Jscript Unexpected exceptions

After Windows Server patch Vulnerability (CVE-2019-1367) released in 23. September

• Windows Server 2019 (KB4522015) https://support.microsoft.com/en-us/help/4522015/windows-10-update-kb4522015
• Windows Server 2016 (KB4522010)
• Windows Server 2008 R2 for x64-based Systems Service Pack 1 (KB4522007)
• Windows Server 2012 (KB4522007)
• Windows Server 2012 R2 (KB4522007)

Updated 07.10.2019 Also "Preview of Monthly Rollup" and "Monthly Rollup" packages are affected and doesn't fix the specific Jscript Workflow issues

• Windows Server 2019: KB4516077, KB4524148
• Windows Server 2016: KB4516061, KB4524152
• Windows Server 2012 R2: KB4516041, KB4524156

in the classic ASP application on several workflow cases are occurring jscript Unexpected errors in server side:

• Active Server Pages error 'ASP 0115'
• A trappable error (C0000005) occurred in an external object. The script cannot continue running
• Active Server Pages error 'ASP 0240'
• A ScriptEngine threw exception 'C0000005' in 'IActiveScript::Close()' from 'CActiveScriptEngine::FinalRelease()'.

Patch

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221. https://www.cvedetails.com/cve/CVE-2019-1367/

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could run arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email. The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory. https://blog.qualys.com/laws-of-vulnerabilities/2019/09/24/microsoft-releases-out-of-band-security-updates

Patch is said to address issue in Memory management. Doesn't specify what exactly changes, what are the new limitations. But seems that it causes some side-effect failure cases.

Error nature

• The errors cannot be handled by regular try-catch approach
• The errors causes workflow interruptions
• The exception seemingly happens only one time entering the specific workflow, and on repeated web-request for the same routine the code succeeds (Until App-pool restarted).
• Sometimes exceptions is entering the workflow first, second or third time.
• The exception only happens if IIS ASP Debugging Properties - Enable Server-side Debugging is set to False

Background

Verified that the issue is present on all tested Server instances with the patch. Also isolated the patch by checking the State before and after applying the patch (Server 2012 R2, Server 2016, Windows 10 - 1809)

• From Classic ASP Server cannot handle the issue, with try-catch,
• General error is returned - Script Error Message Or if turned off (ASP - Send Errors To Browser) ASP error codes with page where they happen
• Event Viewer also registers those errors, but without additional information
• Global.asa doesn't offer global error handling, ASP Server object Server.GetLastError() doesn't catch the exception

Explored exceptions with

• DebugDiag
• Sysinternals Process Monitor
• IIS - Failed Request Tracing

Environment

• App-Pool: Classic pipeline mode, Enable 32-Bit Applications: True
• Application: ASP
• ClientL IE 11 Enterprise mode, with ActiveX enabled
• Application pool identity is Impersonated in Web request calls

Issues, identified

1 In w3wp__V...__First chance exception 0XC0000005.dmp the assembly

instruction at msvcrt!memcpy+198 ### in C:\Windows\System32\msvcrt.dll from Microsoft Corporation has caused an access violation exception (0xC0000005) when trying to read from memory location 0x0000000a on thread 33 Instruction Address Source

[0x7532a2d8] msvcrt!memcpy+198    
[0x6ac17deb] jscript!AString::CopyToBuffer+4b    
[0x6ac10524] jscript!AString::ConvertToBSTR+1bb74    
[0x6abdf6b7] jscript!PrepareInvoke+277    
[0x6abf52df] jscript!InvokeDispatch+8f    
[0x6abe2f03] jscript!VAR::InvokeByDispID+523    
[0x6abdbde0] jscript!NameTbl::InvokeInternal+270    
[0x6abe2b17] jscript!VAR::InvokeByDispID+137    
[0x6abe6083] jscript!CScriptRuntime::Run+2db3
...

