----- Original Message -----
From: "@stake Advisories" <advisories@atstake.com>
To: <bugtraq@securityfocus.com>
Sent: Wednesday, July 23, 2003 1:07 PM
Subject: Windows NT 4.0 with IBM JVM Denial of Service

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> @stake, Inc.
> www.atstake.com
>
> Security Advisory
>
>
> Advisory Name: Windows NT 4.0 with IBM JVM Denial of Service
> Release Date: 07/23/2003
> Application: Any Java application, other applications
>              are possible attack vectors.
> Platform: Java 2 Runtime Environment, Standard Edition
>           (build 1.3.0), Windows NT 4.0
> Severity: Denial of service
> Author: Matthew Miller <mmiller@atstake.com>
>         Jeremy Rauch
> Vendor Status: Microsoft has patch available
> CVE Candidate: CAN-2003-0525
> Reference: www.atstake.com/research/advisories/2003/a072303-1.txt
>
>
> Overview:
>
> A flaw exists in Windows NT 4.0's file name processing. The flaw can
> cause heap corruption to occur when a long string is passed to the
> file name functions. This results in the program calling the NT 4.0
> file name processing functions to crash.
>
> One attack vector identified by @stake is through a Java servlet
> running on the IBM JVM. This class of problem highlights the Java
> platform's dependence on the correctness of the underlying operating
> system for its overall security. Java application developers
> should still bounds check untrusted inputs that are passed to the
> underlying operating system API, such as file handling functions.
>
>
> Detailed Description:
>
> A denial of service condition for IBM's Java 2 Runtime Environment
> can be triggered when passing a long string to the
> java.io.getCanonicalPath() function. Any application which passes
> user supplied data to the getCanonicalPath() function is potentially
> vulnerable.
>
> When passing a long string to java.io.getCanonicalPath() an access
> violation occurs in the Windows NT 4.0 ntdll.dll. This access
> violation causes the IBM JVM to core resulting in a Denial of
> Service. This seems to be due to a corruption of the
> heap.
>
>
> Vendor Response:
>
> Microsoft contacted by @stake: 05/14/2003
> Microsoft reproduced and verified: 06/10/2003
>
> Microsoft has issued a bulletin and a patch. More information
> is available at:
>
> http://www.microsoft.com/technet/security/bulletin/MS03-029.asp
>
>
> Recommendation:
>
> Java developers should identify all occurrences and perform data
> validation where java.io.getCanonicalPath is used.
>
> NT 4.0 Administrators running servers which use Java servlets
> should consider installing the Microsoft supplied patch.
>
>
> Common Vulnerabilities and Exposures (CVE) Information:
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned
> the following names to these issues. These are candidates for
> inclusion in the CVE list (http://cve.mitre.org), which standardizes
> names for security problems.
>
> CAN-2003-0525
>
>
> @stake Vulnerability Reporting Policy:
> http://www.atstake.com/research/policy/
>
> @stake Advisory Archive:
> http://www.atstake.com/research/advisories/
>
> PGP Key:
> http://www.atstake.com/research/pgp_key.asc
>
>
> Copyright 2003 @stake, Inc. All rights reserved.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0
>
> iQA/AwUBPx74oUe9kNIfAm4yEQKc6wCghclEcANjGkrPRGENJyoDhKxyBcYAnjbi
> UiSnzl1p7SRXf+9j7dbRQ/M4
> =10T3
> -----END PGP SIGNATURE-----
>
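The advisory's recommendation (bounds-check untrusted input before it reaches the operating system's file name functions, and validate data wherever getCanonicalPath is used) can be turned into a small wrapper. The example below is added here and is not @stake's, IBM's or Microsoft's code; the method the advisory refers to is java.io.File.getCanonicalPath(). The advisory states no exact trigger length, so the 128-character limit is an assumed application policy value, chosen well below the Win32 MAX_PATH of 260 characters; the class name SafeCanonicalPath, the resolve() method and the sample inputs in main() are all constructed for this example. The wrapper rejects over-long names, path separators and control characters before any OS path function is called, and then confines the canonical result to a base directory.

```java
import java.io.File;
import java.io.IOException;

/**
 * Defensive wrapper around java.io.File.getCanonicalPath() for
 * user-supplied file names. Added example for the @stake advisory
 * above; not code from the advisory, IBM or Microsoft.
 */
public final class SafeCanonicalPath {

    // Assumed policy limit for a single user-supplied file name. The
    // advisory gives no trigger length, so this is a conservative bound
    // well below the Win32 MAX_PATH of 260 characters.
    private static final int MAX_NAME_LENGTH = 128;

    private SafeCanonicalPath() {}

    /**
     * Validates a user-supplied file name and resolves it inside baseDir.
     * Throws IllegalArgumentException before any operating-system path
     * function sees the input; returns the canonical path otherwise.
     */
    public static String resolve(File baseDir, String userName) throws IOException {
        if (userName == null || userName.length() == 0) {
            throw new IllegalArgumentException("empty file name");
        }
        // Length check first: this is the bounds check the advisory asks for,
        // performed before getCanonicalPath() is ever reached.
        if (userName.length() > MAX_NAME_LENGTH) {
            throw new IllegalArgumentException("file name too long: " + userName.length());
        }
        // Keep the name a single path component: no separators, no drive or
        // stream syntax, no control characters (including NUL).
        for (int i = 0; i < userName.length(); i++) {
            char c = userName.charAt(i);
            if (c == '/' || c == '\\' || c == ':' || c < 0x20 || c == 0x7f) {
                throw new IllegalArgumentException("illegal character in file name");
            }
        }
        if (userName.equals(".") || userName.equals("..")) {
            throw new IllegalArgumentException("illegal file name");
        }
        // Only now is the OS path machinery invoked, on validated input.
        String basePath = baseDir.getCanonicalPath();
        String candidate = new File(baseDir, userName).getCanonicalPath();
        // Confine the result to baseDir; canonicalisation can rewrite names
        // (for example to 8.3 short names on Windows), so check the output too.
        if (!candidate.startsWith(basePath + File.separator)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return candidate;
    }

    // Constructed sample inputs: one acceptable name and three that must be
    // rejected before reaching getCanonicalPath().
    public static void main(String[] args) throws IOException {
        File base = new File(System.getProperty("java.io.tmpdir"));
        System.out.println("accepted: " + resolve(base, "report.txt"));

        StringBuilder tooLong = new StringBuilder();
        for (int i = 0; i < MAX_NAME_LENGTH + 1; i++) {
            tooLong.append('x');
        }
        String[] bad = { "../../secret", tooLong.toString(), "a\u0000b" };
        for (String name : bad) {
            try {
                resolve(base, name);
                System.out.println("ACCEPTED (unexpected): " + name);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

In a servlet, call resolve() on the request parameter and map IllegalArgumentException to an HTTP 400 so that malformed names are logged and refused at the application layer rather than handed to ntdll.dll. The length limit is deliberately a fixed application constant rather than a value derived from the platform, so the check behaves the same on a patched and an unpatched host.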