From nisr@nextgenss.com Wed May 29 10:38:54 2002
From: NGSSoftware Insight Security Research
To: Bugtraq@securityfocus.com
Date: Wed, 29 May 2002 06:33:23 +0100
Subject: Macromedia JRUN Buffer overflow vulnerability (#NISR29052002)

NGSSoftware Insight Security Research Advisory

Name: Macromedia JRun 3.1
Systems Affected: IIS 4/5 on WinNT 4/Win2K
Severity: High Risk
Category: Remote System Buffer Overrun
Vendor URL: http://www.macromedia.com
Author: David Litchfield (david@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/jrun.txt
Date: 29th May 2002
Advisory number: #NISR29052002

Description
***********

Macromedia's JRun, previously owned by Allaire, is a J2EE server designed to run on web servers to deliver Java-based online applications. The Win32 version 3.1 contains a remotely exploitable buffer overrun vulnerability that allows an attacker to gain complete control of the server in question.

Details
*******

When JRun is installed, an ISAPI filter/application is stored in the /scripts virtual directory. If a request comes into the server for a .jsp resource, the JRun filter handles the request. Further, if the ISAPI DLL is accessed directly, it acts as an application. By making a request to the DLL with an overly long Host header field, a saved return address is overwritten on the stack, allowing an attacker to gain control over the process's execution. As the JRun DLL is loaded into the address space of the web service process, inetinfo.exe, on both Internet Information Server 4 and 5, any code supplied in an exploit will run in the security context of the local SYSTEM account.

Fix Information
***************

NGSSoftware alerted Macromedia to this problem at the start of April, and since then JRun version 4 has been released. This version should contain the fix to prevent this overrun, and as such customers are advised to upgrade as soon as possible. In the interim, one should consider using a tool such as Sanctum's AppShield or eEye's SecureIIS, which help prevent such attacks.

A check for this issue has been added to Typhon II, NGSSoftware's vulnerability assessment scanner, of which more information is available from the NGSSite: http://www.ngssoftware.com/.

Further Information
*******************

For further information about the scope and effects of buffer overflows, please see:

http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
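The interim mitigation the advisory points at (an HTTP-level guard such as AppShield or SecureIIS sitting in front of IIS) comes down to bounding header sizes before a request reaches an ISAPI DLL. The following is an added example, not code from the advisory or from either product: a minimal request filter that parses a raw HTTP/1.x request, rejects malformed requests, and refuses any request whose Host header exceeds a fixed ceiling. The ceilings, the Verdict type and the sample requests are constructed for illustration and are not values from the advisory.

```python
"""Minimal HTTP request guard (added example; not part of the NGSSoftware advisory).

Rejects requests whose Host header is longer than a sane DNS name could
ever be, so an oversized Host field never reaches an ISAPI filter such as
JRun's. Thresholds below are assumed policy values, not advisory data.
"""
from dataclasses import dataclass

MAX_HOST_LEN = 255        # assumed: DNS names are at most 253 octets, plus ":port" slack
MAX_HEADER_LINE = 8192    # assumed: generic per-line ceiling for any header


@dataclass
class Verdict:
    allowed: bool
    reason: str


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, headers).

    Header names are lower-cased; values are stripped. Raises ValueError on
    anything that does not look like a well-formed request.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not lines[0]:
        raise ValueError("empty request line")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        if not line:
            continue  # tolerate a trailing CRLF with no blank-line terminator
        if len(line) > MAX_HEADER_LINE:
            raise ValueError("header line too long")
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return method.decode("latin-1"), target.decode("latin-1"), headers


def check_request(raw: bytes) -> Verdict:
    """Decide whether a raw request may be forwarded to the web server."""
    try:
        _method, _target, headers = parse_request(raw)
    except ValueError as exc:
        return Verdict(False, f"malformed: {exc}")
    host = headers.get("host", "")
    if len(host) > MAX_HOST_LEN:
        # This is the condition the advisory describes: an overly long Host
        # header is dropped here instead of being handed to the ISAPI DLL.
        return Verdict(False, f"Host header too long ({len(host)} bytes)")
    return Verdict(True, "ok")


# Constructed sample traffic: an ordinary .jsp request, an HTTP/1.0 request
# with no Host header at all, and a request whose Host field is far beyond
# any legitimate length.
NORMAL = b"GET /index.jsp HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
NO_HOST = b"GET /index.jsp HTTP/1.0\r\n\r\n"
OVERSIZED = b"GET /scripts/ HTTP/1.1\r\nHost: " + b"A" * 2000 + b"\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("no-host", NO_HOST), ("oversized", OVERSIZED)):
        v = check_request(req)
        print(f"{label:10s} allowed={v.allowed} reason={v.reason}")
```

The guard deliberately fails closed on anything it cannot parse, and it checks the decoded header length rather than the raw line length, so a long Host value cannot hide behind leading whitespace. A real deployment would log the blocked request's source and target for the incident responder rather than only returning a verdict.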