CVE-2003-0525
Description
The getCanonicalPath function in Windows NT 4.0 may free memory that it does not own and cause heap corruption, which allows attackers to cause a denial of service (crash) via requests that cause a long file name to be passed to getCanonicalPath, as demonstrated on the IBM JVM using a long string to the java.io.getCanonicalPath Java method.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A flaw in Windows NT 4.0's getCanonicalPath function frees unowned memory, allowing crafted requests to cause a denial of service (crash).
Vulnerability
The vulnerability exists in the getCanonicalPath function on Microsoft Windows NT 4.0 (all editions: Workstation, Server, and Terminal Server Edition). When a specially crafted long file name is passed to this function, it may free memory that it does not own, leading to heap corruption. This issue was demonstrated using the IBM JVM, where passing a long string to the java.io.getCanonicalPath Java method triggers the flaw. No special configuration beyond the default installation is required to reach the vulnerable code path [1].
Exploitation
An attacker does not need authenticated access to the system; the attack can be initiated by any user, or remotely if an application exposed to network requests makes use of this function. The attacker provides a specially crafted request that includes a long file name string to an application that calls getCanonicalPath. Exploitation involves passing a malformed long path, which causes the function to free memory incorrectly and corrupt the heap. No user interaction beyond the initial request is needed [1].
Impact
Successful exploitation results in a denial of service condition, causing the affected application or the system to crash. The impact is limited to availability; it does not allow code execution, privilege escalation, or data disclosure. The crash can occur on Windows NT 4.0 systems running any software that uses the vulnerable function [1].
Mitigation
Microsoft released security bulletin MS03-029 with a patch for Windows NT 4.0. An initial patch had a problem with Remote Access Service (RAS) failing upon reboot; a revised patch was later made available. The fix is available from Microsoft Product Support Services. Windows 2000, Windows XP, and Windows Server 2003 are not affected. No workaround is documented; applying the security update is the recommended mitigation [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:microsoft:windows_nt:4.0:*:enterprise_server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:*:server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp1:enterprise_server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp1:server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp1:terminal_server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp2:enterprise_server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp2:server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp2:terminal_server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp3:enterprise_server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp3:server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp3:terminal_server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp4:enterprise_server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp4:server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp4:terminal_server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp5:enterprise_server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp5:server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp5:terminal_server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:enterprise_server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp6:enterprise_server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp6:server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:sp6:terminal_server:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_nt:4.0:*:terminal_server:*:*:*:*:*
Patches
No patches discovered yet.
References