soon-to-be-called functions with the address of shellcode that is stored in memory.

ANALYSIS

Exploitation requires an attacker first create a malicious JavaScript snippet containing shellcode. Once accomplished, any of a number of attack vectors are possible. Some include social engineering a user into browsing to a malicious web page, sending a malicious HTML-enabled e-mail to the target user, redirecting the user to the malicious script by leveraging numerous cross-site scripting (XSS) vulnerabilities that are in existence, or exploiting the browser directly using an XSS attack with embedded
JavaScript.  iDEFENSE has verified these issues with working exploit code.

This is a serious issue because, given working exploit code under the above scenarios, an attacker can cause any command to execute under the privileges of the targeted user. The problem is further magnified when taking into consideration the countless number of applications that utilize the IE browsing engine, such as Outlook and Outlook Express. 

DETECTION

iDEFENSE has confirmed the existence of the above-described vulnerability in the following Windows environments:

    * Microsoft Windows 98
    * Microsoft Windows 98 Second Edition
    * Microsoft Windows Me
    * Microsoft Windows NT 4.0
    * Microsoft Windows NT 4.0 Terminal Server Edition
    * Microsoft Windows 2000
    * Microsoft Windows XP

with Jscript.dll versions:

    * 5.1.0.4615
    * 5.5.0.6330
    * 5.6.0.6626

WORKAROUND

Disable active scripting if it is not necessary for day-to-day operations using the following steps:

1. In IE, click on Tools and select Internet Options from the drop-down
menu.
2. Click the Security tab and the Custom Level button.
3. Under Scripting, then Active Scripting, click the Disable radio button.

In the HTML-enabled e-mail scenario, if the user were using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, then an attack could not be automated and the user would still need to click on a URL sent in the e-mail. As such, Outlook 98 and 2000 users should install the update, which is available at http://office.microsoft.com/Downloads/2000/Out2ksec.aspx .

VENDOR RESPONSE

Microsoft has patched this vulnerability, upgrading jscript.dll to version 5.6.0.8513. Various incarnations of the fix are available from http://www.microsoft.com/technet/security/bulletin/MS03-008.asp .

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2003-0010 to this issue.

DISCLOSURE TIMELINE

07/07/2002 Microsoft initially notified
12/07/2002 Issue disclosed to iDEFENSE
01/09/2003 iDEFENSE notification sent to Microsoft (secure@microsoft.com)
01/10/2003 Response received from secure@microsoft.com
01/10/2003 iDEFENSE clients notified
01/11/2003 -03/18/2003 No less than eight e-mails requesting status reports on patch status
03/19/2003 Public disclosure

CREDIT

Roland Postle (mail@blazde.co.uk) discovered this vulnerability.