Date:         Wed, 1 Nov 2000 09:34:22 -0800
From: Foundstone Labs <labs@FOUNDSTONE.COM>
Subject:      Allaire's JRUN DoS
To: BUGTRAQ@SECURITYFOCUS.COM

                            Foundstone, Inc.
                        http://www.foundstone.com
                      "Securing the Dot Com World"

                           Security Advisory

                           Allaire's JRUN DoS

----------------------------------------------------------------------
FS Advisory ID:         FS-110100-17-JRUN

Release Date:           November 1, 2000

Product:                JRun 3.0

Vendor:                 Allaire Inc. (http://www.allaire.com)

Vendor Advisory:        http://www.allaire.com/security/

Type:                   Denial of Service attack

Severity:               High

Author:                 Shreeraj Shah (shreeraj.shah@foundstone.com)
                        Saumil Shah (saumil.shah@foundstone.com)
                        Stuart McClure (stuart.mcclure@foundstone.com)
                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      All operating systems

Vulnerable versions:    JRun 3.0

Foundstone Advisory:
http://www.foundstone.com/cgi-bin/display.cgi?Section_ID=13
----------------------------------------------------------------------


Description

        A denial of service vulnerability exists within the Allaire
        JRun 3.0 web application server which allows an attacker to
        bring down the JRun application server engine.

Details

        JRun 3.0 is a Java application server, supporting Java Server
        Pages, Java servlets and other Java-related technologies. The
        /servlet URL prefix is mapped as a handler for invoking
        servlets.

        Servlets are stored in a hierarchical manner and are accessed
        via a naming convention of the type:

           <dir>.<dir>. ... <dir>.<servlet>

        Hence if a servlet called test is stored under com/site/test,
        it is invoked by the URL:

           http://site.running.jrun/servlet/com.site.test

        If a large string of dots is placed after the /servlet/ URL
        prefix, such as:

           http://site.running.jrun/servlet/................
           (hundreds of "."s)

        it gets interpreted as a very large tree of non-existent
        directories when looking for the servlet. This causes the
        JRun server engine to temporarily consume system resources at
        a high priority, and brings about a temporary denial of
        service for the JRun server engine. Other services are not
        affected.

        If many such URL requests are made, the JRun server engine
        (specifically the javaw process) does not recover, and all
        other JRun-dependent requests are denied.
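        A defensive illustration, added here and not part of Foundstone's
        advisory: a Python check that rejects /servlet/ names whose dotted
        components are empty or nested too deeply before any lookup of the
        kind described above, run over constructed access-log lines to flag
        clients that repeatedly send such requests. The identifier grammar,
        the depth limit, the path-info handling and the log format are
        assumptions, not details from the advisory.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: each dotted component of a servlet name is a Java identifier.
_COMPONENT = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")
MAX_DEPTH = 16  # assumed limit on package nesting; tune per deployment

def classify_servlet_path(path):
    """Return (ok, reason) for a request path; only /servlet/ paths are checked."""
    if not path.startswith("/servlet/"):
        return True, "not a servlet request"
    # Assumption: anything after the first '/' following the name is path info.
    name = path[len("/servlet/"):].split("/", 1)[0]
    components = name.split(".")
    # A run of dots yields empty components: reject before the server walks them.
    if any(not _COMPONENT.match(c) for c in components):
        return False, "empty or malformed component"
    if len(components) > MAX_DEPTH:
        return False, "too many components"
    return True, "ok"

# Common Log Format: client, ident, user, [time], "METHOD target PROTO" ...
_CLF = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*"')

def flag_clients(log_text, threshold=2):
    """Count rejected /servlet/ requests per client; return those at or above threshold."""
    hits = Counter()
    for line in log_text.splitlines():
        m = _CLF.match(line)
        if not m:
            continue  # skip lines that are not CLF entries
        ok, _ = classify_servlet_path(urlsplit(m.group("target")).path)
        if not ok:
            hits[m.group("client")] += 1
    return {client: n for client, n in hits.items() if n >= threshold}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2000:09:34:22 -0800] "GET /servlet/com.site.test HTTP/1.0" 200 512
10.0.0.9 - - [01/Nov/2000:09:34:23 -0800] "GET /servlet/........................ HTTP/1.0" 500 0
10.0.0.9 - - [01/Nov/2000:09:34:23 -0800] "GET /servlet/........................ HTTP/1.0" 500 0
10.0.0.9 - - [01/Nov/2000:09:34:24 -0800] "GET /servlet/a..b HTTP/1.0" 500 0
10.0.0.5 - - [01/Nov/2000:09:34:25 -0800] "GET /index.html HTTP/1.0" 200 1024
"""

if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))
```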

Proof of concept

        From a browser, make the following URL request:

        http://site.running.jrun/servlet/........... (many "."s)

Solution

        Follow the recommendations given in Allaire Security Bulletin
        ASB00-30, available at: http://www.allaire.com/security/

Credits

        We would also like to thank Allaire Inc. for their prompt
        reaction to this problem and their co-operation in heightening
        security awareness in the security community.

Disclaimer

        The information contained in this advisory is the copyright (C)
        2000 of Foundstone, Inc. and believed to be accurate at the time
        of printing, but no representation or warranty is given, express
        or implied, as to its accuracy or completeness. Neither the
        author nor the publisher accepts any liability whatsoever for
        any direct, indirect or consequential loss or damage arising in
        any way from any use of, or reliance placed on, this information
        for any purpose. This advisory may be redistributed provided that
        no fee is assigned and that the advisory is not modified in any
        way.