[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <3F1EF90D.80702@atstake.com>
Date: Wed, 23 Jul 2003 17:07:25 -0400
From: "@stake Advisories" <advisories@...take.com>
To: bugtraq@...urityfocus.com
Subject: Windows NT 4.0 with IBM JVM Denial of Service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
@stake, Inc.
www.atstake.com
Security Advisory
Advisory Name: Windows NT 4.0 with IBM JVM Denial of Service
Release Date: 07/23/2003
Application: Any Java application, other applications
are possible attack vectors.
Platform: Java 2 Runtime Environment, Standard Edition
(build 1.3.0), Windows NT 4.0
Severity: Denial of service
Author: Matthew Miller <mmiller@...take.com>
Jeremy Rauch
Vendor Status: Microsoft has patch available
CVE Candidate: CAN-2003-0525
Reference: www.atstake.com/research/advisories/2003/a072303-1.txt
Overview:
A flaw exists in Windows NT 4.0's file name processing. The flaw can
cause heap corruption to occur when a long string is passed to the
file name functions. This results in the program calling the NT 4.0
file name processing functions to crash.
One attack vector identified by @stake is through a Java servlet
running on the IBM JVM. This class of problem highlights the Java
platform's dependance on the correctness of the underlying operating
system for it's overall security. Java application developers
should still bounds check untrusted inputs that are passed to the
underlying operating system API, such as file handling functions.
Detailed Description:
A denial of service condition for IBM's Java 2 Runtime Environment
can be triggered when passing a long string to the
java.io.getCanonicalPath() function. Any application which passes
user supplied data to the getCanonicalPath() function is potentially
vulnerable.
When passing a long string to java.io.getCanonicalPath() an access
violation occurs in the Windows NT 4.0 ntdll.dll. This access
violation causes the IBM JVM to core resulting in a Denial of
Service. This seems to be due to a corruption of the
heap.
Vendor Response:
Microsoft contacted by @stake: 05/14/2003
Microsoft reproduced and verified: 06/10/2003
Microsoft has issued a bulletin and a patch. More information
is available at:
http://www.microsoft.com/technet/security/bulletin/MS03-029.asp
Recommendation:
Java developers should identify all occurances and perform data
validation where java.io.getCanonicalPath is used.
NT 4.0 Administrators running servers which use Java servlets
should consider installing the Microsoft supplied patch.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CAN-2003-0525
@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/
@stake Advisory Archive:
http://www.atstake.com/research/advisories/
PGP Key:
http://www.atstake.com/research/pgp_key.asc
Copyright 2003 @stake, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBPx74oUe9kNIfAm4yEQKc6wCghclEcANjGkrPRGENJyoDhKxyBcYAnjbi
UiSnzl1p7SRXf+9j7dbRQ/M4
=10T3
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists