Example Sins

A search for "integer overflow" in the SecurityFocus vulnerabilities list yields more than 50 hits, and the Common Vulnerabilities and Exposures (CVE) database yields 65 entries as of this writing. Here are a few:

Flaw in Windows Script Engine Could Allow Code Execution

From the CVE (CAN-2003-0010) description:

Integer overflow in the JsArrayFunctionHeapSort function used by the Windows Script Engine for JScript (JScript.dll) on various Windows operating systems allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack.

The interesting thing about this overflow is that it allows arbitrary code execution from a scripting language that doesn't allow direct memory access. The Microsoft bulletin can be found at www.microsoft.com/technet/security/bulletin/MS03-008.mspx.

Integer Overflow in the SOAPParameter Object Constructor

Another scripting language attack, CVE entry CAN-2004-0722, is more thoroughly described on the Red Hat Linux web site (www.redhat.com) as:

Zen Parse reported improper input validation to the SOAPParameter object constructor leading to an integer overflow and controllable heap corruption. Malicious JavaScript could be written to utilize this flaw and could allow arbitrary code execution.

In the same report, the following was also detailed:

During a source code audit, Chris Evans discovered a buffer overflow and integer overflows, which affect the libpng code inside Mozilla. An attacker could create a carefully crafted PNG file in such a way that it would cause Mozilla to crash or execute arbitrary code when the image was viewed.

Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise

Shortly after this problem was announced in June 2002, widespread attacks were seen against affected IIS servers. More details can be found at www.microsoft.com/technet/security/Bulletin/MS02-028.mspx, but the root cause was that the HTR handler accepted a length of 64K - 1 from the user, added 1 (after all, we needed room for the null terminator), and then asked the memory allocator for zero bytes. It's not known whether Bill Gates really said "64K ought to be enough for anybody" or if that's an Internet legend, but 64K worth of shell code ought to be enough for any hacker to cause mayhem!
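The HTR arithmetic above is worth seeing in code. The following is an added example, not code from the book or from Microsoft's HTR handler: it re-creates the pattern the text describes (a user-supplied length of 64K - 1, plus 1 for the terminator, computed in 16 bits, so the allocator is asked for zero bytes) beside overflow-checked replacements. The function names, the 16-bit width of the length field, and the count-times-element-size multiply (the general shape of a "large array index" allocation bug, added here as a generalization rather than as a description of JScript.dll) are all assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Vulnerable pattern (hypothetical re-creation): the length is held in
 * 16 bits, so 0xFFFF + 1 is truncated to 0 and a caller that passes the
 * result straight to the allocator gets a zero-byte buffer. */
uint16_t unsafe_alloc_size(uint16_t user_len)
{
    /* user_len is promoted to int for the add, then truncated to 16 bits */
    return (uint16_t)(user_len + 1);
}

/* Hardened: overflow-checked add in the same 16-bit width. Returns false
 * instead of wrapping; the caller must refuse the request. */
bool checked_add_u16(uint16_t a, uint16_t b, uint16_t *out)
{
    if (a > UINT16_MAX - b)
        return false;
    *out = (uint16_t)(a + b);
    return true;
}

/* Hardened alternative: compute the size in size_t, which can hold 0x10000,
 * and still guard against wrapping at SIZE_MAX (the general pattern; it
 * cannot trigger for a 16-bit input, but the check costs nothing). */
bool alloc_size_checked(uint16_t user_len, size_t *out)
{
    if ((size_t)user_len > SIZE_MAX - 1)
        return false;
    *out = (size_t)user_len + 1;
    return true;
}

/* Overflow-checked multiply for count * element size: the usual shape of
 * an allocation driven by an attacker-controlled element count or index. */
bool checked_mul_size(size_t count, size_t elem, size_t *out)
{
    if (count != 0 && elem > SIZE_MAX / count)
        return false;
    *out = count * elem;
    return true;
}

/* Allocate room for user_len bytes plus a terminator, or return NULL if
 * the size computation would wrap (or the allocator fails). */
char *alloc_user_buffer(uint16_t user_len)
{
    size_t size;
    if (!alloc_size_checked(user_len, &size))
        return NULL;
    char *buf = malloc(size);
    if (buf)
        buf[user_len] = '\0'; /* slot exists: size == user_len + 1 */
    return buf;
}

int main(void)
{
    uint16_t r;
    printf("unsafe  0xFFFF + 1 -> %u\n", unsafe_alloc_size(0xFFFF));
    printf("checked 0xFFFF + 1 -> %s\n",
           checked_add_u16(0xFFFF, 1, &r) ? "ok" : "rejected");
    char *b = alloc_user_buffer(0xFFFF);
    printf("buffer for 0xFFFF bytes: %s\n", b ? "65536 bytes" : "rejected");
    free(b);
    return 0;
}
```

The two fixes are deliberately different: checked_add_u16 keeps the narrow type and refuses the boundary value, while alloc_size_checked widens the arithmetic so 64K - 1 plus 1 is simply a legitimate 65536-byte request. Either is acceptable; what is not acceptable is letting the width of the intermediate type decide how much memory gets allocated.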


19 Deadly Sins of Software Security. Programming Flaws and How to Fix Them
Year: 2003