Reported November 12, 2002, by eEye Digital Security.

VERSIONS AFFECTED

  • Macromedia ColdFusion 6.0 and earlier (with IIS ISAPI)

  • Macromedia JRun 4.0 and earlier (with IIS ISAPI)

DESCRIPTION

A buffer overflow vulnerability in Macromedia’s ColdFusion 6.0 and JRun 4.0 could enable a remote attacker to execute arbitrary code in the SYSTEM context on the vulnerable system. The vulnerability stems from heap overflows in the products’ IIS ISAPI handlers when they process Uniform Resource Identifier (URI) filenames. By supplying a filename longer than 4096 bytes, an attacker can overwrite heap memory; by overwriting structures in the process heap, the attacker can gain control of the remote IIS process with SYSTEM-level access. For more details about this vulnerability, see the discoverer’s Web site.
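
As an added detection example (not part of the eEye advisory and not Macromedia code), the following Python script scans IIS W3C extended log lines and flags any request whose percent-decoded filename is longer than the 4096 bytes the advisory cites and is routed to the ColdFusion (.cfm) or JRun (.jsp) ISAPI handler. The log field order, the .cfm/.jsp handler mapping and the sample log lines are constructed assumptions; adjust the FIELDS list to match the #Fields: directive of your own logs.

```python
"""Flag IIS W3C log entries whose URI filename exceeds the 4096-byte limit
described in the advisory for the ColdFusion (.cfm) and JRun (.jsp) ISAPI
handlers.  Added example; not code from eEye Digital Security or Macromedia."""
from urllib.parse import unquote

# Filename length beyond which the advisory says the ISAPI handlers overflow.
FILENAME_LIMIT = 4096

# Extensions mapped to the affected ISAPI handlers (assumption: the default
# ColdFusion MX and JRun 4 mappings; add others if your server maps them).
HANDLER_EXTENSIONS = (".cfm", ".jsp")

# Field order assumed for the sample lines below (constructed; take the real
# order from the #Fields: directive at the top of your log file).
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]


def parse_w3c_line(line):
    """Split one W3C extended log line into a dict; return None for
    directives (#Software:, #Fields:, ...) and malformed lines."""
    line = line.rstrip("\r\n")
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def oversized_handler_request(stem, limit=FILENAME_LIMIT):
    """Return (filename_bytes, extension) when the decoded URI stem names a
    file served by an affected ISAPI handler and the filename part is longer
    than `limit` bytes; otherwise None.

    Percent-decoding first matters: "%41" is three bytes on the wire but a
    single byte to the handler, so the raw stem length would over-count
    encoded requests and miss nothing only by accident.
    """
    path = unquote(stem)
    filename = path.rsplit("/", 1)[-1]
    lowered = filename.lower()
    for ext in HANDLER_EXTENSIONS:
        if lowered.endswith(ext):
            size = len(filename.encode("utf-8"))
            return (size, ext) if size > limit else None
    return None


def scan_log(lines):
    """Return one finding dict per suspicious request in the given log lines."""
    findings = []
    for entry in map(parse_w3c_line, lines):
        if entry is None:
            continue
        hit = oversized_handler_request(entry["cs-uri-stem"])
        if hit is None:
            continue
        size, ext = hit
        findings.append({
            "time": f'{entry["date"]} {entry["time"]}',
            "client": entry["c-ip"],
            "extension": ext,
            "filename_bytes": size,
            "status": entry["sc-status"],
        })
    return findings


# Constructed sample log: a normal request, an overlong .cfm request, an
# overlong .html request (not routed to the affected handlers), a
# percent-encoded overlong .jsp request, and a long .jsp filename that stays
# below the limit.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-11-12 10:00:01 192.0.2.10 GET /index.cfm - 200",
    "2002-11-12 10:00:02 192.0.2.11 GET /" + "A" * 4200 + ".cfm - 500",
    "2002-11-12 10:00:03 192.0.2.12 GET /" + "A" * 4200 + ".html - 404",
    "2002-11-12 10:00:04 192.0.2.13 GET /app/" + "%41" * 4100 + ".jsp - 500",
    "2002-11-12 10:00:05 192.0.2.14 GET /" + "B" * 4000 + ".jsp - 404",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['extension']} "
              f"filename={f['filename_bytes']} bytes status={f['status']}")
```

Run against the constructed sample, the script reports only the two requests from 192.0.2.11 and 192.0.2.13; the .html request is ignored because it never reaches the affected handlers, and the 4000-byte .jsp filename stays under the limit. Because the overflow happens in the ISAPI handler before any application code runs, the sc-status column is only a hint (a crashed worker may log nothing at all), which is why the filter keys on filename length rather than on status.
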
DEMONSTRATION

The discoverer posted the following demonstration as proof of concept:

The following requests can be used to duplicate the attack.

For JRun:

telnet example.com 80

GET /[+4096 byte buffer].jsp HTTP/1.0

[enter]

[enter]

For ColdFusion:

telnet example.com 80

GET /[+4096 byte buffer].cfm HTTP/1.0

[enter]

[enter]

VENDOR RESPONSE

Macromedia has released patches for both the ColdFusion and JRun products.

ColdFusion MX Advisory:

http://www.macromedia.com/v1/handlers/index.cfm?ID=23161

JRun Advisory:

http://www.macromedia.com/v1/handlers/index.cfm?ID=23500

CREDIT

Discovered by Riley Hassell of eEye Digital Security.