[Snort-sigs] Fwd: Allaire's JRUN DoS

Joseph Nicholas Yarbrough nyarbrough at ...5...
Wed Nov 1 19:03:58 EST 2000

Here is a signature for this attack. Seems to be simple, so it should work.

# Allaire's JRUN DoS : Author nyarbrough at ...5... for LURHQ corp http://www.lurhq.com
alert tcp any any -> any 80 (msg:"WEB JRUN DoS attempt"; flags:PA; content:"servlet/......."; nocase;)

That's all for now,

Joseph Nicholas Yarbrough
Information Security Analyst
LURHQ Corporation
nyarbrough at ...5...

----------  Forwarded Message  ----------
Subject: Allaire's JRUN DoS
Date: Wed, 1 Nov 2000 09:34:22 -0800
From: Foundstone Labs <labs at ...15...>
To: BUGTRAQ at ...16...

Foundstone, Inc.
                      "Securing the Dot Com World"

                           Security Advisory

                           Allaire's JRUN DoS

FS Advisory ID:         FS-110100-17-JRUN

Release Date:           November 1, 2000

Product:                JRun 3.0

Vendor:                 Allaire Inc. (http://www.allaire.com)

Vendor Advisory:        http://www.allaire.com/security/

Type:                   Denial of Service attack

Severity:               High

Author:                 Shreeraj Shah (shreeraj.shah at ...17...)
                        Saumil Shah (saumil.shah at ...17...)
                        Stuart McClure (stuart.mcclure at ...17...)
                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      All operating systems

Vulnerable versions:    JRun 3.0

Foundstone Advisory:


        A denial of service vulnerability exists within the Allaire
        JRun 3.0 web application server which allows an attacker to
        bring down the JRun application server engine.


        JRun3.0 is a Java application server, supporting Java Server
        Pages, Java servlets and other Java related technologies. The
        /servlet URL prefix is mapped as a handler for invoking

        Servlets are stored in a hierarchical manner and are accessed
        via a naming convention of the type:

           <dir>.<dir>. ... <dir>.<servlet>

        Hence if a servlet called test is stored under com/site/test,
        it is invoked by the URL:


        If a large string of dots is placed after the /servlet/ URL
        prefix, such as:

           (hundreds of "."s)

        it gets interpreted as a very large tree of non-existent
        directories when looking for the servlet. This causes the
        JRun server engine to temporarily consume system resources at
        a high priority, and brings about a temporary denial of
        services for the JRun server engine. Other services do not
        get affected.

        If many such URL requests are made, the JRun server engine
        (specifically the javaw process) does not recover. All
        other JRun dependent requests get denied.

Proof of concept

        From a browser, make the following URL request:

        http://site.running.jrun/servlet/........... (many "."s)


        Follow the recommendations given in Allaire Security Bulletin
        ASB00-30, available at: http://www.allaire.com/security/


        We would also like to thank Allaire Inc. for their prompt
        reaction to this problem and their co-operation in heightening
        security awareness in the security community.


        The information contained in this advisory is the copyright (C)
        2000 of Foundstone, Inc. and believed to be accurate at the time
        of printing, but no representation or warranty is given, express
        or implied, as to its accuracy or completeness. Neither the
        author nor the publisher accepts any liability whatsoever for
        any direct, indirect or consequential loss or damage arising in
        any way from any use of, or reliance placed on, this information
        for any purpose. This advisory may be redistributed provided that
        no fee is assigned and that the advisory is not modified in any
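
The check expressed by the signature above can also be run over web server access logs after the fact. The following is an added example, not part of the original posts or of Snort: it flags requests whose /servlet/ prefix is followed by a long run of dots, decoding percent-escapes first so that "%2e" is counted as a dot. The common log format, the threshold of seven dots (the run length in the posted rule), the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Assumption: seven dots mirrors the run in the posted rule's content match.
DOT_RUN_THRESHOLD = 7

# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# /servlet/ prefix (any case, like nocase in the rule) followed by a run of dots.
SERVLET_DOTS_RE = re.compile(r'/servlet/(\.+)', re.IGNORECASE)


def servlet_dot_run(target):
    """Return the longest run of dots directly after /servlet/ in a request target."""
    path = target.split('?', 1)[0]
    # Decode percent-escapes (twice, to cover double encoding) so %2e counts as ".".
    for _ in range(2):
        path = unquote(path)
    return max((len(m.group(1)) for m in SERVLET_DOTS_RE.finditer(path)), default=0)


def scan(lines, threshold=DOT_RUN_THRESHOLD):
    """Yield (client, dot_run_length) for each log line at or above the threshold."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        run = servlet_dot_run(m.group('target'))
        if run >= threshold:
            yield line.split(' ', 1)[0], run


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2000:19:10:01 -0500] "GET /servlet/shop.cart.Checkout HTTP/1.0" 200 512',
    '192.0.2.44 - - [01/Nov/2000:19:10:07 -0500] "GET /servlet/' + '.' * 300 + ' HTTP/1.0" 500 0',
    '192.0.2.44 - - [01/Nov/2000:19:10:09 -0500] "GET /SERVLET/' + '%2e' * 40 + ' HTTP/1.0" 500 0',
    '192.0.2.77 - - [01/Nov/2000:19:11:30 -0500] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == '__main__':
    for client, run in scan(SAMPLE_LOG):
        print(f'{client}: {run} dots after /servlet/')
```

Repeated hits from one client matter most here, since the advisory reports that the engine does not recover when many such requests are made.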

