Under certain circumstances, the JRun 3.0 HTTP servlet server may consume excessive server resources when handling deliberately malformed URIs. This behavior may lead to a denial of service condition if the server is flooded with these kinds of requests.
An exploit is included below to help test for this vulnerability.
Credit:
The information has been provided by Allaire Secure, Shreeraj Shah, Saumil Shah and Stuart McClure.
Affected Software Versions:
JRun 3.0 (all editions)
JRun 3.0 SP1 (all editions)
Under certain circumstances, submitting a malformed URI to JRun 3.0 will cause the servlet server to spend excessive resources parsing the URI, which will cause it to lock up for a short time. Sending many of these malformed requests at once could lock up a server for a while.
For instance, if a URI resembling http://localhost/servlet/............ is furnished, a perceptible lag between request and response can be observed. Further manipulation of the URI can yield more extreme results.
Technical Explanation:
JRun 3.0 is a Java application server, supporting JavaServer Pages, Java servlets and other Java-related technologies. The /servlet URL prefix is mapped as a handler for invoking servlets.
Servlets are stored in a hierarchical manner and are accessed via a naming convention of the type:
<dir>.<dir>. ... <dir>.<servlet>
Hence if a servlet called test is stored under com/site/test, it is invoked by the URL:
http://site.running.jrun/servlet/com.site.test
If a large string of dots is placed after the /servlet/ URL prefix, such as:
http://site.running.jrun/servlet/................ (hundreds of "."s)
it will be interpreted as a very large tree of non-existent directories when looking for the servlet. This causes the JRun server engine to temporarily consume system resources at a high priority, and brings about a temporary denial of service for the JRun server engine. Other services are not affected.
If many such URL requests are made, the JRun server engine (specifically the javaw process) does not recover. All other JRun-dependent requests are denied.
Exploit:
From a browser, make the following URL request:
http://site.running.jrun/servlet/........... (many "."s)
Patch:
Allaire has released a patch that should resolve the issue in JRun 3.0. The patch is available for immediate download and application.
JRun 3.0 users can find the patch at the following URIs. Use the patch appropriate to your platform; installation instructions are included:
Windows 95/98/NT/2000 and Windows NT Alpha:
http://download.allaire.com/patches/TrailingDots.ZIP
UNIX/Linux patch - GNU gzip/tar:
http://download.allaire.com/patches/TrailingDots.tgz
It is recommended that you back up your existing data before applying any patch.