Followed by - Microsoft Corporation has caused an access violation exception (0xC0000005) when trying to read from memory location 0x00000000

[0x6b7c2d77] jscript!VarStack::ScavengeRoots+27    
[0x6b7c2b89] jscript!GcContext::CollectCore+79    
[0x6b7c2af4] jscript!GcContext::Collect+1b    
[0x6b7bca21] jscript!GcContext::ExhaustiveCollect+21    
[0x6b7a604a] jscript!CSession::Close+18a    
[0x6b7a32d9] jscript!COleScript::CloseInternal+13b    
[0x6b7a2d36] jscript!COleScript::Close+16    
[0x6b8a71ce] asp!CActiveScriptEngine::FinalRelease+1be 
...

Not identified the exact line that causes the issue, the FailedRequestTrace last record is assigning string variable from Application Scope xml object attribute. (CurrentStatement return attrib.text)

Similar case - access violation exception (0xC0000005) when trying to read from memory location 0x00000000

[0x6b907e09] jscript!AString::CopyToBuffer+69    
[0x6b900524] jscript!AString::ConvertToBSTR+1bb74    
[0x6b8e49a7] jscript!VAR::ConvertASTRtoBSTR+13    
[0x6b8c49e8] jscript!VAR::GetValue+58    
[0x6b8e0f34] jscript!ConvertToString+58    
[0x6b922fbf] jscript!JsString+4f    
[0x6b8d92e6] jscript!NatFncObj::Call+e6 
...

Followed by - access violation exception (0xC0000005) when trying to read from memory location 0x004e0049

[0x6b8e2d77] jscript!VarStack::ScavengeRoots+27    
[0x6b8e2b89] jscript!GcContext::CollectCore+79    
[0x6b8e2af4] jscript!GcContext::Collect+1b    
[0x6b8dca21] jscript!GcContext::ExhaustiveCollect+21    
[0x6b8c604a] jscript!CSession::Close+18a    
[0x6b8c32d9] jscript!COleScript::CloseInternal+13b    
[0x6b8c2d36] jscript!COleScript::Close+16    
[0x6bfb71ce] asp!CActiveScriptEngine::FinalRelease+1be
...

2 In w3wp__...__Second_Chance_Exception_C0000005.dmp the assembly instruction at asp!CResponseBuffer::Write+3a

in \?\C:\Windows\System32\inetsrv\asp.dll from Microsoft Corporation has caused an access violation exception (0xC0000005) when trying to read from memory location 0x00000014 on thread 32

[0x6f042e88] asp!CResponseBuffer::Write+3a    
[0x6f0452ea] asp!CResponse::WriteSz+4c    
[0x6f02dd3b] asp!CErrInfo::LogErrortoBrowser+ff    
[0x6f02d4c9] asp!CErrInfo::LogErrortoBrowserWrapper+d7    
[0x6f02d047] asp!CErrInfo::LogError+e8    
[0x6f02e241] asp!HandleError+116    
[0x6f02f009] asp!HandleErrorMissingFilename+df    
[0x6f04941b] asp!CActiveScriptEngine::Call+bb    
[0x6f030eff] asp!CallScriptFunctionOfEngine+4d    
[0x6f02f99f] asp!ExecuteRequest+173    
[0x6f02f828] asp!Execute+23d    
[0x6f035c6f] asp!CHitObj::ViperAsyncCallback+467    
[0x6f05df53] asp!CViperAsyncRequest::OnCall+73    
[0x6eefd325] comsvcs!CSTAActivityWork::STAActivityWorkHelper+45    
[0x77098346] combase!EnterForCallback+16e [onecore\com\combase\dcomrem\crossctx.cxx @ 2072 + 2]   onecore\com\combase\dcomrem\crossctx.cxx @ 2072 + 2 
[0x7709816d] combase!SwitchForCallback+206 [onecore\com\combase\dcomrem\crossctx.cxx @ 1694]   onecore\com\combase\dcomrem\crossctx.cxx @ 1694 
[0x7709bae4] combase!PerformCallback+bc [onecore\com\combase\dcomrem\crossctx.cxx @ 1573 + 16]   onecore\com\combase\dcomrem\crossctx.cxx @ 1573 + 16 
[0x7709b7f9] combase!CObjectContext::InternalContextCallback+119 [onecore\com\combase\dcomrem\context.cxx @ 4421 + 1a]   onecore\com\combase\dcomrem\context.cxx @ 4421 + 1a 
[0x77198e66] combase!CObjectContext::DoCallback+26 [onecore\com\combase\dcomrem\context.cxx @ 4254]   onecore\com\combase\dcomrem\context.cxx @ 4254 
[0x6eefd015] comsvcs!CSTAActivityWork::DoWork+175    
[0x6eeff0e0] comsvcs!CSTAThread::DoWork+26    
[0x6eeff599] comsvcs!CSTAThread::ProcessQueueWork+48    
[0x6eeff8dd] comsvcs!CSTAThread::WorkerLoop+13d    
[0x76577e71] msvcrt!_callthreadstartex+25    
[0x76577f31] msvcrt!_threadstartex+61    
[0x765f0419] kernel32!BaseThreadInitThunk+19    
[0x77d5662d] ntdll!__RtlUserThreadStart+2f    
[0x77d565fd] ntdll!_RtlUserThreadStart+1b
...

