
jrun.txt

Posted May 30, 2002
Authored by David Litchfield | Site ngssoftware.com

Macromedia JRun v3.1 for IIS 4/5 on WinNT 4/Win2K contains a buffer overflow that allows remote code execution as the local system account.

tags | remote, overflow, local, code execution
systems | windows
SHA-256 | 2bd79d12f83316af1256e8abf3f82e65b0e812edc901f4c331319be81254b1ee

NGSSoftware Insight Security Research Advisory

Name: Macromedia JRun 3.1

Systems Affected: IIS 4/5 on WinNT 4/Win2K

Severity: High Risk

Category: Remote System Buffer Overrun

Vendor URL: http://www.macromedia.com

Author: David Litchfield (david@ngssoftware.com)

Advisory URL: http://www.ngssoftware.com/advisories/jrun.txt

Date: 29th May 2002

Advisory number: #NISR29052002



Description
***********

Macromedia's JRun, previously owned by Allaire, is a J2EE Server designed to
run on web servers to deliver Java-based online applications. The Win32
version 3.1 contains a remotely exploitable buffer overrun vulnerability
that allows an attacker to gain complete control of the server in question.



Details
*******

When JRun is installed, an ISAPI filter/application is stored in the
/scripts virtual directory. If a request comes into the server for a .jsp
resource the JRun filter handles the request. Further, if the ISAPI DLL is
accessed directly it acts as an application. By making a request to the DLL
with an overly long Host header field, a saved return address is overwritten
on the stack allowing an attacker to gain control over the process'
execution. As the jrun DLL is loaded into the address space of the web
service process, inetinfo.exe, on both Internet Information Server 4 and 5,
any code supplied in an exploit will run in the security context of the
local SYSTEM account.





Fix Information
***************

NGSSoftware alerted Macromedia to this problem at the start of April and
since then JRun version 4 has been released. This version should contain the
fix to prevent this overrun and as such customers are advised to upgrade as
soon as possible. In the interim, one should consider using a tool such as
Sanctum's AppShield or eEye's SecureIIS that helps prevent such attacks.
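
The kind of request screening such a tool can apply to the Host header described under Details, as an added example that is not part of the original advisory or of any product named in it. The function name, the 259-byte limit (a 253-character DNS name per RFC 1035 plus ":" and a five-digit port), the strict policy of rejecting empty or duplicate Host values, and the sample requests are all assumptions of this example.

```python
import re

# A DNS name is at most 253 characters (RFC 1035); allow ":" plus a 5-digit port.
MAX_HOST_LEN = 253 + 1 + 5
# Hostname or IPv4 address, or a bracketed IPv6 literal, with an optional port.
HOST_RE = re.compile(rb"(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?")


def screen_request(raw: bytes):
    """Return (verdict, reason, path) for one raw HTTP request head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return ("reject", "bad-request-line", None)
    path = parts[1].decode("latin-1")
    hosts = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            hosts.append(value.strip())
    if len(hosts) > 1:
        return ("reject", "host-duplicate", path)
    if not hosts:
        # HTTP/1.1 requires a Host header; HTTP/1.0 clients may omit it.
        missing = parts[2] == b"HTTP/1.1"
        return ("reject", "host-missing", path) if missing else ("allow", "ok", path)
    # Length is checked before syntax so oversized values are never parsed further.
    if len(hosts[0]) > MAX_HOST_LEN:
        return ("reject", "host-too-long", path)
    if not HOST_RE.fullmatch(hosts[0]):
        return ("reject", "host-malformed", path)
    return ("allow", "ok", path)


# Constructed sample requests; the DLL name is a placeholder and the 4096-byte
# value is arbitrary (the advisory gives neither the file name nor a length).
SAMPLES = {
    "normal": b"GET /index.jsp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "long-host": b"GET /scripts/PLACEHOLDER.dll HTTP/1.1\r\nHost: "
                 + b"A" * 4096 + b"\r\n\r\n",
    "odd-bytes": b"GET / HTTP/1.1\r\nHost: a\xffb\r\n\r\n",
    "two-hosts": b"GET / HTTP/1.1\r\nHost: a.example\r\nHost: b.example\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, screen_request(request))
```

Such a check has to run in front of the vulnerable DLL (in a reverse proxy or an earlier filter) to be of any use, and it is an interim control only; the upgrade remains the fix.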

A check for this issue has been added to Typhon II, NGSSoftware's
vulnerability assessment scanner, of which more information is available
from the NGSSite: http://www.ngssoftware.com/.

Further Information
*******************

For further information about the scope and effects of buffer overflows,
please see

http://www.ngssoftware.com/papers/ntbufferoverflow.html

http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf

http://www.ngssoftware.com/papers/unicodebo.pdf

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf

