The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Macromedia JRun4 mod_jrun Apache Module Buffer Overflow
------------------------------------------------------------------------
SUMMARY
Macromedia <http://www.macromedia.com/software/jrun/> JRun 4 is an
application server used for developing and deploying Java applications.
JRun 4 provides the speed and reliability required to deploy and manage
your standards-based Internet applications.
Remote exploitation of a buffer overflow vulnerability in Macromedia's
JRun 4 mod_jrun Apache module could allow execution of arbitrary code.
DETAILS
Vulnerable Systems:
* JRun 4 SP1a (mod_jrun) on Apache versions 1.3.x and 2.0.x, possibly all
versions of mod_jrun are vulnerable
Immune Systems:
* Patched versions of mod_jrun from Macromedia's cumulative security
update
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0646>
CAN-2004-0646
The problem exists in the WriteToLog function of mod_jrun and mod_jrun20,
where a fixed size buffer is allocated on the stack.
No bounds checking is performed on the input. When the Verbose logging
option is set, this function may be called with user-supplied data. If
this data is longer than the space which has been allocated, a buffer
overflow may occur. Specially formed input may allow execution of
arbitrary commands.
Impact
Successful exploitation allows execution of arbitrary code with the
permissions of the user of the httpd process, typically 'nobody' or
'apache'. Note, As the Verbose option is not set by default, most installs
will not be vulnerable. An overly long Content-Type field, among other
header fields, can be used to trigger this buffer overflow.
Workaround
Setting the Verbose option to "false" in the httpd.conf will prevent this
vulnerability from being exploitable. After editing the httpd.conf,
restart the httpd. This will reduce the amount of data logged by the
server, but will prevent exploitation of this vulnerability.
Vendor Status:
MPSB04-08 - Cumulative Security Patch available for JRun server can be
found at
<http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html>
http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html
Disclosure Timeline
06/18/04 iDEFENSE Clients notified
06/18/04 Initial vendor notification
06/18/04 Initial vendor response
09/29/04 Public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com> iDEFENSE Security Labs.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=145&type=vulnerabilities>
http://www.idefense.com/application/poi/display?id=145&type=vulnerabilities
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
