Stack-based buffer overflow in the map_uri_to_worker function (native/common/jk_uri_worker_map.c) in mod_jk.so for Apache Tomcat JK Web Server Connector 1.2.19 and 1.2.20, as used in Tomcat 4.1.34 and 5.5.20, allows remote attackers to execute arbitrary code via a long URL that triggers the overflow in a URI worker map routine.

The remote host is affected by the vulnerability described in GLSA-200703-16 (Apache JK Tomcat Connector: Remote execution of arbitrary code)

    ZDI reported an unsafe memory copy in mod_jk that was discovered by an     anonymous researcher in the map_uri_to_worker function of     native/common/jk_uri_worker_map.c .
  Impact :

    A remote attacker can send a long URL request to an Apache server using     Tomcat. That can trigger the vulnerability and lead to a stack-based     buffer overflow, which could result in the execution of arbitrary code     with the permissions of the Apache user.
  Workaround :

    There is no known workaround at this time.

According to its banner, the version of the Apache mod_jk module in use on the remote web server contains a buffer overflow vulnerability.
An unauthenticated, remote attacker may be able to exploit this flaw by sending a long URL request to crash the affected service or execute arbitrary code on the remote host, subject to the privileges of the web server user id.

TippingPoint and The Zero Day Initiative reports :

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache Tomcat JK Web Server Connector.
Authentication is not required to exploit this vulnerability.

The specific flaw exists in the URI handler for the mod_jk.so library, map_uri_to_worker(), defined in native/common/jk_uri_worker_map.c.
When parsing a long URL request, the URI worker map routine performs an unsafe memory copy. This results in a stack overflow condition which can be leveraged to execute arbitrary code.

The remote host is running the Apache Tomcat web server with mod_jk.  mod_jk is reported to be vulnerable to a remote buffer overflow.  It is alleged that an attacker sending a URI of greater than 4095 bytes can corrupt the application memory.  Successful exploitation would result in the attacker executing arbitrary code on the remote web server. 

ID	Name	Product	Family	Severity
24841	GLSA-200703-16 : Apache JK Tomcat Connector: Remote execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
24813	Apache mod_jk Long URL Worker Map Stack Remote Overflow	Nessus	CGI abuses	high
24770	FreeBSD : mod_jk -- long URL stack overflow vulnerability (cf86c644-cb6c-11db-8e9d-000c6ec775d9)	Nessus	FreeBSD Local Security Checks	high
3932	Apache TomCat mod_jk < 1.2.21 Worker Map Remote Overflow	Nessus Network Monitor	Web Servers	high

Detections

Analytics

CVE-2007-0774

critical

Tenable Plugins

high

high

high

high