Microsoft Windows NT 4.0 with IBM JVM DoS

2003-07-23T16:06:33
ID OSVDB:2328
Type osvdb
Reporter OSVDB
Modified 2003-07-23T16:06:33

Description

Vulnerability Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

                           @stake, Inc.
                         www.atstake.com

                        Security Advisory

Advisory Name: Windows NT 4.0 with IBM JVM Denial of Service Release Date: 07/23/2003 Application: Any Java application, other applications are possible attack vectors. Platform: Java 2 Runtime Environment, Standard Edition (build 1.3.0), Windows NT 4.0 Severity: Denial of service Author: Matthew Miller <mmiller@atstake.com> Jeremy Rauch Vendor Status: Microsoft has patch available CVE Candidate: CAN-2003-0525 Reference: www.atstake.com/research/advisories/2003/a072303-1.txt

Overview:

A flaw exists in Windows NT 4.0's file name processing. The flaw can cause heap corruption to occur when a long string is passed to the file name functions. This results in the program calling the NT 4.0 file name processing functions to crash.

One attack vector identified by @stake is through a Java servlet running on the IBM JVM. This class of problem highlights the Java platform's dependance on the correctness of the underlying operating system for it's overall security. Java application developers should still bounds check untrusted inputs that are passed to the underlying operating system API, such as file handling functions.

Detailed Description:

A denial of service condition for IBM's Java 2 Runtime Environment can be triggered when passing a long string to the java.io.getCanonicalPath() function. Any application which passes user supplied data to the getCanonicalPath() function is potentially vulnerable.

When passing a long string to java.io.getCanonicalPath() an access violation occurs in the Windows NT 4.0 ntdll.dll. This access violation causes the IBM JVM to core resulting in a Denial of Service. This seems to be due to a corruption of the heap.

Vendor Response:

Microsoft contacted by @stake: 05/14/2003 Microsoft reproduced and verified: 06/10/2003

Microsoft has issued a bulletin and a patch. More information is available at:

http://www.microsoft.com/technet/security/bulletin/MS03-029.asp

Recommendation:

Java developers should identify all occurances and perform data validation where java.io.getCanonicalPath is used.

NT 4.0 Administrators running servers which use Java servlets should consider installing the Microsoft supplied patch.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CAN-2003-0525

@stake Vulnerability Reporting Policy: http://www.atstake.com/research/policy/

@stake Advisory Archive: http://www.atstake.com/research/advisories/

PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2003 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE----- Version: PGP 8.0

iQA/AwUBPx74oUe9kNIfAm4yEQKc6wCghclEcANjGkrPRGENJyoDhKxyBcYAnjbi UiSnzl1p7SRXf+9j7dbRQ/M4 =10T3 -----END PGP SIGNATURE-----

Short Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

                           @stake, Inc.
                         www.atstake.com

                        Security Advisory

Advisory Name: Windows NT 4.0 with IBM JVM Denial of Service Release Date: 07/23/2003 Application: Any Java application, other applications are possible attack vectors. Platform: Java 2 Runtime Environment, Standard Edition (build 1.3.0), Windows NT 4.0 Severity: Denial of service Author: Matthew Miller <mmiller@atstake.com> Jeremy Rauch Vendor Status: Microsoft has patch available CVE Candidate: CAN-2003-0525 Reference: www.atstake.com/research/advisories/2003/a072303-1.txt

Overview:

A flaw exists in Windows NT 4.0's file name processing. The flaw can cause heap corruption to occur when a long string is passed to the file name functions. This results in the program calling the NT 4.0 file name processing functions to crash.

One attack vector identified by @stake is through a Java servlet running on the IBM JVM. This class of problem highlights the Java platform's dependance on the correctness of the underlying operating system for it's overall security. Java application developers should still bounds check untrusted inputs that are passed to the underlying operating system API, such as file handling functions.

Detailed Description:

A denial of service condition for IBM's Java 2 Runtime Environment can be triggered when passing a long string to the java.io.getCanonicalPath() function. Any application which passes user supplied data to the getCanonicalPath() function is potentially vulnerable.

When passing a long string to java.io.getCanonicalPath() an access violation occurs in the Windows NT 4.0 ntdll.dll. This access violation causes the IBM JVM to core resulting in a Denial of Service. This seems to be due to a corruption of the heap.

Vendor Response:

Microsoft contacted by @stake: 05/14/2003 Microsoft reproduced and verified: 06/10/2003

Microsoft has issued a bulletin and a patch. More information is available at:

http://www.microsoft.com/technet/security/bulletin/MS03-029.asp

Recommendation:

Java developers should identify all occurances and perform data validation where java.io.getCanonicalPath is used.

NT 4.0 Administrators running servers which use Java servlets should consider installing the Microsoft supplied patch.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CAN-2003-0525

@stake Vulnerability Reporting Policy: http://www.atstake.com/research/policy/

@stake Advisory Archive: http://www.atstake.com/research/advisories/

PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2003 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE----- Version: PGP 8.0

iQA/AwUBPx74oUe9kNIfAm4yEQKc6wCghclEcANjGkrPRGENJyoDhKxyBcYAnjbi UiSnzl1p7SRXf+9j7dbRQ/M4 =10T3 -----END PGP SIGNATURE-----

References: