Windows NT 4.0 with IBM JVM Denial of Service

From: @stake Advisories (@stake)
Date: Wed Jul 23 2003 - 14:07:25 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
                                   @stake, Inc.
                                 www.atstake.com
    
                                Security Advisory
    
    
    Advisory Name: Windows NT 4.0 with IBM JVM Denial of Service
     Release Date: 07/23/2003
      Application: Any Java application, other applications
                   are possible attack vectors.
         Platform: Java 2 Runtime Environment, Standard Edition
                   (build 1.3.0), Windows NT 4.0
         Severity: Denial of service
           Author: Matthew Miller <mmillerat_private>
                   Jeremy Rauch
    Vendor Status: Microsoft has patch available
    CVE Candidate: CAN-2003-0525
        Reference: www.atstake.com/research/advisories/2003/a072303-1.txt
    
    
    Overview:
    
    A flaw exists in Windows NT 4.0's file name processing. The flaw can
    cause heap corruption to occur when a long string is passed to the
    file name functions.  This results in the program calling the NT 4.0
    file name processing functions to crash.
    
    One attack vector identified by @stake is through a Java servlet
    running on the IBM JVM.  This class of problem highlights the Java
    platform's dependence on the correctness of the underlying operating
    system for its overall security.  Java application developers
    should still bounds check untrusted inputs that are passed to the
    underlying operating system API, such as file handling functions.
    
    
    Detailed Description:
    
    A denial of service condition for IBM's Java 2 Runtime Environment
    can be triggered when passing a long string to the
    java.io.getCanonicalPath() function. Any application which passes
    user supplied data to the getCanonicalPath() function is potentially
    vulnerable.
     
    When passing a long string to java.io.getCanonicalPath() an access
    violation occurs in the Windows NT 4.0 ntdll.dll.  This access
    violation causes the IBM JVM to core resulting in a Denial of
    Service. This seems to be due to a corruption of the
    heap.
    
    
    Vendor Response:
    
    Microsoft contacted by @stake: 05/14/2003
    Microsoft reproduced and verified: 06/10/2003
    
    Microsoft has issued a bulletin and a patch.  More information
    is available at:
    
    http://www.microsoft.com/technet/security/bulletin/MS03-029.asp
    
    
    Recommendation:
    
    Java developers should identify all occurrences and perform data
    validation where java.io.getCanonicalPath is used.
    
    NT 4.0 Administrators running servers which use Java servlets
    should consider installing the Microsoft supplied patch.
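
    The following is an added example, not code from the advisory or
    from @stake, showing the kind of bounds check the Overview and the
    Recommendation above call for: untrusted input is length-limited and
    filtered in Java before it ever reaches java.io.File.getCanonicalPath()
    and the native file name routines beneath it.  The class name
    SafeCanonicalPath, the MAX_NAME_LENGTH limit, the base directory and
    the over-long test string are all assumptions chosen for illustration.

```java
import java.io.File;
import java.io.IOException;

/*
 * Added example (not from the @stake advisory): validate an untrusted
 * file name before handing it to java.io.File.getCanonicalPath().
 * The limit MAX_NAME_LENGTH and the base directory are assumptions.
 */
public final class SafeCanonicalPath {

    // Assumed limit: well under the Win32 MAX_PATH of 260 characters, so the
    // native path routines never see an over-long string from this code path.
    private static final int MAX_NAME_LENGTH = 128;

    private SafeCanonicalPath() {}

    /*
     * Returns the canonical path of baseDir/untrustedName, or throws
     * IllegalArgumentException before any operating system call is made
     * if the name is empty, too long, contains characters a simple file
     * name should not, or resolves outside baseDir.
     */
    public static String resolveUnderBase(File baseDir, String untrustedName)
            throws IOException {
        if (untrustedName == null || untrustedName.length() == 0) {
            throw new IllegalArgumentException("empty file name");
        }
        // Bounds check first: reject long input before getCanonicalPath() runs.
        if (untrustedName.length() > MAX_NAME_LENGTH) {
            throw new IllegalArgumentException(
                "file name too long: " + untrustedName.length() + " characters");
        }
        // Reject separators, control characters and Windows-reserved characters.
        for (int i = 0; i < untrustedName.length(); i++) {
            char c = untrustedName.charAt(i);
            if (c < 0x20 || c == '/' || c == '\\' || c == ':' || c == '*'
                    || c == '?' || c == '"' || c == '<' || c == '>' || c == '|') {
                throw new IllegalArgumentException("illegal character in file name");
            }
        }
        // Disallow the relative components "." and "..".
        if (untrustedName.equals(".") || untrustedName.equals("..")) {
            throw new IllegalArgumentException("relative component not allowed");
        }
        String base = baseDir.getCanonicalPath();
        String resolved = new File(baseDir, untrustedName).getCanonicalPath();
        // Confinement check: the canonical result must stay inside baseDir.
        if (!resolved.startsWith(base + File.separator)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return resolved;
    }

    public static void main(String[] args) throws IOException {
        File base = new File(System.getProperty("java.io.tmpdir"));
        System.out.println(resolveUnderBase(base, "report.txt"));

        // Constructed over-long input: rejected before getCanonicalPath() runs.
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < 5000; i++) {
            sb.append('A');
        }
        try {
            resolveUnderBase(base, sb.toString());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

    The order of the checks is the point: the length and character filters
    run on the Java String alone, so a malformed or over-long name is
    refused without the JVM ever calling into ntdll.dll; the base-directory
    check runs last, on the canonical result, and addresses the separate
    problem of names that resolve outside the intended directory.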
    
    
    Common Vulnerabilities and Exposures (CVE) Information:
    
    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the following names to these issues.  These are candidates for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.
    
      CAN-2003-0525
    
    
    @stake Vulnerability Reporting Policy:
    http://www.atstake.com/research/policy/
    
    @stake Advisory Archive:
    http://www.atstake.com/research/advisories/
    
    PGP Key:
    http://www.atstake.com/research/pgp_key.asc
    
    
    Copyright 2003 @stake, Inc. All rights reserved.
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0
    
    iQA/AwUBPx74oUe9kNIfAm4yEQKc6wCghclEcANjGkrPRGENJyoDhKxyBcYAnjbi
    UiSnzl1p7SRXf+9j7dbRQ/M4
    =10T3
    -----END PGP SIGNATURE-----
    