VYPR
Unrated severity · NVD Advisory · Published Jun 1, 2004 · Updated Apr 16, 2026

CVE-2004-0118

Description

The component for the Virtual DOS Machine (VDM) subsystem in Windows NT 4.0 and Windows 2000 does not properly validate system structures, which allows local users to access protected kernel memory and execute arbitrary code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A local attacker can exploit a null pointer dereference in the VDM subsystem on Windows NT 4.0 and 2000 to execute arbitrary code in kernel mode.

Vulnerability

The component for the Virtual DOS Machine (VDM) subsystem in Windows NT 4.0 and Windows 2000 contains a null pointer dereference vulnerability. This occurs when 16-bit code is executed without first initializing a VDM, leading to invalid memory access in kernel space. Affected versions include Windows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, Windows NT Server 4.0 Terminal Server Edition Service Pack 6, and Windows 2000 Service Pack 2, Service Pack 3, and Service Pack 4 [1][2].

Exploitation

An attacker must have local access to the system and the ability to execute 16-bit code. Exploitation requires no authentication beyond local user privileges. The attacker triggers the vulnerability by running a specially crafted 16-bit application that causes the VDM subsystem to dereference a null pointer, leading to a crash or potential code execution [2]. No specific sequence of steps is publicly documented beyond the need to execute 16-bit code without an initialized VDM.

Impact

Successful exploitation allows a local user to execute arbitrary code in the context of the kernel (Ring 0), effectively gaining complete control over the affected system. This can lead to full compromise of confidentiality, integrity, and availability [1][2]. The attacker can install programs, view, change, or delete data, or create new accounts with full user rights.

Mitigation

Microsoft released security update MS04-011 on April 13, 2004, which addresses the vulnerability for all affected platforms [1]. The update is available for download from the Microsoft Security Response Center. For systems that cannot be patched, no workaround is documented; upgrading to a supported version (e.g., Windows XP or later) is recommended. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

References

10
