MS03-029: A flaw in a Windows function might allow a Denial of Service (823803)



The information in this article applies to:

  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server 4.0 Terminal Server Edition

Technical update

  • August 13, 2003: An updated security patch has been released to correct problems on Windows NT Server 4.0-based computers running Remote Access Service (RAS) or Routing and Remote Access Service (RRAS). In the "File Information" section, the file attributes for the updated patch were added.

    For additional information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

    825501 RAS or RRAS does not start when you restart a server that is running Windows NT 4.0

    Note This problem does not affect Windows NT 4.0 Terminal Server Edition.
  • July 23, 2003: In the "Installation Information" section, the registry key to verify that the security patch is installed on your computer was changed from

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows NT\SP6\Q823803

    to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q823803

  • July 23, 2003: In the "File Information" section, the registry key to verify the files that the security patch installed was changed from

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows NT\SP6\Q823803\Filelist

    to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q823803\File 1

SYMPTOMS

A flaw exists in a Windows NT Server 4.0 function that might cause a denial-of-service vulnerability. The flaw occurs because the affected function can cause memory that the function does not own to be freed when some overly long parameters are passed to the function. If the application that makes the request to the function does not carry out any user-input validation and permits the overly long parameters to be passed to the function, the function may free memory that the function does not own. Therefore, the application that passes the request might stop working.

By default, the affected function is not accessible remotely. However, applications that are installed on the operating system that are available remotely might use the affected function. Program servers and Web servers are two such applications that might access the function. Note that by default, Microsoft Internet Information Server (IIS) 4.0 does not use the affected function.

Mitigating factors

  • A default installation of Windows NT Server 4.0 is not vulnerable to a remote denial of service. Additional software must be installed to expose the vulnerability remotely.
  • If the application that calls the affected function carries out input validation, the overly long parameter might not be passed to the vulnerable function.
  • The flaw cannot be used to cause Windows NT Server 4.0 itself to stop working. Only the application that makes the request might stop working.

RESOLUTION

Security patch information

Download information

The following files are available for download from the Microsoft Download Center:


Windows NT Server 4.0

Note If you are running Microsoft Windows NT Workstation 4.0, contact Microsoft Product Support Services to obtain this security update. For information about how to contact Microsoft Product Support Services, visit the following Microsoft Web site:

Windows NT Server 4.0, Terminal Server Edition

Release Date: July 23, 2003

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Prerequisites

This security patch requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 (SP6).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to obtain the latest Windows NT 4.0 service pack

Installation information

This security patch supports the following Setup switches:
  • /y: Perform removal (only with the /m or /q switch).
  • /f: Force programs to be closed during the shutdown process.
  • /n: Do not create an Uninstall folder.
  • /z: Do not restart when the update completes.
  • /q: Use Quiet or Unattended mode with no user interface (this switch is a superset of the /m switch).
  • /m: Use Unattended mode with a user interface.
  • /l: List the installed hotfixes.
  • /x: Extract the files without running Setup.
To verify that the security patch is installed on your computer, confirm that the following registry key exists:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q823803

Deployment information

To install the security patch without any user intervention, use the following command:

Q823803i /q

To install the security patch without forcing the computer to restart, use the following command:

Q823803i /z

Note You can combine these switches in one command line.

For information about how to deploy this security patch with Microsoft Software Update Services, visit the following Microsoft Web site:

Restart requirement

You must restart your computer after you apply this security patch.

Removal information

System administrators can use the Hotfix.exe utility to remove this patch. The Hotfix.exe utility is located in the %Windir%\$NTUninstallQ823803$ folder. The utility supports the following Setup switches:
  • /y: Perform removal (only with the /m or /q switch).
  • /f: Force programs to be closed during the shutdown process.
  • /n: Do not create an Uninstall folder.
  • /z: Do not restart when the installation is complete.
  • /q: Use Quiet or Unattended mode with no user interface (this switch is a superset of the /m switch).
  • /m: Use Unattended mode with a user interface.
  • /l: List the installed hotfixes.

Security patch replacement information

This security patch does not replace any other patches.

File information

The English version of this patch has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows NT Server 4.0 (August 13, 2003 release)

   Date         Time   Version         Size     File name
   ---------------------------------------------------------
   25-Jul-2003  13:00  4.0.1381.7226   379,152  Kernel32.dll

Windows NT Server 4.0 (Original release)

   Date         Time   Version         Size     File name
   ---------------------------------------------------------
   08-Jul-2003  13:40  4.0.1381.7224   379,152  Kernel32.dll

Windows NT Server 4.0, Terminal Server Edition

   Date         Time   Version         Size     File name
   ---------------------------------------------------------
   08-Jul-2003  13:51  4.0.1381.33549  412,944  Kernel32.dll

You can also verify the files that this security patch installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q823803\File 1
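
The following is an added example, not part of the original article and not Microsoft code. It checks inventory rows against the Kernel32.dll versions in the tables above and the presence of the Q823803 hotfix key. The field names, host names and sample rows are constructed, and collecting the values from each computer is assumed to be done separately.

```python
# Added example, not Microsoft code; inventory field names are hypothetical.
# Baselines are the Kernel32.dll versions from the "File information" tables.
BASELINES = {
    "server": (4, 0, 1381, 7224),      # Windows NT Server 4.0, original release
    "server_ras": (4, 0, 1381, 7226),  # August 13, 2003 release (RAS/RRAS fix)
    "tse": (4, 0, 1381, 33549),        # Terminal Server Edition
}

def parse_version(text):
    """Turn '4.0.1381.7226' into a tuple of ints so fields compare numerically."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError("expected four version fields: %r" % text)
    return parts

def assess(host):
    """Classify one inventory row: patched, needs-update, verify, missing, unknown."""
    edition = host.get("edition")
    if edition not in ("server", "tse"):
        return "unknown"  # the article lists no file version for other editions
    try:
        version = parse_version(host["kernel32_version"])
    except (KeyError, ValueError, AttributeError):
        return "unknown"
    if version < BASELINES[edition]:
        return "missing"
    if not host.get("hotfix_key_present"):
        return "verify"  # file is new enough but the Q823803 key was not found
    # Only Server 4.0 hosts running RAS or RRAS need the re-released package.
    if edition == "server" and host.get("runs_ras") and version < BASELINES["server_ras"]:
        return "needs-update"
    return "patched"

def audit(rows):
    return {row["name"]: assess(row) for row in rows}

# Constructed sample inventory (not real hosts).
FIELDS = ("name", "edition", "kernel32_version", "hotfix_key_present", "runs_ras")
INVENTORY = [dict(zip(FIELDS, r)) for r in [
    ("nt4-web01", "server", "4.0.1381.7224", True, False),
    ("nt4-ras01", "server", "4.0.1381.7224", True, True),
    ("nt4-ts01", "tse", "4.0.1381.33549", True, False),
    ("nt4-ts02", "tse", "4.0.1381.7226", False, False),
    ("nt4-ws01", "workstation", "4.0.1381.7224", True, False),
]]

if __name__ == "__main__":
    for name, status in sorted(audit(INVENTORY).items()):
        print(name, status)
```

The version fields are compared as integers because a plain string comparison would rank 4.0.1381.7226 above 4.0.1381.33549.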

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site:

Modification Type: Major
Last Reviewed: 1/31/2006
Keywords: kbHotfixServer kbfix kbBug kbWinNT400PreSP7Fix KbSECVulnerability KbSECBulletin kbSecurity kbQFE KB823803 kbAudITPRO