Buffer Overflow in Macromedia's ColdFusion and JRun
A buffer overflow vulnerability exists in Macromedia’s ColdFusion 6.0 and JRun 4.0 that might enable a potential attacker to execute arbitrary code in the SYSTEM context of the vulnerable system.
November 13, 2002
Reported November 12, 2002, by eEye Digital Security.
VERSIONS AFFECTED
Macromedia ColdFusion 6.0 and earlier (with IIS ISAPI)
Macromedia JRun 4.0 and earlier (with IIS ISAPI)
DESCRIPTION
A buffer overflow vulnerability exists in Macromedia's ColdFusion 6.0 and JRun 4.0 that might enable a potential attacker to execute arbitrary code in the SYSTEM context of the vulnerable system. This vulnerability stems from various heap overflows in the IIS ISAPI handlers when handling Uniform Resource Identifier (URI) filenames. By supplying a filename over 4096 bytes in size, an attacker can overwrite heap memory. To gain control of the remote IIS process with SYSTEM-level access, an attacker can overwrite various structures in the process heap. For more details about this vulnerability, see the discoverer's Web site.
DEMONSTRATION
The discoverer posted the following demonstration as proof of concept:
The following requests can be used to duplicate the attack.
For JRun:
telnet example.com 80
GET /[+4096 byte buffer].jsp HTTP/1.0
[enter]
[enter]
For ColdFusion:
telnet example.com 80
GET /[+4096 byte buffer].cfm HTTP/1.0
[enter]
[enter]
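As an added defensive example (not part of the advisory or eEye's proof of concept), the check below flags HTTP request lines whose filename component exceeds the 4096-byte size described above and targets the .cfm or .jsp ISAPI handlers; the threshold is taken from the advisory's description, and the sample request lines are constructed for illustration.

```python
# Added example, not from the advisory: detect oversized URI filenames aimed at
# the ColdFusion (.cfm) and JRun (.jsp) IIS ISAPI handlers.
import re
from urllib.parse import urlsplit, unquote

# Threshold from the advisory: filenames over 4096 bytes overwrite heap memory.
MAX_FILENAME_LEN = 4096
# Extensions handled by the affected ISAPI handlers, per the advisory.
ISAPI_EXTENSIONS = (".cfm", ".jsp")

# Minimal HTTP/1.x request-line grammar: METHOD SP target SP HTTP/x.y
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")


def suspicious_request(line: str) -> bool:
    """True if the request line targets a .cfm/.jsp handler with a filename
    longer than MAX_FILENAME_LEN bytes (the pattern described in the advisory)."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return False  # not a well-formed request line; nothing to judge
    path = urlsplit(m.group("target")).path  # drop any ?query part
    filename = unquote(path).rsplit("/", 1)[-1]  # last path segment only
    if not filename.lower().endswith(ISAPI_EXTENSIONS):
        return False
    # Compare decoded byte length, since percent-encoding shortens nothing on the server side.
    return len(filename.encode("utf-8", "replace")) > MAX_FILENAME_LEN


# Constructed sample traffic (not real captures): one benign request, two that
# match the advisory's pattern, one long filename aimed at a non-ISAPI extension.
SAMPLE_REQUESTS = [
    "GET /index.cfm?id=1 HTTP/1.0",
    "GET /" + "A" * 4200 + ".jsp HTTP/1.0",
    "GET /reports/" + "B" * 4200 + ".CFM HTTP/1.1",
    "GET /" + "C" * 4200 + ".html HTTP/1.0",
]


def scan(lines):
    """Return the 1-based indices of request lines matching the overflow pattern."""
    return [i for i, line in enumerate(lines, 1) if suspicious_request(line)]


if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print(f"line {i}: oversized filename sent to an ISAPI handler")
```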
VENDOR RESPONSE
Macromedia has released patches for both the ColdFusion and JRun products.
ColdFusion MX Advisory:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23161
JRun Advisory:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23500
CREDIT
Discovered by Riley Hassell of eEye Digital Security.