|
|
|
|
| |
"Macromedia JRun 4 is an application server used for developing and deploying Java based applications."
Remote exploitation of a buffer overflow vulnerability in Macromedia JRun 4 allows attackers to execute arbitrary code or cause a denial of service condition. |
| |
Credit:
The information has been provided by iDEFENSE Labs .
The original article can be found at: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=360
The vendor advisory can be found at: http://www.macromedia.com/devnet/security/security_zone/mpsb05-13.html
|
| |
Vulnerable Systems:
* Macromedia JRun 4 prior to Updater 5
Immune Systems:
* Macromedia Run 4 Updater 5
* Macromedia Run 4 Updater 6
The vulnerability exists within the JRun web server, specifically in the handling of long request strings. In certain configurations, when a long (approximately 64k) URL is supplied, a stack-based overflow occurs potentially allowing the execution of arbitrary code. In testing performed it was possible to overwrite the saved return address on the stack with remotely supplied values (converted into 'wide characters' by the server).
Successful exploitation allow remote attackers to execute arbitrary code with Local System privileges. The supplied JRun web server must be active for the attack vector to exist. It is not recommended to use the JRun web server component in production systems, as the installer mentions that it should be used for development only.
As the service restarts after each crash, it is possible to make multiple attempts to exploit this issue, and each time restart from a 'clean' state.
Although this vulnerability allows a stack overwrite, it may be more difficult to exploit due the input string being converted into a 'wide character' version of the str input, by placing a null byte between each character. While this does not necessarily prevent exploitation, it does increase the complexity of developing an exploit.
Exploitation of this vulnerability may allow a remote attackers to execute code on the affected system as Local System, allowing complete compromise, or cause a denial of service against the affected system, preventing legitimate use.
Workaround:
The JRun documentation suggests that the JRun Web Server should not be used in a production environment. In a development environment, the JRun server should not accept connections from outside of the development network.
Disclosure Timeline:
08/25/2004 - Initial vendor notification
08/31/2004 - Initial vendor response
12/21/2005 - Public disclosure
|
|
|
|
|
|
|
|
|
|
