[16354] in bugtraq
Sun's Java Web Server Remote Command Execution on Admin Server
daemon@ATHENA.MIT.EDU (Foundstone Labs)
Tue Aug 22 17:52:05 2000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-ID: <5B8559F3126DD4119C5100B0D022A06D0854E6@MAILWEST>
Date: Tue, 22 Aug 2000 13:27:30 -0700
Reply-To: Foundstone Labs <labs@FOUNDSTONE.COM>
From: Foundstone Labs <labs@FOUNDSTONE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"
Security Advisory
Sun's Java Web Server Remote Command Execution on Admin Server
----------------------------------------------------------------------
FS Advisory ID: FS-082200-11-JWS
Release Date: August 22, 2000
Product: Java Web Server
Vendor: Sun Microsystems (http://www.sun.com)
Type: Remote command execution
Severity: High
Author: Saumil Shah (saumil.shah@foundstone.com)
Shreeraj Shah (shreeraj.shah@foundstone.com)
Stuart McClure (stuart.mcclure@foundstone.com)
Foundstone, Inc. (http://www.foundstone.com)
Operating Systems: Solaris and Windows NT
Vulnerable versions: Sun Java Web Server, all versions
Foundstone Advisory: http://www.foundstone.com
----------------------------------------------------------------------
Description
Using Sun's Java Web Server's administration module
configuration and the Bulletin Board example application
supplied with Java Web Server, it is possible to remotely
execute arbitrary commands on the target system despite
existing vendor recommendations for hardening.
NOTE: Foundstone and Sun recommends implementing
vendor recommended hardening steps as those found in Sun's
advisory http://www.sun.com/software/jwebserver/faq/
jwsca-2000-02.html on locking down Java Web Server. However,
you must implement the solutions below to address the issues
discussed in this advisory.
Details
The com.sun.server.http.pagecompile.jsp92.JspServlet servlet
is also known to compile JSP pages (if they are not already
compiled) and execute them within the Java Runtime Enviroment
and hand the output back to the web server.
Sun's Java Web Server FAQ (mentioned above) eliminated forced
invocation of servlets using the /servlet/ prefix for the Java
Web Server Web Service and Secure Web Service. However, it is
possible to use the administration module, which runs on port
9090 by default and invoke servlets using the /servlet/ prefix
in the URL and point it to any arbitrary file within the
administration document root on the web server to be compiled
and executed as if it were a JSP file. With carefully crafted
JSP tags, it is possible to execute arbitrary commands on the
server.
Java Web Server comes with a sample bulletin board application
that creates a "board.html" file in the web document root
directory, that stores messages posted to the bulletin board
by remote users. The bulletin board application can be
accessed via the administration module by:
http://jws.site:9090/examples/applications/bboard/
bboard_frames.html
There is a user input text area for posting comments on the
bulletin board. The code to be uploaded needs to be entered
here, and uploaded into "board.html" by clicking the Post To
Board button.
If JSP code has been posted to "board.html", it is possible to
get the code compiled and executed by referencing the
following URL:
http://jws.site:9090/servlet/com.sun.server.http.pagecompile.
jsp92.JspServlet/board.html
It is possible to write Java code that will allow arbitrary
commands to be executed on the underlying operating system by
using the Runtime.getRuntime().exec() method.
Sun's Java Web Server FAQ does mention removing unnecessary
examples when deploying the server for a production environment.
However, if there are applications that write user inputs to a
data file on the server it may be possible to exploit this
vulnerability.
Proof of concept
The example below shows how to upload and run code that
displays "Hello World", coming from the server.
Given below is JSP code that will print "Hello World":
<% String s="Hello World"; %>
<%=s %>
Post this code to the bulletin board via:
http://jws.site:9090/examples/applications/bboard/
bboard_frames.html
Verify that the code has indeed been uploaded via:
http://jws.site:9090/board.html
Compile and execute this code by referencing the following URL:
http://jws.site:9090/servlet/com.sun.server.http.pagecompile.
jsp92.JspServlet/board.html
Solution
Workaround:
This is not a perfect workaround, just something that stops
this vulnerability for the time being, but it destroys the
administrative module's functionality.
Remove or comment out the line:
/servlet=invoker
in the file rules.properties which can be found under:
jws_directory/properties/server/adminserver/adminservice/
rules.properties
Restart the Java Web Server. However this renders the
administrative module unusable.
Vendor Fix:
Please install the following patches on systems running Java
Web Server:
Java Web Server Version Patch ID
------------------------ -----------
1.1.3 Patch 3
2.0 Patch 3
For Java Web Server versions 1.1.1 and 1.1.2, first upgrade the
Java Web Server and then install the appropriate patch.
Patches are available at:
http://java.sun.com/products/java-server/jws113patch3.html
http://java.sun.com/products/java-server/jws20patch3.html
Credits
We would also like to thank Sun Microsystems for their prompt
reaction to this problem and their co-operation in heightening
security awareness in the security community.
Disclaimer
The information contained in this advisory is the copyright
(C) 2000 of Foundstone, Inc. and believed to be accurate at
the time of printing, but no representation or warranty is
given, express or implied, as to its accuracy or completeness.
Neither the author nor the publisher accepts any liability
whatsoever for any direct, indirect or conquential loss or
damage arising in any way from any use of, or reliance placed
on, this information for any purpose. This advisory may be
redistributed provided that no fee is assigned and that the
advisory is not modified in any way.
