COMMAND

Macromedia JRun remote buffer overflow.

SYSTEMS AFFECTED

version 3.1

PROBLEM

In NGSSoftware Insight Security Research Advisory #NISR29052002, David Litchfield reported the following bug:

Macromedia's JRun, previously owned by Allaire, is a J2EE server designed to run on web servers to deliver Java-based online applications. The Win32 version 3.1 contains a remotely exploitable buffer overrun vulnerability that allows an attacker to gain complete control of the server in question.

When JRun is installed, an ISAPI filter/application is stored in the /scripts virtual directory. If a request comes into the server for a .jsp resource, the JRun filter handles the request. Further, if the ISAPI DLL is accessed directly, it acts as an application. By making a request to the DLL with an overly long Host header field, a saved return address is overwritten on the stack, allowing an attacker to gain control over the process's execution. As the JRun DLL is loaded into the address space of the web service process, inetinfo.exe, on both Internet Information Server 4 and 5, any code supplied in an exploit will run in the security context of the local SYSTEM account.

SOLUTION

Upgrade to version 4, or apply the following patch:

http://www.macromedia.com/v1/Handlers/index.cfm?ID=22273&Method=Full
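The advisory attributes the overrun to an overly long Host header field reaching a stack buffer. As an added example (not NGSSoftware's or Macromedia's code), the C below shows a Host-header copy that measures the value before copying and rejects the request when it does not fit; the function names, the 255-byte cap and the sample request are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define HOST_MAX 255 /* assumption: cap at the DNS name length limit */

/* Unsafe pattern of the kind described (hypothetical, not JRun's code):
 *     char host[256];
 *     strcpy(host, value);   -- no length check, so a long Host value
 *                               runs past the buffer into the saved return address
 */

/* Case-insensitive check that s starts with the header name "host:". */
static int is_host_header(const char *s)
{
    const char *name = "host:";
    for (; *name; name++, s++)
        if (tolower((unsigned char)*s) != *name) return 0;
    return 1;
}

/* Copy the Host value from a NUL-terminated raw request into out.
 * Returns the value length, -1 if no Host header, -2 if it is too long. */
int copy_host_header(const char *req, char *out, size_t outsz)
{
    const char *line = strstr(req, "\r\n");          /* end of request line */
    while (line != NULL) {
        line += 2;
        if (*line == '\0' || *line == '\r') break;   /* end of headers */
        if (is_host_header(line)) {
            const char *v = line + 5;
            while (*v == ' ' || *v == '\t') v++;
            size_t n = strcspn(v, "\r\n");           /* measure before copying */
            if (n > HOST_MAX || n >= outsz) return -2;
            memcpy(out, v, n);
            out[n] = '\0';
            return (int)n;
        }
        line = strstr(line, "\r\n");
    }
    return -1;
}

int main(void)
{
    /* Constructed sample request; the DLL name is a placeholder. */
    char host[HOST_MAX + 1];
    const char *req = "GET /scripts/placeholder.dll HTTP/1.1\r\nHost: www.example.com\r\n\r\n";
    return copy_host_header(req, host, sizeof host) == 15 ? 0 : 1;
}
```

A caller treats -2 as grounds to refuse the request before any further processing of the header.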