US-CERT Vulnerability Notes Database
Vulnerability Note VU#703835

Macromedia JRun ISAPI DLL filter vulnerable to buffer overflow via request for long Host header field

Overview

A remotely exploitable buffer overflow exists in Macromedia's JRun version 3.1 on Win32 platforms.

I. Description

A remotely exploitable buffer overflow exists in the Win32 version of Macromedia's JRun version 3.1.

JRun is an application server that works with most popular web servers such as Apache and IIS. Macromedia states that JRun is deployed at over 10,000 organizations worldwide.

As reported in the Next Generation Security Software Advisory (#NISR29052002), a remotely exploitable buffer overflow exists in the ISAPI filter/application. Specifically, the buffer overflow exists in the portion of code that handles the host header field. If an attacker sends a specially crafted request to the application server, he can overwrite a return address on the stack. Because the vulnerable DLL is running in the address space of the web server process (at least on IIS 4 & 5), code submitted by the attacker will be run with SYSTEM privileges.
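The advisory identifies the Host header as the field whose length is not bounded. One defensive check a reverse proxy or log-inspection tool can apply is to reject or flag requests whose Host value exceeds a sane length before they reach the application server. The following is an added example, not code from the advisory or from JRun; the 259-character limit is an assumed policy value (the advisory does not state the vulnerable buffer size), and the sample requests are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy limit (the advisory gives no buffer size): a DNS hostname is at
# most 253 characters, plus ":" and a five-digit port.
MAX_HOST_LEN = 259


@dataclass
class HostCheck:
    host: Optional[bytes]   # longest Host value seen, or None if absent
    length: int             # its length in bytes
    oversized: bool         # True when length exceeds the policy limit
    count: int              # number of Host headers (more than one is also suspect)


def _header_values(head: bytes, name: bytes) -> list[bytes]:
    """Return all values of the named header (case-insensitive) from a request head."""
    values = []
    for line in head.replace(b"\r\n", b"\n").split(b"\n")[1:]:  # skip the request line
        sep = line.find(b":")
        if sep > 0 and line[:sep].strip().lower() == name:
            values.append(line[sep + 1:].strip())
    return values


def check_host_header(raw_request: bytes, max_len: int = MAX_HOST_LEN) -> HostCheck:
    """Inspect the Host header(s) of a raw HTTP request.

    Flags an oversized value (the condition the advisory describes) and reports
    duplicate Host headers, which a front-end proxy should likewise reject.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    values = _header_values(head, b"host")
    if not values:
        return HostCheck(None, 0, False, 0)
    longest = max(values, key=len)
    return HostCheck(longest, len(longest), len(longest) > max_len, len(values))


# Constructed sample requests (not captured traffic).
NORMAL = b"GET /index.jsp HTTP/1.1\r\nHost: www.example.com:8100\r\nUser-Agent: x\r\n\r\n"
OVERSIZED = b"GET /index.jsp HTTP/1.1\r\nHOST: " + b"A" * 2000 + b"\r\n\r\n"

if __name__ == "__main__":
    for req in (NORMAL, OVERSIZED):
        print(check_host_header(req))
```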

II. Impact

A remote attacker can execute arbitrary code on the vulnerable target with SYSTEM privileges.

III. Solution

Apply the patch from Macromedia Inc. or upgrade to JRun 4.

None.

Systems Affected

Vendor: Macromedia Inc.
Status: Vulnerable
Date Notified / Date Updated: 29-May-2002

References

http://www.macromedia.com/v1/handlers/index.cfm?ID=23164
http://www.ngssoftware.com/advisories/jrun.txt
http://www.macromedia.com/software/jrun/
http://www.macromedia.com
http://www.securityfocus.com/bid/4873

Credit

This vulnerability was discovered by David Litchfield of Next Generation Security Software.

This document was written by Ian A. Finlay.

Other Information

Date Public: 2002-05-29
Date First Published: 2002-05-29
Date Last Updated: 2003-04-09
CERT Advisory: 
CVE-ID(s): CAN-2002-0801
NVD-ID(s): CAN-2002-0801
US-CERT Technical Alerts: 
Metric: 54.00
Document Revision: 53

If you have feedback, comments, or additional information about this vulnerability, please send us email.
Copyright 2002 Carnegie Mellon University