Export (0) Print
Expand All
This topic has not yet been rated - Rate this topic

Microsoft Security Bulletin MS03-029 - Moderate

Flaw in Windows Function Could Allow Denial of Service (823803)

Published: July 23, 2003 | Updated: May 12, 2004

Version: 2.1

Originally posted: July 23, 2003
Updated: May 12, 2004
Version: 2.1

Summary

Who should read this bulletin:
Systems administrators running Microsoft® Windows® NT 4.0 Server

Impact of vulnerability:
Denial of service

Maximum Severity Rating:
Moderate

Recommendation:
Administrators of Windows NT 4.0 servers should consider applying the security patch.

Affected Software:

  • Microsoft Windows NT 4.0 Workstation
  • Microsoft Windows NT 4.0 Server
  • Microsoft Windows NT 4.0 Terminal Server Edition

Not Affected Software:

  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows Server 2003

End User Bulletin: An end user version of this bulletin is available at:

http://www.microsoft.com/athome/security/update/bulletins/default.mspx.

General Information

Technical description:

Subsequent to the original release of this bulletin Microsoft extended the support of Windows NT Workstation 4.0. A security update is now available from Microsoft Product Support Services for customers running this operating system. Contact Microsoft Product Support Services to obtain this additional security update.

Subsequent to issuing this security bulletin, Microsoft identified a problem with the security patch which specifically affects systems which have the Remote Access Service (RAS) enabled on them. This causes RAS to fail when the system is rebooted after applying the patch. It does not affect other non-RAS functions, nor is there a problem with the actual fix for the security vulnerability itself. Microsoft has developed a fix for this issue and is re-releasing this bulletin to reflect the new updated patch.

A flaw exists in a Windows NT 4.0 file management function that can cause a denial of service vulnerability. The flaw results because the affected function can cause memory that it does not own to be freed when a specially crafted request is passed to it. If the application making the request to the function does not carry out any user input validation and allows the specially crafted request to be passed to the function, the function may free memory that it does not own. As a result, the application passing the request could fail.

By default, the affected function is not accessible remotely, however applications installed on the operating system that are available remotely may make use of the affected function. Application servers or Web servers are two such applications that may access the function. Note that Internet Information Server 4.0 (IIS 4.0) does not, by default, make use of the affected function.

Mitigating factors:

  • The default installation of Windows NT 4.0 is not vulnerable to a remote denial of service. Additional software that makes use of the affected file management function must be installed on the system to expose the vulnerability remotely.
  • If the application calling the affected file management function carries out input validation, the specially crafted request may not be passed to the vulnerable function.
  • The vulnerability cannot be used to cause Windows NT 4.0 itself to fail. Only the application that makes the request may fail.

Severity Rating:

Windows NT 4.0 Workstation Moderate
Windows NT 4.0 Server Moderate
Windows NT 4.0 Terminal Server Edition Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0525

Tested Versions:

Microsoft tested Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Windows 2000, Windows XP and Windows Server 2003 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Why has Microsoft issued new security updates for Windows NT Workstation 4.0?
Subsequent to the original release of this bulletin Microsoft extended the support of Windows NT Workstation 4.0. A security update is now available from Microsoft Product Support Services for customers running this operating system. Contact Microsoft Product Support Services to obtain these additional security updates.

Why has Microsoft reissued this bulletin?
Subsequent to issuing this security bulletin, Microsoft identified a problem with the security patch which specifically affects systems which have the Remote Access Service (RAS) enabled on them. This causes RAS to fail when the system is rebooted after applying the patch. It does not affect other non-RAS functions, nor is there a problem with the actual fix for the security vulnerability itself. Microsoft has developed a fix for this issue and is re-releasing this bulletin to reflect the new updated patch that corrects the RAS problem.

What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who successfully exploited the vulnerability could cause an application running on a Windows NT 4.0 system to fail. By default the vulnerable function cannot be accessed remotely, however, additional software that may have been in installed on the server may make the function accessible remotely.

What causes the vulnerability?
The vulnerability results because of a flaw in the way certain memory operations relating to a Windows function are carried out by Windows NT 4.0.

Which Windows function is vulnerable?
The file management function is vulnerable. Therefore the vulnerability is only exposed by applications that make use of this function.

What's wrong with the way the Windows NT 4.0 file management function carries out memory operations?
There is a flaw in the way a Windows function handles memory operations. If a specially crafted request is made to the affected function, the server may incorrectly free some memory that is not actually owned by the function. This could cause the application making the overly long request to fail.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to cause an application running on Windows NT 4.0 to fail. The application that could fail would be the application that was making use of the affected function and that was allowing the specially crafted request to be passed to the API.

What types of applications might make a request to the vulnerable function?
Typically applications that require information about the file system might make requests to the function. Such applications might include Web servers or application servers. Note that Microsoft Internet Information Server 4.0 (IIS 4.0) does not make use of the function and cannot therefore be used to exploit the vulnerability.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by sending a specially crafted request to the affected function by using another application. If the application making the request does not carry out any user input validation, the affected function may then free memory that it does not own, causing the calling application to fail.

What does the patch do?
The patch eliminates the vulnerability by ensuring that the affected component does not free memory that it does not own.

Download locations for this patch

Additional information about this patch

Installation platforms:

This patch can be installed on systems running Windows NT 4.0 Workstation, Windows NT 4.0 Server Service Pack 6a and Windows NT 4.0 Terminal Server Edition Service Pack 6.

Reboot needed: Yes

Patch can be uninstalled: Yes

Superseded patches: None.

Verifying patch installation:

  • Windows NT 4.0:

    To verify that the patch has been installed on the machine, confirm that all files listed in the file manifest in Knowledge Base article 823803 are present on the system.

  • Windows NT 4.0 Terminal Server Edition:

    To verify that the patch has been installed on the machine, confirm that all files listed in the file manifest in Knowledge Base article 823803 are present on the system.

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site

Other information:

Acknowledgments

Microsoft thanks Matt Miller and Jeremy Rauch of @stake for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article 823803 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (July 23, 2003): Bulletin Created.
  • V1.1 (July 29, 2003): Updated to provide details of problem when patch is installed on systems running RAS Service.
  • V2.0 (August 13, 2003): Updated to reflect the release of updated patches to correct problems on computers running RAS.
  • V2.1 (May 12, 2004): Bulletin updated to inform customers about the availability of a security update for Windows NT Workstation 4.0 Service Pack 6a.

Built at 2014-04-18T13:49:36Z-07:00

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.