‘Sun Java Web Proxy Server FTP Resource Handling Heap-Based Buffer Overflow’
Summary
‘Sun Microsystems Inc’s Java System is ‘a collection of server applications bundled together. One such server application included is the Web Proxy Server. This software implements proxy services including HTTP and SOCKSv5′.
Credit:
‘The information has been provided by iDefense.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=747‘
Details
‘Vulnerable Systems:
* Sun Java System Web Proxy Server 4.0 through 4.0.7
A heap based buffer overflow exists in the handling of FTP resources. Specifically the vulnerability resides within the code responsible for handling HTTP GET requests.
Analysis:
Exploitation of this issue allows an attacker to execute arbitrary code on the server. An attacker would need to locate the vulnerable server and construct a malicious HTTP GET request. The attacker would then send the HTTP GET request to the Sun Java Web Proxy Server and upon processing the request execution of arbitrary code would be possible.
Vendor response:
Sun Microsystems has officially addressed this vulnerability with Alert # 242986.
For more information, consult their bulletin at the following URL: http://sunsolve.sun.com/search/document.do?assetkey=1-66-242986-1
CVE Information:
CVE-2008-4541
Disclosure timeline:
05/27/2008 – Initial vendor notification
05/27/2008 – Initial vendor response
10/09/2008 – Coordinated public disclosure’