Macromedia JRun 3.1

May 29th, 2002

NGSSoftware Insight Security Research Advisory

Name: Macromedia JRun 3.1

Systems Affected: IIS 4/5 on WinNT 4/Win2K

Severity: High Risk

Category: Remote System Buffer Overrun

Vendor URL: http://www.macromedia.com

Author: David Litchfield (david@ngssoftware.com)

Advisory URL: http://www.ngssoftware.com/advisories/jrun.txt

Date: 29th May 2002

Advisory number: #NISR29052002

Description

***********

Macromedia’s JRun, previously owned by Allaire, is a J2EE Server designed to

run on web servers to deliver java based online applications. The Win32

version 3.1 contains a remotely exploitable buffer overrun vulnerability

that allows an attacker to gain complete control of the server in question.

Details

*******

When JRun is installed, an ISAPI filter/application is stored in the

/scripts virtual directory. If a request comes into the server for a .jsp

resource the JRun filter handles the request. Further, if the ISAPI DLL is

accessed directly it acts as an application. By making a request to the DLL

with an overly long Host header field, a saved return address is overwritten

on the stack allowing an attacker to gain control over the process’

execution. As the jrun DLL is loaded into the address space of the web

service process, inetinfo.exe, on both Internet Information Server 4 and 5,

any code supplied in an exploit will run in the security context of the

local SYSTEM account.

Fix Information

***************

NGSSoftware alerted Macromedia to this problem at the start of April and

since then JRun version 4 has been released. This version should contain the

fix to prevent this overrun. Further a security patch has been created to

fix this issue. Please see

http://www.macromedia.com/v1/Handlers/index.cfm?ID=22273&Method=Full

for more details.

Customers are advised to upgrade as soon as possible. In the interim,

one should consider using a tool such as Sanctum’s AppSheild or eEye’s

SecureIIS that help prevent such attacks.

A check for this issue has been added to Typhon II, NGSSoftware’s

vulnerability assessment scanner, of which more information is available

from the NGSSite : http://www.ngssoftware.com/.

Further Information

*******************

For further information about the scope and effects of buffer overflows,

please see

http://www.ngssoftware.com/papers/ntbufferoverflow.html

http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf

http://www.ngssoftware.com/papers/unicodebo.pdf

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf

Section Navigation


Customer Testimonials

Read what some of our satisfied customers are saying about us.

Speaking Events

We regularly present and speak at international security conferences throughout the world.

Informática 2009, Havana

OWASP AppSec Europe 2008

AusCERT 2008

NGS Publications

Web Application Hacker's Handbook

Oracle Hacker's Handbook

Database Hacker's Handbook

The Shellcoder's Handbook

SQL Server Security

Configuring IPCop Firewalls