• Most likely comes from writing to log file

  ioo_fso = Server.CreateObject("Scripting.FileSystemObject"); ... loo_file = loo_fso.OpenTextFile(ls_filename,8,true); ... try { loo_file.WriteLine("[" + str + "]")} catch (ee) {}

• Proces-Monitor shows "SHARING VIOLATION" log records for w3wp.exe on accessing the log file

3 Also experienced ASP 0115 right after custom Server custom component creation

var pbkdf2;
try {
    pbkdf2 = Server.CreateObject("Pbkdf2");
    pbkdf2.hashPassword(ls_newpassword, 100000);
} catch (e) {
    addToLogg("Login:CreateObject failed for Pbkdf2, " + e.description);
}

from FailedReqLogFiles logs, but not identified yet in DebugDiag

Questions

I know ASP Jscript is an old, out-phasing technology, but there should be plenty of Enterprise solution still out there, so could be someone else also runs into these issues. I would expect the Jscript to fall in regular way, so that the error situation could be handled

• Has someone else come upon similar situation?
• What are the new restrictions on jscript code?
• Are there ways to handle these fails in server-side, prior to returning response to client?
• Maybe there is some ASP/jscript environment settings, memory management settings, Windows privileges, permissions that can potentially solve the issues?

Solution

As hinted by @Max (below) the last Microsoft KBs fixes the Jscript Workflow issues.

• The only comment in KB that reflects jscript is

Addresses an issue with applications and printer drivers that utilize the Windows JavaScript engine (jscript.dll) for processing print jobs.

So apparently the fix in common jscript handling

The summary of KBs that fix the issue

• Server 2019 1809: KB4519338
• Server 2019 1903: KB4517389
• Server 2016: KB4519998
• Server 2012 R2 : KB4520005
• Server 2012: KB4520007
• Server 2008 R2: KB4519976
• Server 2008 (with SP2): KB4520002

Not required to uninstall previous KB updates. See that previous monthly Rollup (October 3) is no longer present in Window Updates after installing the new one.

While I didn't manage to isolate the main "First chance exception 0xC0000005" from the Workflows:

• After applying the October 8 KB the issue 0xC0000005 is no longer there in the previously failing Workflows
• The isolated second chance exceptions are also not reproduced, see ntdl Access Violation case, Server Object Creation case
• My isolated Regex samples with test data from the failing workflow didn't reproduce the Exception, so I cannot confirm that the regex use directly caused the issues
• However VBScript proved not to be affected, as pointed out by @Lee
• This appears to be an unfortunate issue in the basket, while fixing memory corruption creating a several ones.

We also experienced these same errors related to CVE-2019-1367 and classic ASP. We narrowed the scope of the errors to a few places we were using JScript instead of VBScript to do JSON conversions, then we narrowed it further to were we were using regex. We worked around the errors by rewriting the functionality that was in JScript code in VBScript.

I found this article that refers to CVE-2019-13670 with a very similar number and very similar wording: Google Chrome could allow a remote attacker to execute arbitrary code on the system, caused by a V8 memory corruption in regex..

CVE-2019-1367 is specific to Internet Explorer and updated C\Windows\system32\JScript.dll. From that, I'm guessing IE's javascript engine and classic ASP JScript engine are both handled by JScript.dll? Wild guess. CVE-2019-13670 is specific to Chrome (which I assume doesn't use JScript.dll), but it mentioned regex and we found our problems to be specific to regex usage in JScript.