SecuriTeam - Macromedia JRun4 mod_jrun Apache Module Buffer Overflow

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

Macromedia JRun 4 is an application server used for developing and deploying Java applications. JRun 4 provides the speed and reliability required to deploy and manage your standards-based Internet applications.

Remote exploitation of a buffer overflow vulnerability in Macromedia's JRun 4 mod_jrun Apache module could allow execution of arbitrary code.

Credit:
The information has been provided by iDEFENSE Security Labs.
The original article can be found at: http://www.idefense.com/application/poi/display?id=145&type=vulnerabilities

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* JRun 4 SP1a (mod_jrun) on Apache versions 1.3.x and 2.0.x, possibly all versions of mod_jrun are vulnerable

Immune Systems:
* Patched versions of mod_jrun from Macromedia's cumulative security update

CVE Information:
CAN-2004-0646

The problem exists in the WriteToLog function of mod_jrun and mod_jrun20, where a fixed size buffer is allocated on the stack.

No bounds checking is performed on the input. When the Verbose logging option is set, this function may be called with user-supplied data. If this data is longer than the space which has been allocated, a buffer overflow may occur. Specially formed input may allow execution of arbitrary commands.

Impact
Successful exploitation allows execution of arbitrary code with the permissions of the user of the httpd process, typically 'nobody' or 'apache'. Note, As the Verbose option is not set by default, most installs will not be vulnerable. An overly long Content-Type field, among other header fields, can be used to trigger this buffer overflow.

Workaround
Setting the Verbose option to "false" in the httpd.conf will prevent this vulnerability from being exploitable. After editing the httpd.conf, restart the httpd. This will reduce the amount of data logged by the server, but will prevent exploitation of this vulnerability.

Vendor Status:
MPSB04-08 - Cumulative Security Patch available for JRun server can be found at http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html

Disclosure Timeline
06/18/04 iDEFENSE Clients notified
06/18/04 Initial vendor notification
06/18/04 Initial vendor response
09/29/04 Public disclosure

	LedgerSMB Multiple Vulnerabilities
	Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability
	Piwik Cookie Unserialize Vulnerability
	Invision Power Board SQL PHP File Inclusion and SQL Injection
	U.S. Defense Information Systems Agency (DISA) Unix Security Readiness Review (SRR) Vulnerability
	DevIL DICOM Buffer Overflow Vulnerability
	Marvell Driver Multiple Information Element Overflows
	HP Data Protector Express and Single Server Edition (SSE) DoS and Code Execution
	HP Color LaserJet Printers Unauthorized Access to Data and DoS
	KDE KDELibs Remote Array Overrun with Arbitrary Code Execution
	Gimp BMP Image Parsing Integer Overflow Vulnerability
	Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation
	WordPress Unrestricted File Upload Arbitrary PHP Code Execution
	Atheros Driver Reserved Frame DoS Vulnerability
	McAfee Security Manager Authentication Bypass and Session Hijacking Vulnerability