CVE-2004-0646
CVSS 10.0
Published: 2004-12-23 00:00:00
Revised: 2008-09-05 16:38:59
NMCOPS

[Original] Buffer overflow in the WriteToLog function for JRun 3.0 through 4.0 web server connectors, such as (1) mod_jrun and (2) mod_jrun20 for Apache, with verbose logging enabled, allows remote attackers to execute arbitrary code via a long HTTP header Content-Type field or other fields.


[CNNVD] Macromedia JRun Management Console Session Fixation and Cross-Site Scripting Vulnerability (CNNVD-200412-116)

        
Macromedia JRun is a Java application server developed by Macromedia that provides a fast and reliable J2EE-compatible platform.
The Macromedia JRun 4.0 management console has cross-site scripting and session fixation flaws; a remote attacker can exploit them to obtain sensitive information or gain unauthorized access to the application system.
No detailed vulnerability information is currently available. JRun 3.x is not affected by this issue.
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:macromedia:jrun:4.0  Macromedia JRun 4.0
cpe:/a:macromedia:coldfusion:6.0  Macromedia ColdFusion 6.0
cpe:/a:macromedia:jrun:3.1  Macromedia JRun 3.1
cpe:/a:macromedia:jrun:3.0  Macromedia JRun 3.0
cpe:/a:macromedia:coldfusion:6.1  Macromedia ColdFusion MX 6.1

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0646
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0646
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-116
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/990200
(UNKNOWN)  CERT-VN  VU#990200
http://xforce.iss.net/xforce/xfdb/17485
(VENDOR_ADVISORY)  XF  coldfusion-jrun-verbose-bo(17485)
http://www.securityfocus.com/bid/11245
(VENDOR_ADVISORY)  BID  11245
http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html
(PATCH)  CONFIRM  http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html
http://www.securityfocus.com/archive/1/377194
(UNKNOWN)  BUGTRAQ  20040929 iDEFENSE Security Advisory 09.29.04 - Macromedia JRun 4 mod_jrun Apache Module Buffer Overflow Vulnerability
http://www.macromedia.com/devnet/security/security_zone/mpsb04-09.html
(UNKNOWN)  CONFIRM  http://www.macromedia.com/devnet/security/security_zone/mpsb04-09.html
http://secunia.com/advisories/12647/
(UNKNOWN)  SECUNIA  12647

- Vulnerability information

Macromedia JRun Management Console Session Fixation and Cross-Site Scripting Vulnerability
Critical  Design error
2004-12-23 00:00:00 2005-10-20 00:00:00
Remote
        
Macromedia JRun is a Java application server developed by Macromedia that provides a fast and reliable J2EE-compatible platform.
The Macromedia JRun 4.0 management console has cross-site scripting and session fixation flaws; a remote attacker can exploit them to obtain sensitive information or gain unauthorized access to the application system.
No detailed vulnerability information is currently available. JRun 3.x is not affected by this issue.
        

- Advisories and patches

Vendor patch:
Macromedia
----------
The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's homepage for the latest version:

http://www.macromedia.com/go/jrun_updater

- Vulnerability information (F34536)

iDEFENSE Security Advisory 2004-09-29.t (PacketStormID:F34536)
2004-10-07 00:00:00
iDefense Labs  idefense.com
advisory,remote,overflow,arbitrary
CVE-2004-0646

iDEFENSE Security Advisory 09.29.04 - Remote exploitation of a buffer overflow vulnerability in Macromedia's JRun 4 mod_jrun Apache module could allow execution of arbitrary code.

Macromedia JRun 4 mod_jrun Apache Module Buffer Overflow Vulnerability 

iDEFENSE Security Advisory 09.29.04
www.idefense.com/application/poi/display?id=145&type=vulnerabilities
September 29, 2004

I. BACKGROUND

Macromedia JRun 4 is a full Java 2 Enterprise Edition (J2EE) compatible
application server.

Further details are available at:

   http://www.macromedia.com/software/jrun/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Macromedia's
JRun 4 mod_jrun Apache module could allow execution of arbitrary code.

The problem specifically exists in the WriteToLog function of mod_jrun
and mod_jrun20, where a fixed size buffer is allocated on the stack. No
bounds checking is performed on the input. When the Verbose logging
option is set, this function may be called with user-supplied data. If
this data is longer than the space which has been allocated, a buffer
overflow may occur. Specially formed input may allow execution of
arbitrary commands.

III. ANALYSIS

Successful exploitation allows execution of arbitrary code with the
permissions of the user of the httpd process, typically 'nobody' or
'apache'.

As the Verbose option is not set by default, most installs will not be
vulnerable. An overly long Content-Type field, among other header
fields, can be used to trigger this buffer overflow.

IV. DETECTION

iDEFENSE has confirmed that JRun 4.0 SP1a is vulnerable on Apache httpd
1.3.x and 2.0.x platforms. It is suspected that all versions of mod_jrun
are currently affected.

V. WORKAROUNDS

Setting the Verbose option to "false" in the httpd.conf will prevent
this vulnerability from being exploitable. After editing the httpd.conf,
restart the httpd. This will reduce the amount of data logged by the
server, but will prevent exploitation of this vulnerability.

VI. VENDOR RESPONSE

MPSB04-08 - Cumulative Security Patch available for JRun server
http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0646 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/18/04  iDEFENSE Clients notified
06/18/04  Initial vendor notification
06/18/04  Initial vendor response
09/29/04  Public disclosure

IX. CREDIT

The discoverer wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
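Section II of the iDEFENSE advisory above describes the pattern rather than the code: a fixed-size stack buffer in WriteToLog is filled from a request header whose length nobody checks, and Verbose logging is what turns header values into that input. The following C model is an added example, not mod_jrun's source (the advisory reproduces none); the 256-byte buffer, the function names and the Content-Type sample value are assumptions. It places the unbounded pattern next to a bounded form that keeps the same buffer but lets snprintf enforce the limit and reports truncation, which is the check a connector's log writer needs when it logs attacker-controlled header fields.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed stack buffer size. An assumption for illustration; the advisory
 * gives no figure for mod_jrun's real buffer. */
#define LOG_LINE_MAX 256

/* Vulnerable pattern, as the advisory describes it (not mod_jrun's code):
 * the line is built with sprintf into a stack buffer and nothing bounds
 * strlen(value). A header value longer than the buffer writes past the
 * end of the stack frame. Shown for contrast only; never feed it
 * untrusted input. */
static void write_to_log_unbounded(FILE *log, const char *field, const char *value)
{
    char line[LOG_LINE_MAX];
    sprintf(line, "%s: %s\n", field, value);
    fputs(line, log);
}

/* Hardened form: same buffer, but snprintf never writes more than
 * sizeof line bytes and returns the length the full line would need.
 * Returns true when the line fit, false when it was truncated; *needed
 * (if non-NULL) receives the untruncated length. A NULL log skips output
 * so the function can be probed without writing anywhere. */
static bool write_to_log_bounded(FILE *log, const char *field, const char *value, size_t *needed)
{
    char line[LOG_LINE_MAX];
    int n = snprintf(line, sizeof line, "%s: %s\n", field, value);
    if (n < 0) {
        if (needed) *needed = 0;
        return false;                      /* encoding error: log nothing */
    }
    if (needed) *needed = (size_t)n;
    bool fits = (size_t)n < sizeof line;   /* n + 1 bytes incl. NUL must fit */
    if (!fits) {
        /* snprintf already NUL-terminated at line[sizeof line - 1]; overwrite
         * the tail with a visible marker so a log reader can tell the value
         * was cut rather than silently short. */
        memcpy(line + sizeof line - 5, "...\n", 5);
    }
    if (log) fputs(line, log);
    return fits;
}

/* Probe helper: a Content-Type value of value_len 'A's (a constructed
 * sample, not captured traffic) run through the bounded writer. */
static bool probe(size_t value_len, size_t *needed)
{
    static char value[8192];
    if (value_len >= sizeof value) value_len = sizeof value - 1;
    memset(value, 'A', value_len);
    value[value_len] = '\0';
    return write_to_log_bounded(NULL, "Content-Type", value, needed);
}

/* Does a header value of this length fit the fixed buffer? */
bool log_value_fits(size_t value_len)
{
    size_t needed;
    return probe(value_len, &needed);
}

/* How long would the full log line for a value of this length be? */
size_t log_line_length(size_t value_len)
{
    size_t needed = 0;
    probe(value_len, &needed);
    return needed;
}

int main(void)
{
    write_to_log_unbounded(stdout, "Content-Type", "text/html");   /* short: fine */
    size_t needed;
    bool fit = write_to_log_bounded(stdout, "Content-Type",
                                    "application/x-www-form-urlencoded", &needed);
    printf("fit=%d needed=%zu\n", fit, needed);
    /* a 4000-byte header value is cut to the buffer instead of overrunning it */
    printf("fit=%d needed=%zu\n", log_value_fits(4000), log_line_length(4000));
    return 0;
}
```

The boundary matters: a line of n characters needs n + 1 bytes including the terminator, so with a 256-byte buffer a 241-byte Content-Type value (14 bytes of prefix, 241 of value, one newline) is already too long and is truncated, while 240 still fits. The bounded writer also returns the truncation state so the caller can raise its own log-line size or count truncated requests as a signal that someone is probing the logger.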
    

- Vulnerability information

10546
Macromedia JRun4 mod_jrun Apache Module Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Commercial Vendor Verified

- Vulnerability description

- Timeline

2004-09-29 Unknown
2005-12-10 2004-09-29

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Macromedia has released a patch to address this vulnerability.

- References

- Discoverer

Unknown or Incomplete

- Vulnerability information

Macromedia JRun Multiple Remote Vulnerabilities
Design Error 11245
Yes No
2004-09-24 12:00:00 2009-07-12 07:06:00
iDEFENSE, @Stake, and Acros are credited for the discovery of these vulnerabilities.

- Affected program versions

Macromedia JRun 4.0
- Microsoft IIS 5.1
- Microsoft IIS 5.0
- Microsoft IIS 4.0
Macromedia JRun 3.1
- IBM AIX 4.3
- IBM AIX 4.2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- RedHat Linux 6.1 sparc
- RedHat Linux 6.1 i386
- RedHat Linux 6.1 alpha
- RedHat Linux 6.0 sparc
- RedHat Linux 6.0 alpha
- RedHat Linux 6.0
- SGI IRIX 6.5
- Sun Solaris 8_sparc
- Sun Solaris 7.0
Macromedia JRun 3.0
- IBM AIX 4.3
- IBM AIX 4.2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- RedHat Linux 6.1 sparc
- RedHat Linux 6.1 i386
- RedHat Linux 6.1 alpha
- RedHat Linux 6.0 sparc
- RedHat Linux 6.0
- SGI IRIX 6.5
- Sun Solaris 7.0
- Sun Solaris 2.6
Macromedia ColdFusion MX J2EE 6.1
Macromedia ColdFusion MX 6.1
Macromedia ColdFusion MX 6.0
Hitachi Cosminexus Server Web Edition 01-02 (*2)
Hitachi Cosminexus Server Web Edition 01-01 (*1)
Hitachi Cosminexus Enterprise Standard Edition 01-02 (*2)
Hitachi Cosminexus Enterprise Standard Edition 01-01 (*1)
Hitachi Cosminexus Enterprise Enterprise Edition 01-02 (*2)
Hitachi Cosminexus Enterprise Enterprise Edition 01-01 (*1)

- Vulnerability discussion

Multiple vulnerabilities are reported in Macromedia JRun.

The first vulnerability is reported to exist in an insecure implementation of a session variable, 'JSESSIONID'. This vulnerability allows remote attackers to bypass authentication checks, and may possibly allow them to gain administrative access to the web application.

The second issue is a source code disclosure vulnerability. This vulnerability allows attackers to retrieve the contents of potentially sensitive script files. This may aid them in further attacks.

The third issue is a buffer overflow vulnerability allowing remote attackers to reportedly crash affected servers.

Versions 3.0, 3.1, and 4.0 are reportedly affected by these vulnerabilities.

- Exploit

Currently we are not aware of any exploits for the buffer overflow issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

The other vulnerabilities do not require an exploit.

- Solution

The vendor has released advisories for affected products along with fixes to address these issues. Please see the referenced advisories for further information.

Hitachi has released a security advisory (HS04-008) dealing with this issue for their Cosminexus Web Contents Generator. They have advised that users disable the 'verbose' setting of the affected JRun implementation, or that they apply the Macromedia patch. Please see the referenced web advisory for more information.


Macromedia JRun 3.0

Macromedia JRun 3.1

Macromedia ColdFusion MX 6.0

Macromedia ColdFusion MX J2EE 6.1

Macromedia ColdFusion MX 6.1

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's related websites.