[NEWS] Macromedia JRun4 mod_jrun Apache Module Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 10/04/04

    To: list@securiteam.com
    Date: 4 Oct 2004 14:05:56 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Macromedia JRun4 mod_jrun Apache Module Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    Macromedia <http://www.macromedia.com/software/jrun/> JRun 4 is an
    application server used for developing and deploying Java applications.
    JRun 4 provides the speed and reliability required to deploy and manage
    your standards-based Internet applications.

    Remote exploitation of a buffer overflow vulnerability in Macromedia's
    JRun 4 mod_jrun Apache module could allow execution of arbitrary code.

    DETAILS

    Vulnerable Systems:
     * JRun 4 SP1a (mod_jrun) on Apache versions 1.3.x and 2.0.x, possibly all
    versions of mod_jrun are vulnerable

    Immune Systems:
     * Patched versions of mod_jrun from Macromedia's cumulative security
    update

    CVE Information:
     CAN-2004-0646
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0646>

    The problem exists in the WriteToLog function of mod_jrun and mod_jrun20,
    where a fixed-size buffer is allocated on the stack.

    No bounds checking is performed on the input. When the Verbose logging
    option is set, this function may be called with user-supplied data. If
    this data is longer than the space which has been allocated, a buffer
    overflow may occur. Specially formed input may allow execution of
    arbitrary commands.

    Impact
    Successful exploitation allows execution of arbitrary code with the
    privileges of the user running the httpd process, typically 'nobody' or
    'apache'. Note: as the Verbose option is not set by default, most installs
    will not be vulnerable. An overly long Content-Type field, among other
    header fields, can be used to trigger this buffer overflow.
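    The following C snippet is an added illustration of the pattern the advisory describes (a fixed-size stack buffer filled with request-derived data, with no length check) next to a bounded form of the same logging step. It is not mod_jrun's code: the function names, the format string, the 128-byte buffer size and the sample header values are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed buffer size for the example; the real mod_jrun size is not
 * stated in the advisory. */
#define LOG_LINE_MAX 128

/* The defect class named in the advisory: a fixed-size stack buffer and a
 * formatting call that is never told how large it is. sprintf writes as many
 * bytes as the format produces, so a header value longer than the buffer
 * runs past its end. Kept here for contrast only; it is never called. */
void write_to_log_unchecked(FILE *log, const char *hdr, const char *val)
{
    char line[LOG_LINE_MAX];
    sprintf(line, "jrun: %s: %s\n", hdr, val);   /* no bound on val */
    fputs(line, log);
}

/* Bounded form: snprintf is given the buffer size, always NUL-terminates,
 * and returns the length the full line would have needed. Comparing that
 * value with the buffer size is the bounds check the original lacked.
 * Returns 0 when the line fit, 1 when it had to be truncated. */
int write_to_log_bounded(FILE *log, const char *hdr, const char *val)
{
    char line[LOG_LINE_MAX];
    int needed = snprintf(line, sizeof line, "jrun: %s: %s\n", hdr, val);
    int truncated = (needed < 0 || (size_t)needed >= sizeof line);
    if (truncated) {
        /* snprintf already cut the line to fit; overwrite the tail with a
         * marker so the log shows that request data was dropped. */
        memcpy(line + sizeof line - 5, "...\n", 5);   /* 4 chars + NUL */
    }
    if (log)
        fputs(line, log);
    return truncated;
}

/* For callers that prefer to reject rather than truncate: returns 1 if the
 * header would not fit a LOG_LINE_MAX-byte line under the format above. */
int header_would_overflow(const char *hdr, const char *val)
{
    /* "jrun: " (6) + hdr + ": " (2) + val + "\n" (1) + NUL (1) */
    size_t needed = 6 + strlen(hdr) + 2 + strlen(val) + 1 + 1;
    return needed > LOG_LINE_MAX;
}

/* Constructed sample: a Content-Type value far longer than the buffer. */
const char *constructed_long_value(void)
{
    static char buf[300];
    memset(buf, 'A', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return buf;
}

int main(void)
{
    int t1 = write_to_log_bounded(stdout, "Content-Type", "text/html");
    printf("short value: truncated=%d\n", t1);
    int t2 = write_to_log_bounded(stdout, "Content-Type", constructed_long_value());
    printf("long value:  truncated=%d\n", t2);
    return 0;
}
```

    The point of the bounded version is that the length of a request header never decides how many bytes are written to the stack; the buffer size does, and the caller learns when data was cut so the condition can be logged or alerted on rather than silently corrupting memory.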

    Workaround
    Setting the Verbose option to "false" in httpd.conf will prevent this
    vulnerability from being exploitable. After editing httpd.conf, restart
    httpd. This will reduce the amount of data logged by the server, but
    will prevent exploitation of this vulnerability.

    Vendor Status:
    MPSB04-08 - Cumulative Security Patch available for JRun server can be
    found at
    <http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html>

    Disclosure Timeline
    06/18/04 iDEFENSE Clients notified
    06/18/04 Initial vendor notification
    06/18/04 Initial vendor response
    09/29/04 Public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by iDEFENSE Security Labs
    <mailto:idlabs-advisories@idefense.com>.
    The original article can be found at:
    <http://www.idefense.com/application/poi/display?id=145&type=vulnerabilities>

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

