CVE-2003-0525
CVSS 5.0
Published: 2003-08-27 00:00:00
Revised: 2008-09-10 15:19:31

[Original] The getCanonicalPath function in Windows NT 4.0 may free memory that it does not own and cause heap corruption, which allows attackers to cause a denial of service (crash) via requests that cause a long file name to be passed to getCanonicalPath, as demonstrated on the IBM JVM using a long string to the java.io.getCanonicalPath Java method.


[CNNVD] Windows NT 4.0 IBM JVM remote denial of service vulnerability (MS03-029) (CNNVD-200308-196)

        
        Windows NT 4.0 is a Windows operating system developed by Microsoft.
        A flaw exists in Windows NT 4.0 file name processing; a remote attacker can exploit it to crash the NT 4.0 file name processing functions, causing a denial of service.
        @stake triggered this vulnerability through a Java servlet running on the IBM JVM. The problem lies in the IBM Java 2 Runtime Environment: passing an overly long string to the java.io.getCanonicalPath() function can crash the program. Any application that passes user-supplied data to getCanonicalPath() is affected.
        When an overly long string is passed to java.io.getCanonicalPath(), an access violation occurs in ntdll.dll. This access violation causes the IBM JVM to core dump, apparently as a result of heap corruption.
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/o:microsoft:windows_nt:4.0::terminal_server
cpe:/o:microsoft:windows_nt:4.0:sp1:server  Microsoft Windows 4.0 sp1 server
cpe:/o:microsoft:windows_nt:4.0:sp6:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP6
cpe:/o:microsoft:windows_nt:4.0:sp1:enterprise_server
cpe:/o:microsoft:windows_nt:4.0::server
cpe:/o:microsoft:windows_nt:4.0:sp2:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp6a:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp2:server  Microsoft Windows 4.0 sp2 server
cpe:/o:microsoft:windows_nt:4.0:sp4:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp3:server  Microsoft Windows 4.0 sp3 server
cpe:/o:microsoft:windows_nt:4.0:sp4:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP4
cpe:/o:microsoft:windows_nt:4.0::enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp6:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp5:server  Microsoft Windows 4.0 sp5 server
cpe:/o:microsoft:windows_nt:4.0:sp5:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP5
cpe:/o:microsoft:windows_nt:4.0:sp3:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp6:server  Microsoft Windows 4.0 sp6 server
cpe:/o:microsoft:windows_nt:4.0:sp5:enterprise_server
cpe:/o:microsoft:windows_nt:4.0:sp1:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP1
cpe:/o:microsoft:windows_nt:4.0:sp2:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP2
cpe:/o:microsoft:windows_nt:4.0:sp3:terminal_server  Microsoft Windows NT Terminal Server 4.0 SP3
cpe:/o:microsoft:windows_nt:4.0:sp6a:server  Microsoft Windows 4.0 sp6a server
cpe:/o:microsoft:windows_nt:4.0:sp4:server  Microsoft Windows 4.0 sp4 server

- OVAL (technical details for detection)

oval:org.mitre.oval:def:319  Windows NT getCanonicalPath Heap Corruption Denial of Service
*OVAL describes in detail how to detect this vulnerability; more technical detection details can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0525
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0525
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-196
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/12701
(UNKNOWN)  XF  winnt-file-management-dos (12701)
http://www.microsoft.com/technet/security/bulletin/ms03-029.asp
(UNKNOWN)  MS  MS03-029
http://www.atstake.com/research/advisories/2003/a072303-1.txt
(VENDOR_ADVISORY)  ATSTAKE  A072303-1

- Vulnerability information

Windows NT 4.0 IBM JVM remote denial of service vulnerability (MS03-029)
Medium severity  Boundary condition error
2003-08-27 00:00:00 2005-10-20 00:00:00
Remote / Local
        
        

- Advisories and patches

        Vendor patch:
        Microsoft
        ---------
        Microsoft has released a security bulletin (MS03-029) and a corresponding patch:
        MS03-029: Flaw in Windows Function Could Allow Denial of Service (Q823803)
        Link:
        http://www.microsoft.com/technet/security/bulletin/MS03-029.asp

        Patch download:
        Microsoft Windows NT 4.0 Server:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=8FF8CA3E-D546-4FAF-851F-FFBE2490B901&displaylang=en

        Microsoft Windows NT 4.0 Terminal Server Edition :
        
        http://microsoft.com/downloads/details.aspx?FamilyId=5C46460D-3887-4D5F-B142-F505BB208797&displaylang=en

- Vulnerability information (F31427)

Atstake Security Advisory 03-07-23.1 (PacketStormID:F31427)
2003-07-24 00:00:00
Jeremy Rauch, Atstake, Matthew Miller  atstake.com
advisory,java
windows,nt
CVE-2003-0525

Atstake Security Advisory A072303-1 - A flaw exists in the Windows NT 4.0 file name processing. The flaw can cause heap corruption to occur when a long string is passed to the file name functions. This results in the program calling the NT 4.0 file name processing functions to crash. One attack vector identified is through a Java servlet running on the IBM JVM.


                               @stake, Inc.
                             www.atstake.com

                            Security Advisory


Advisory Name: Windows NT 4.0 with IBM JVM Denial of Service
 Release Date: 07/23/2003
  Application: Any Java application, other applications
               are possible attack vectors.
     Platform: Java 2 Runtime Environment, Standard Edition
               (build 1.3.0), Windows NT 4.0
     Severity: Denial of service
       Author: Matthew Miller <mmiller@atstake.com>
               Jeremy Rauch
Vendor Status: Microsoft has patch available
CVE Candidate: CAN-2003-0525
    Reference: www.atstake.com/research/advisories/2003/a072303-1.txt


Overview:

A flaw exists in Windows NT 4.0's file name processing. The flaw can
cause heap corruption to occur when a long string is passed to the
file name functions.  This results in the program calling the NT 4.0
file name processing functions to crash.

One attack vector identified by @stake is through a Java servlet
running on the IBM JVM.  This class of problem highlights the Java
platform's dependence on the correctness of the underlying operating
system for its overall security.  Java application developers
should still bounds check untrusted inputs that are passed to the
underlying operating system API, such as file handling functions.


Detailed Description:

A denial of service condition for IBM's Java 2 Runtime Environment
can be triggered when passing a long string to the
java.io.getCanonicalPath() function. Any application which passes
user supplied data to the getCanonicalPath() function is potentially
vulnerable.
 
When passing a long string to java.io.getCanonicalPath() an access
violation occurs in the Windows NT 4.0 ntdll.dll.  This access
violation causes the IBM JVM to core resulting in a Denial of
Service. This seems to be due to a corruption of the
heap.


Vendor Response:

Microsoft contacted by @stake: 05/14/2003
Microsoft reproduced and verified: 06/10/2003

Microsoft has issued a bulletin and a patch.  More information
is available at:

http://www.microsoft.com/technet/security/bulletin/MS03-029.asp


Recommendation:

Java developers should identify all occurrences and perform data
validation where java.io.getCanonicalPath is used.

NT 4.0 Administrators running servers which use Java servlets
should consider installing the Microsoft supplied patch.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

  CAN-2003-0525


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc


Copyright 2003 @stake, Inc. All rights reserved.

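The bounds checking the advisory recommends, as an added example (not code from @stake, Microsoft or this page): a wrapper that rejects overlong or malformed file names before they reach java.io.File.getCanonicalPath() and then confines the result to a base directory. The 255-character limit, the character allow-list and the base-directory check are illustrative assumptions, not values from the advisory.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Added example: validate untrusted input before it reaches
// File.getCanonicalPath(), the call the advisory reports crashing
// on Windows NT 4.0 when handed a long string.
public final class SafeCanonicalPath {
    // Assumed limit for illustration; Windows MAX_PATH is 260, so a
    // single component must stay well below that.
    static final int MAX_INPUT_CHARS = 255;

    // Returns the canonical path of baseDir/untrusted, or throws
    // IllegalArgumentException before any OS path function is called.
    static String canonicalize(File baseDir, String untrusted) throws IOException {
        if (untrusted == null || untrusted.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Length check on characters and on encoded bytes: this is the
        // check applied before the string reaches the operating system.
        if (untrusted.length() > MAX_INPUT_CHARS
                || untrusted.getBytes(StandardCharsets.UTF_8).length > MAX_INPUT_CHARS) {
            throw new IllegalArgumentException("file name too long");
        }
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            // Reject control characters, NUL and path separators so the
            // input is a single file name rather than a path.
            if (c < 0x20 || c == '/' || c == '\\' || c == ':') {
                throw new IllegalArgumentException("illegal character in file name");
            }
        }
        if (untrusted.equals(".") || untrusted.equals("..")) {
            throw new IllegalArgumentException("relative component not allowed");
        }
        File base = baseDir.getCanonicalFile();
        File candidate = new File(base, untrusted).getCanonicalFile();
        // Confine the result to the base directory after canonicalization.
        if (!candidate.getPath().startsWith(base.getPath() + File.separator)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return candidate.getPath();
    }

    public static void main(String[] args) throws IOException {
        File base = new File(System.getProperty("java.io.tmpdir"));
        System.out.println(canonicalize(base, "report.txt"));
        // Constructed overlong input: rejected before getCanonicalPath runs.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 4096; i++) sb.append('A');
        try { canonicalize(base, sb.toString()); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```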


    

- Vulnerability information

12654
Windows NT getCanonicalPath Memory Corruption DoS
Denial of Service
Loss of Availability

- Vulnerability description

Unknown or Incomplete

- Timeline

2003-07-23 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Credit

Unknown or Incomplete

- Vulnerability information

Microsoft Windows NT File Management Function Denial Of Service Vulnerability
Boundary Condition Error 8259
Yes Yes
2003-07-23 12:00:00 2009-07-11 10:56:00
Discovery is credited to Matt Miller and Jeremy Rauch of @stake.

- Affected program versions

Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Workstation 4.0 SP6
Microsoft Windows NT Workstation 4.0 SP5
Microsoft Windows NT Workstation 4.0 SP4
Microsoft Windows NT Workstation 4.0 SP3
Microsoft Windows NT Workstation 4.0 SP2
Microsoft Windows NT Workstation 4.0 SP1
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Terminal Server 4.0 SP5
Microsoft Windows NT Terminal Server 4.0 SP4
Microsoft Windows NT Terminal Server 4.0 SP3
Microsoft Windows NT Terminal Server 4.0 SP2
Microsoft Windows NT Terminal Server 4.0 SP1
Microsoft Windows NT Terminal Server 4.0 alpha
Microsoft Windows NT Terminal Server 4.0
Microsoft Windows NT Server 4.0 SP6a
+ Avaya DefinityOne Media Servers
+ Avaya IP600 Media Servers
+ Avaya S3400 Message Application Server 0
+ Avaya S8100 Media Servers 0
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP3
Microsoft Windows NT Server 4.0 SP2
Microsoft Windows NT Server 4.0 SP1
Microsoft Windows NT Server 4.0
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Enterprise Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP5
Microsoft Windows NT Enterprise Server 4.0 SP4
Microsoft Windows NT Enterprise Server 4.0 SP3
Microsoft Windows NT Enterprise Server 4.0 SP2
Microsoft Windows NT Enterprise Server 4.0 SP1
Microsoft Windows NT Enterprise Server 4.0

- Vulnerability discussion

Microsoft Windows NT 4.0 is prone to a denial of service vulnerability within the GetCanonicalPath() function, which is part of ntdll.dll. Support for the function is not installed on Windows NT by default, but may pose remote attack vectors on systems that support the function and run applications that use the function without sufficient input validation of externally-supplied data.

The vulnerability is related to memory management and may potentially be exploited to execute arbitrary code on the system, though this has not been confirmed.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

The vendor has released an updated patch to resolve the RRAS service issue. The updated fixes are linked below.

Microsoft has acknowledged reports that have indicated issues with the patch when applied to NT 4.0 systems that use RRAS (Routing and Remote Access Service). In particular, the RRAS service may fail when a patched system is rebooted. A temporary hotfix has been made available to address these problems and can be obtained by contacting Microsoft Product Support Services. The vendor has stated that updated patches to address these issues with systems that use RRAS are pending. More information is available in the revised version of MS03-029.

It has also been reported that the patch may cause similar problems with the Web Proxy service for Microsoft Proxy Server. The vendor hotfix is also reported to address this problem with the patch.

Microsoft has released fixes for this issue:

Microsoft Windows NT Workstation 4.0 SP6a
Microsoft Windows NT Terminal Server 4.0 SP6
Microsoft Windows NT Enterprise Server 4.0 SP6a
Microsoft Windows NT Server 4.0 SP6a

- References

 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are kept on MITRE's related websites.