Macromedia JRUN Buffer overflow vulnerability
Results 1 to 2 of 2

Thread: Macromedia JRUN Buffer overflow vulnerability

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    742

    Macromedia JRUN Buffer overflow vulnerability

    Source: Bugtraq@securityfocus.com

    NGSSoftware Insight Security Research Advisory

    Name: Macromedia JRun 3.1
    Systems Affected: IIS 4/5 on WinNT 4/Win2K
    Severity: High Risk
    Category: Remote System Buffer Overrun
    Vendor URL: http://www.macromedia.com
    Author: David Litchfield (david@ngssoftware.com)
    Advisory URL: http://www.ngssoftware.com/advisories/jrun.txt
    Date: 29th May 2002
    Advisory number: #NISR29052002



    Description

    ***********

    Macromedia's JRun, previously owned by Allaire, is a J2EE Server designed to
    run on web servers to deliver java based online applications. The Win32
    version 3.1 contains a remotely exploitable buffer overrun vulnerability
    that allows an attacker to gain complete control of the server in question.



    Details

    *******

    When JRun is installed, an ISAPI filter/application is stored in the
    /scripts virtual directory. If a request comes into the server for a .jsp
    resource the JRun filter handles the request. Further, if the ISAPI DLL is
    accessed directly it acts as an application. By making a request to the DLL
    with an overly long Host header field, a saved return address is overwritten
    on the stack allowing an attacker to gain control over the process'
    execution. As the jrun DLL is loaded into the address space of the web
    service process, inetinfo.exe, on both Internet Information Server 4 and 5,
    any code supplied in an exploit will run in the security context of the
    local SYSTEM account.





    Fix Information

    ***************

    NGSSoftware alerted Macromedia to this problem at the start of April and
    since then JRun version 4 has been released. This version should contain the
    fix to prevent this overrun and as such customers are advised to upgrade as
    soon as possible. In the interim, one should consider using a tool such as
    Sanctum's AppSheild or eEye's SecureIIS that help prevent such attacks.

    A check for this issue has been added to Typhon II, NGSSoftware's
    vulnerability assessment scanner, of which more information is available
    from the NGSSite : http://www.ngssoftware.com/.

    Further Information

    *******************

    For further information about the scope and effects of buffer overflows,
    please see

    http://www.ngssoftware.com/papers/ntbufferoverflow.html

    http://www.ngssoftware.com/papers/bu...rflowpaper.rtf

    http://www.ngssoftware.com/papers/unicodebo.pdf

    http://www.ngssoftware.com/papers/no...bo-windows.pdf

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    And hopefully the solution and fix for the buffer overflow .

    Source: bugtraq@securityfocus.com

    I have been asked by Macromedia to point out that the cumulative patch for JRun 3.1
    found at: http://www.macromedia.com/v1/Handler...73&Method=Full
    also addresses the buffer overflow vulnerability discussed in our advisory, number #NISR29052002. Customers not wishing to upgrade to Version 4 should install this patch.

    Thanks,
    David Litchfield
    http://www.ngssoftware.com/

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •