20th Mar 2003 [SBWID-6078]
COMMAND
	Windows Script Engine Heap Overflow
SYSTEMS AFFECTED
	iDEFENSE  has   confirmed   the   existence   of   the   above-described
	vulnerability in the following Windows environments:
	    * Microsoft Windows 98
	    * Microsoft Windows 98 Second Edition
	    * Microsoft Windows Me
	    * Microsoft Windows NT 4.0
	    * Microsoft Windows NT 4.0 Terminal Server Edition
	    * Microsoft Windows 2000
	    * Microsoft Windows XP
	with Jscript.dll versions:
	    * 5.1.0.4615
	    * 5.5.0.6330
	    * 5.6.0.6626
PROBLEM
	In iDEFENSE Security Advisory [03.19.03]:
	
	 http://www.idefense.com/advisory/03.19.03.txt
	
	Discovered by Roland Postle [[email protected]],
	--snip--
	Microsoft Corp.'s Windows Script Engine  within  the  Windows  operating
	system (OS) interprets and executes script  code  written  in  scripting
	languages such as VBscript and JScript. Such script code can be used  to
	add functionality to web pages, or to automate tasks within the OS or  a
	program. Script code can  be  written  in  several  different  scripting
	languages, such as Visual Basic Script, JScript or JavaScript.
	 DESCRIPTION
	 ===========
	By passing malicious JavaScript via Internet Explorer (IE),  Outlook  or
	Outlook Express,  remote  attackers  can  exploit  an  integer  overflow
	within the Windows Script  Engine  causing  a  corruption  of  the  heap
	thereby  allowing  for  arbitrary  code  execution.  Specifically,   the
	vulnerability lies in the  Windows  Script  Engine's  implementation  of
	JScript    that    is    provided    by    jscript.dll    (located    in
	%SystemRoot%\system32).  The  following  snippet  of   JavaScript   code
	demonstrates the existence of the vulnerability  by  crashing  IE  on  a
	vulnerable Windows system:
	
	<script>
	    // Populate the array with 10000 ordinary elements.
	    var trigger = [];
	    var i = 1;
	    do { trigger[i] = 1; } while (i++ < 10000);
	    // One element at a very large index: MaxElementIndex becomes
	    // 0x3FFFFFFF, so 4 * (MaxElementIndex + 1) wraps to 0 during sort.
	    trigger[0x3FFFFFFF] = 1;
	    // sort() with a comparison function enters JsArrayFunctionHeapSort.
	    trigger.sort(new Function("return 1"));
	</script>
	
	The internal affected  function,  JsArrayFunctionHeapSort,  creates  two
	arrays on the heap - one of size 4 * (MaxElementIndex + 1)  and  one  of
	size 20 * (MaxElementIndex + 1). In the above  example,  MaxElementIndex
	is 0x3FFFFFFF. When  it  is  incremented  and  multiplied  by  four,  an
	integer overflow occurs, thereby causing  the  application  to  allocate
	memory for an array of size 0. Indexes  within  the  trigger  array  can
	then be used to overwrite segments of the second array that  are  filled
	with  a  structure  for  each  element  being  sorted.  Arbitrary   code
	execution is possible by overwriting the heap control blocks to  replace
	the stored address of soon-to-be-called functions with  the  address  of
	shellcode that is stored in memory.
	--snap--
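	The allocation-size arithmetic described above, shown as an added illustration (not code from the advisory or from jscript.dll): the 32-bit product 4 * (MaxElementIndex + 1) wrapping to 0 for the trigger value 0x3FFFFFFF, beside an overflow check that also catches the +1 wrap and refuses the allocation. The function names and the use of calloc are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Size arithmetic as the advisory describes it: 32-bit and unchecked.
 * For max_index = 0x3FFFFFFF, max_index + 1 is 0x40000000 and
 * 4 * 0x40000000 = 0x100000000 wraps to 0 in a uint32_t. */
uint32_t unchecked_size(uint32_t max_index, uint32_t elem_size)
{
    return elem_size * (max_index + 1);
}

/* Overflow check (hypothetical helper): true only if
 * elem_size * (max_index + 1) fits in 32 bits. Both the +1 and the
 * multiplication are tested, so max_index = UINT32_MAX is rejected too. */
bool size_fits(uint32_t max_index, uint32_t elem_size)
{
    if (max_index == UINT32_MAX)            /* +1 would wrap to 0 */
        return false;
    uint32_t count = max_index + 1;
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return false;                       /* product would wrap */
    return true;
}

/* Hypothetical allocator for the element table: refuses the request
 * instead of returning a buffer far smaller than the index range. */
void *alloc_elements(uint32_t max_index, uint32_t elem_size)
{
    if (!size_fits(max_index, elem_size))
        return NULL;
    return calloc(max_index + 1, elem_size);
}

int main(void)
{
    uint32_t n = 0x3FFFFFFFu;  /* index used by the advisory's trigger */
    printf("unchecked 4*(n+1) = %u bytes\n", unchecked_size(n, 4));
    printf("size_fits(n, 4)   = %s\n", size_fits(n, 4) ? "yes" : "no");
    printf("alloc_elements    = %s\n",
           alloc_elements(n, 4) ? "buffer" : "refused");
    return 0;
}
```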
SOLUTION
	Microsoft has  patched  this  vulnerability,  upgrading  jscript.dll  to
	version 5.6.0.8513. Various incarnations of the fix are  available  from
	http://www.microsoft.com/technet/security/bulletin/MS03-008.asp .
	 WORKAROUND
	 ==========
	Disable  active  scripting  if  it  is  not  necessary  for   day-to-day
	operations using the following steps:
	
	1. In IE, click on Tools and select Internet Options from the drop-down menu.
	2. Click the Security tab and the Custom Level button.
	3. Under Scripting, then Active Scripting, click the Disable radio button.
	
	In the HTML-enabled e-mail scenario, if  the  user  were  using  Outlook
	Express 6.0 or Outlook 2002 in their default configurations, or  Outlook
	98 or 2000 in conjunction with the Outlook Email Security  Update,  then
	an attack could not be automated and the user would still need to  click
	on a URL sent in the e-mail. As such, Outlook 98 and 2000  users  should
	install the update, which is available at
	
	 http://office.microsoft.com/Downloads/2000/Out2ksec.aspx