Macromedia Fixes JRun/Web Services Vulnerability

Written By
Jim Wagner
May 30, 2002

Macromedia, Inc. security officials plugged up a
potential breach in old versions of its JRun software Thursday, preventing
malicious hackers (a.k.a. crackers) from remotely exploiting a buffer
overflow vulnerability.

JRun 3.0 and JRun 3.1 are the software developer’s flagship Web services
platform for Java 2 Enterprise Edition (J2EE) applications. Companies
running the software on Windows NT4 or Windows 2000 machines using IIS 4/5
are affected.

The vulnerability, discovered by developers in an NGS Software Insight
security research advisory and reported to the CERT Coordination Center, is
considered a high-risk bug giving crackers remote administration of the
company’s entire Web server.

A patch can be found at Macromedia’s download page and is already incorporated in
JRun 4. Macromedia officials said anyone who has applied a security patch
since November 2001 is safe from the vulnerability.

The bug was found when security experts at NGS Software put JRun through a
buffer overflow test, also known as a denial of service (DoS) attack, and
found a weakness in the ISAPI .dll. Crackers who access the ISAPI .dll
directly as an application can swamp the Host header field with too much
information, causing the .dll to overwrite a saved return address with the
excess data and giving them remote access to the entire Web server under the
local SYSTEM account.
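
The length check whose absence makes this class of bug possible, as an added example in C (not Macromedia's or NGS Software's code). The function name `copy_host_header`, the constant `HOST_MAX`, the 256-byte size and the sample request are assumptions; the article gives no details of the .dll's internals.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 256 /* assumed size; the article gives none */

/* Case-insensitive test for a line starting with "host:". */
static int is_host_line(const char *line)
{
    const char *name = "host:";
    for (; *name; name++, line++)
        if (tolower((unsigned char)*line) != *name)
            return 0;
    return 1;
}

/* Copy the Host value into out. Returns its length, -1 if the headers hold
 * no Host line, -2 if the value does not fit. The unsafe pattern is an
 * unchecked strcpy(out, value), which writes past out on an oversized header. */
int copy_host_header(const char *request, char *out, size_t out_size)
{
    const char *line = request;
    while (line && *line && *line != '\r' && *line != '\n') { /* blank line ends headers */
        if (is_host_line(line)) {
            const char *value = line + 5;
            while (*value == ' ' || *value == '\t')
                value++;
            size_t len = strcspn(value, "\r\n");
            if (len >= out_size)
                return -2;          /* reject, never truncate or copy */
            memcpy(out, value, len);
            out[len] = '\0';
            return (int)len;
        }
        line = strchr(line, '\n');  /* next header line */
        if (line)
            line++;
    }
    return -1;
}

int main(void)
{
    /* Constructed request, not captured traffic. */
    char out[HOST_MAX];
    int n = copy_host_header("GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", out, sizeof out);
    printf("%d %s\n", n, n >= 0 ? out : "(rejected)");
    return 0;
}
```

A caller that gets -2 should refuse the request (for example with a 400 response) instead of passing a shortened value on.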

NGS Software reported the vulnerability to Macromedia back in April.

JRun, originally a software application developed by Allaire before
Macromedia took over, has been a relatively bug-free piece of
software. The only other reported vulnerability on the CERT site dates
back to June 2000, with a “cross-site” scripting vulnerability, which has
long since been patched.
