LinuxQuestions.org
Old 06-14-2010, 01:47 AM   #1
romeo_tango
Member
 
Registered: Nov 2006
Distribution: Mint
Posts: 148

Rep: Reputation: 15
Adobe Jrun Issue - Solaris 10


Hi,

I have a server running SPARC 64 bit and Solaris 10. One of my client's security team found this issue:

Code:
HTTP_JRun_Double_Slash
Description :

Macromedia JRun could allow a remote attacker to bypass authentication and gain access to the Web administration interface. A remote attacker could send a specially-crafted URL request to the Web Administration interface appended with an extra forward-slash character to bypass authentication and gain unauthorized access to administrative functions

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Macromedia Product Security Bulletin MPSB02-06. See References.
I don't understand what that means. Does it mean I should patch the JRun on my Solaris box? I looked for jrun on my servers and found no 'jrun' to be patched.

Did I misunderstand something here?

Please help.
Thanks.
 
Old 06-15-2010, 12:42 AM   #2
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Debian/WSL
Posts: 9,789

Rep: Reputation: 492
Ouch, it's an eight-year-old security patch ...

Everything you want to know is probably written here:

http://www.adobe.com/devnet/security...mpsb02-06.html

You should also make sure there are no newer security patches that might apply.
 
Old 06-15-2010, 11:31 PM   #3
romeo_tango
Member
 
Registered: Nov 2006
Distribution: Mint
Posts: 148

Original Poster
Rep: Reputation: 15
Hi Sir,

Yes, it is a very old one that none of my friends know about. The problem for me is that we don't use JRun on our server at all. What should I patch if there is no JRun on the server?

When I checked the suspected hacking attempt URLs, they were like these lines:

Code:
http://www.[mywebsite].com//www.[mywebsite].comhttp//www.[mywebsite].comhttp//imcservices.adultfriendfinder.com/p/imc/imc_data.cgi
http://www.[mywebsite].com//www.[mywebsite].comhttp//imcservices.adultfriendfinder.com/p/imc/imc_data.cgi
http://www.[mywebsite].com//imcservices.adultfriendfinder.com/p/imc/imc_data.cgi

Note: replace mywebsite with a valid URL, of course.
My analysis is that the user's workstation was infected by some kind of trojan or virus, so that he accessed those [mywebsite] URLs constantly at 5-minute intervals. Is that possible?

If that's the case then perhaps the firewall alert was only a false alarm, because I really don't see any hacking attempt in the URLs.
 
Old 06-16-2010, 01:05 AM   #4
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Debian/WSL
Posts: 9,789

Rep: Reputation: 492
How do you assert no JRun is installed on this server?
 
Old 06-16-2010, 01:23 AM   #5
romeo_tango
Member
 
Registered: Nov 2006
Distribution: Mint
Posts: 148

Original Poster
Rep: Reputation: 15
Code:
# ps -aelf | grep jrun
 0 S     root 18838 18823   0  67 20        ?    153        ? 13:18:45 pts/2       0:00 grep jrun
# ps -aelf | grep JRun
 0 R     root 18840 18823   0  87 20        ?     28          13:18:47 pts/2       0:00 grep JRun
# find / -name \*jrun*
# ls -alh /usr/local/apache2/modules/ | grep jrun
I ensured that there was no jrun in the system with the above commands. Did I miss something?

Thanks.
 
Old 06-16-2010, 06:55 AM   #6
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Debian/WSL
Posts: 9,789

Rep: Reputation: 492
I would have used that command:
Code:
find / -name "*[Jj][Rr][Uu][Nn]*"
 
Old 06-16-2010, 09:16 PM   #7
romeo_tango
Member
 
Registered: Nov 2006
Distribution: Mint
Posts: 148

Original Poster
Rep: Reputation: 15
Ah, I actually already did something like that, trying to find JRUN, JRun, Jrun, jrun, all of the possibilities, but the result is none.

So this means there is no jrun in the system, right?
 
Old 06-17-2010, 01:05 AM   #8
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Debian/WSL
Posts: 9,789

Rep: Reputation: 492
I'm not familiar with JRun but I would expect some files with JRun in their names to show up. Why not ask your client's security team what made them think JRun was installed?
 
Old 06-17-2010, 01:37 AM   #9
romeo_tango
Member
 
Registered: Nov 2006
Distribution: Mint
Posts: 148

Original Poster
Rep: Reputation: 15
I already mentioned why the JRun issue showed up in the 3rd post.
Their firewall detected the false URLs as hacking attempts, while the URLs looked trojan-caused to me.

I also found that if you have JRun installed, you will have the JRun variable in your environment.
I checked them all and am pretty sure now that the server doesn't have any JRun on it.

So I guess I'm just gonna close the thread.
Thanks a lot for your help Sir.
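
The checks discussed in posts #5 to #9 (file names, running processes, environment variables) collected into one script, as an added example that is not part of any post in this thread. The function names are hypothetical, and the environment check rests on the original poster's statement that a JRun install leaves a JRun variable in the environment.

```shell
#!/bin/sh
# Added example (not from the thread): three independent checks for JRun.
# Each function prints one finding per line and prints nothing when clean.

# File names containing "jrun" in any letter case under directory $1.
# Every letter gets both cases; a class such as [Un] would accept "U" or "n"
# in third place and so skip the lowercase "u" in "jrun" and "JRun".
jrun_files() {
    find "$1" -name '*[Jj][Rr][Uu][Nn]*' -print 2>/dev/null || :
}

# Process listing read from stdin (pipe "ps -ef" into it). The grep that
# did the searching is dropped so it is not counted as a JRun process.
jrun_procs() {
    grep -i 'jrun' | grep -v 'grep ' || :
}

# Environment variables whose name or value mentions JRun.
jrun_env() {
    env | grep -i 'jrun' || :
}

# Run all three against the live host, starting the file search at $1
# (default /). Exit status 0 means evidence was found, 1 means none.
# Usage: if jrun_present /; then echo "JRun artifacts found"; fi
jrun_present() {
    hits=$( { jrun_files "${1:-/}"; ps -ef | jrun_procs; jrun_env; } )
    [ -n "$hits" ] && printf '%s\n' "$hits"
}
```

An empty result shows that no file, process or variable carries the name; a renamed install would not be found this way.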
 
  

