From labs@FOUNDSTONE.COM Sun Nov 5 17:52:18 2000
From: Foundstone Labs
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Wed, 1 Nov 2000 09:34:22 -0800
Subject: [BUGTRAQ] Allaire's JRUN DoS

Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"

Security Advisory

Allaire's JRUN DoS
----------------------------------------------------------------------
FS Advisory ID:        FS-110100-17-JRUN
Release Date:          November 1, 2000
Product:               JRun 3.0
Vendor:                Allaire Inc. (http://www.allaire.com)
Vendor Advisory:       http://www.allaire.com/security/
Type:                  Denial of Service attack
Severity:              High
Author:                Shreeraj Shah (shreeraj.shah@foundstone.com)
                       Saumil Shah (saumil.shah@foundstone.com)
                       Stuart McClure (stuart.mcclure@foundstone.com)
                       Foundstone, Inc. (http://www.foundstone.com)
Operating Systems:     All operating systems
Vulnerable versions:   JRun 3.0
Foundstone Advisory:   http://www.foundstone.com/cgi-bin/display.cgi?Section_ID=13
----------------------------------------------------------------------

Description

A denial of service vulnerability exists within the Allaire JRun 3.0 web application server which allows an attacker to bring down the JRun application server engine.

Details

JRun 3.0 is a Java application server, supporting Java Server Pages, Java servlets and other Java related technologies. The /servlet URL prefix is mapped as a handler for invoking servlets. Servlets are stored in a hierarchical manner and are accessed via a Java-package-style dotted naming convention, in which each directory level of the servlet's location is separated by a "." instead of a "/". Hence if a servlet called test is stored under com/site/test, it is invoked by the URL:

    http://site.running.jrun/servlet/com.site.test

If a large string of dots is placed after the /servlet/ URL prefix, such as:

    http://site.running.jrun/servlet/................ (hundreds of "."s)

it gets interpreted as a very large tree of non-existent directories when looking for the servlet. This causes the JRun server engine to temporarily consume system resources at a high priority, and brings about a temporary denial of service for the JRun server engine. Other services are not affected. If many such URL requests are made, the JRun server engine (specifically the javaw process) does not recover, and all other JRun-dependent requests are denied.

Proof of concept

From a browser, make the following URL request:

    http://site.running.jrun/servlet/........... (many "."s)

Solution

Follow the recommendations given in Allaire Security Bulletin ASB00-30, available at:

    http://www.allaire.com/security/

Credits

We would also like to thank Allaire Inc. for their prompt reaction to this problem and their co-operation in heightening security awareness in the security community.

Disclaimer

The information contained in this advisory is the copyright (C) 2000 of Foundstone, Inc. and believed to be accurate at the time of printing, but no representation or warranty is given, express or implied, as to its accuracy or completeness. Neither the author nor the publisher accepts any liability whatsoever for any direct, indirect or consequential loss or damage arising in any way from any use of, or reliance placed on, this information for any purpose. This advisory may be redistributed provided that no fee is assigned and that the advisory is not modified in any way.
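The following is an added example, not part of the Foundstone advisory and not Allaire/JRun code. It models the dotted /servlet/ naming convention from the Details section, shows why the proof-of-concept URL of hundreds of dots expands into a deep tree of empty directory names, gives a validator that rejects such names before any lookup is attempted, and runs a check over constructed web-server log lines to flag the requests. JRun's actual lookup code is not on the page, so the naive dot-to-slash split, the MAX_COMPONENTS limit and the sample log lines are all assumptions made here for illustration; the vendor's fix remains the one referenced in ASB00-30.

```python
"""
Added example (not from the Foundstone advisory, not Allaire/JRun code).

Models the /servlet/<dotted.name> mapping described in the advisory,
validates servlet names before lookup, and flags offending requests in
Common Log Format lines. The naive split-on-dot mapping is an ASSUMPTION
about how a server without validation would treat the name.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

SERVLET_PREFIX = "/servlet/"
MAX_COMPONENTS = 16  # assumed sane package depth; tune for your deployment
JAVA_IDENT = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")


def naive_servlet_path(name: str) -> List[str]:
    """Model of the advisory's mapping: 'com.site.test' -> ['com', 'site', 'test'].

    Without validation every '.' is a directory boundary, so a name made of
    N dots yields N+1 empty components, i.e. N+1 nested lookups for
    directories that cannot exist. (Assumed model, not JRun's real code.)
    """
    return name.split(".")


def validate_servlet_name(name: str, max_components: int = MAX_COMPONENTS) -> Tuple[bool, str]:
    """Hardened check to run before any filesystem or classloader lookup.

    Rejects empty names, over-deep names, empty components (consecutive,
    leading or trailing dots) and components that are not Java identifiers.
    """
    if not name:
        return False, "empty name"
    parts = name.split(".")
    if len(parts) > max_components:
        return False, f"too many components ({len(parts)} > {max_components})"
    for part in parts:
        if part == "":
            return False, "empty component (consecutive or leading/trailing dots)"
        if not JAVA_IDENT.match(part):
            return False, f"component {part!r} is not a Java identifier"
    return True, "ok"


# Common Log Format: client ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def suspicious_servlet_requests(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, path, reason) for /servlet/ requests whose name fails validation."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue  # not CLF; ignore rather than guess
        client, _method, target, _status = m.groups()
        path = urlsplit(target).path
        if not path.startswith(SERVLET_PREFIX):
            continue
        name = path[len(SERVLET_PREFIX):]
        ok, reason = validate_servlet_name(name)
        if not ok:
            hits.append((client, path, reason))
    return hits


# Constructed sample log lines for the example; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2000:09:34:22 -0800] "GET /servlet/com.site.test HTTP/1.0" 200 512',
    '10.0.0.9 - - [01/Nov/2000:09:35:01 -0800] "GET /servlet/' + "." * 300 + ' HTTP/1.0" 500 0',
    '10.0.0.9 - - [01/Nov/2000:09:35:02 -0800] "GET /servlet/com..site.test HTTP/1.0" 404 0',
    '10.0.0.7 - - [01/Nov/2000:09:36:00 -0800] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    print("components for 300 dots:", len(naive_servlet_path("." * 300)))
    for hit in suspicious_servlet_requests(SAMPLE_LOG):
        print(hit)
```

The validator is cheap (a single pass over the name) and runs before the expensive part, which is the point: the advisory's resource exhaustion comes from the lookup, so the name must be rejected before the lookup starts. The log check is the reactive counterpart for spotting the same requests in access logs while the vendor fix is being applied.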