[NT] Macromedia JRUN Buffer Overflow Vulnerability (ISAPI DLL)

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 29 May 2002 19:36:19 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Macromedia JRUN Buffer Overflow Vulnerability (ISAPI DLL)
------------------------------------------------------------------------

SUMMARY

Macromedia's JRun, previously owned by Allaire, is a J2EE server designed
to run on web servers to deliver Java-based online applications. The Win32
version 3.1 contains a remotely exploitable buffer overrun vulnerability
that allows an attacker to gain complete control of the server in
question.

DETAILS

Vulnerable systems:
 * Macromedia JRun version 3.1

When JRun is installed, an ISAPI filter/application is stored in the
/scripts virtual directory. If a request comes into the server for a .JSP
resource, the JRun filter handles the request. Further, if the ISAPI DLL
is accessed directly it acts as an application. By making a request to the
DLL with an overly long Host header field, a saved return address is
overwritten on the stack allowing an attacker to gain control over the
process' execution. As the JRun DLL is loaded into the address space of
the web service process, inetinfo.exe, on both Internet Information Server
4 and 5, any code supplied in an exploit will run in the security context
of the local SYSTEM account.
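
The defensive counterpart to the flaw described above, as an added example (not code from JRun, Macromedia or NGSSoftware): a header parser that checks the Host value's length against the destination buffer before copying a single byte. The names `copy_host` and `HOST_MAX`, the error codes and the sample request path are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 255 /* assumed policy limit, not a value from the advisory */
enum { HOST_OK = 0, HOST_MISSING = -1, HOST_TOO_LONG = -2, HOST_BAD_CHAR = -3 };

static int host_char_ok(unsigned char c) {
    return isalnum(c) || (c != 0 && strchr(".-:[]", c) != NULL);
}

/* Find the Host header in a raw header block and copy its value into
 * out[out_cap]. The length is checked before any byte is written, so an
 * oversized value is rejected instead of spilling past a fixed buffer. */
int copy_host(const char *req, size_t req_len, char *out, size_t out_cap) {
    const char *p = req, *end = req + req_len;
    while (p < end) {
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        if (!eol) eol = end;
        size_t n = (size_t)(eol - p);
        if (n == 0 || (n == 1 && p[0] == '\r')) break; /* end of headers */
        if (n >= 5 && tolower((unsigned char)p[0]) == 'h' &&
            tolower((unsigned char)p[1]) == 'o' &&
            tolower((unsigned char)p[2]) == 's' &&
            tolower((unsigned char)p[3]) == 't' && p[4] == ':') {
            const char *v = p + 5, *ve = eol;
            while (v < ve && (*v == ' ' || *v == '\t')) v++;
            while (ve > v && (ve[-1] == '\r' || ve[-1] == ' ' || ve[-1] == '\t')) ve--;
            size_t len = (size_t)(ve - v);
            if (len == 0) return HOST_MISSING;
            if (len > HOST_MAX || len >= out_cap) return HOST_TOO_LONG;
            for (size_t i = 0; i < len; i++)
                if (!host_char_ok((unsigned char)v[i])) return HOST_BAD_CHAR;
            memcpy(out, v, len);
            out[len] = '\0';
            return HOST_OK;
        }
        p = (eol < end) ? eol + 1 : end;
    }
    return HOST_MISSING;
}

int main(void) {
    /* Constructed sample request; the DLL name is a placeholder. */
    const char ok[] = "GET /scripts/example.dll HTTP/1.1\r\nHost: www.example.com\r\n\r\n";
    char host[64];
    int rc = copy_host(ok, sizeof ok - 1, host, sizeof host);
    printf("rc=%d host=%s\n", rc, rc == HOST_OK ? host : "(rejected)");
    return 0;
}
```

A front end applying this kind of check would refuse the request with an error status whenever the return value is not `HOST_OK`, before the request reaches any handler that uses fixed-size buffers.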

Fix Information:
NGSSoftware alerted Macromedia to this problem at the start of April and
since then JRun version 4 has been released. This version should contain
the fix to prevent this overrun and as such, customers are advised to
upgrade as soon as possible.

ADDITIONAL INFORMATION

The information has been provided by NGSSoftware Insight Security
Research (nisr@nextgenss.com).

========================================


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


