Home page logo
/

bugtraq logo Bugtraq mailing list archives

Allaire's JRUN DoS
From: Foundstone Labs <labs () FOUNDSTONE COM>
Date: Wed, 1 Nov 2000 09:34:22 -0800

                            Foundstone, Inc.
                        http://www.foundstone.com
                      "Securing the Dot Com World"

                           Security Advisory

                           Allaire's JRUN DoS

----------------------------------------------------------------------
FS Advisory ID:         FS-110100-17-JRUN

Release Date:           November 1, 2000

Product:                JRun 3.0

Vendor:                 Allaire Inc. (http://www.allaire.com)

Vendor Advisory:        http://www.allaire.com/security/

Type:                   Denial of Service attack

Severity:               High

Author:                 Shreeraj Shah (shreeraj.shah () foundstone com)
                        Saumil Shah (saumil.shah () foundstone com)
                        Stuart McClure (stuart.mcclure () foundstone com)
                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      All operating systems

Vulnerable versions:    JRun 3.0

Foundstone Advisory:
http://www.foundstone.com/cgi-bin/display.cgi?Section_ID=13
----------------------------------------------------------------------


Description

        A denial of service vulnerability exists within the Allaire
        JRun 3.0 web application server which allows an attacker to
        bring down the JRun application server engine.

Details

        JRun3.0 is a Java application server, supporting Java Server
        Pages, Java servlets and other Java related technologies. The
        /servlet URL prefix is mapped as a handler for invoking
        servlets.

        Servlets are stored in a hierarchical manner and are accessed
        via a naming convention of the type:

           <dir>.<dir>. ... <dir>.<servlet>

        Hence if a servlet called test is stored under com/site/test,
        it is invoked by the URL:

           http://site.running.jrun/servlet/com.site.test

        If a large string of dots is placed after the /servlet/ URL
        prefix, such as:

           http://site.running.jrun/servlet/................
           (hundreds of "."s)

        it gets interpreted as a very large tree of non-existent
        directories when looking for the servlet. This causes the
        JRun server engine to temporarily consume system resources at
        a high priority, and brings about a temporary denial of
        services for the JRun server engine. Other services do not
        get affected.

        If many such URL requests are made, the JRun server engine
        (specifically the javaw process) does not recover. All
        other JRun dependent requests get denied.

Proof of concept

        From a browser, make the following URL request:

        http://site.running.jrun/servlet/........... (many "."s)

Solution

        Follow the recommendations given in Allaire Security Bulletin
        ASB00-30, available at: http://www.allaire.com/security/

Credits

        We would also like to thank Allaire Inc. for their prompt
        reaction to this problem and their co-operation in heightening
        security awareness in the security community.

Disclaimer

        The information contained in this advisory is the copyright (C)
        2000 of Foundstone, Inc. and believed to be accurate at the time
        of printing, but no representation or warranty is given, express
        or implied, as to its accuracy or completeness. Neither the
        author nor the publisher accepts any liability whatsoever for
        any direct, indirect or conquential loss or damage arising in
        any way from any use of, or reliance placed on, this information
        for any purpose. This advisory may be redistributed provided that
        no fee is assigned and that the advisory is not modified in any
        way.


  By Date           By Thread  

Current thread:
  • Allaire's JRUN DoS Foundstone Labs (Nov 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault