[17311] in bugtraq

home help back first fref pref prev next nref lref last post

Allaire JRUN 2.3 Remote command execution

daemon@ATHENA.MIT.EDU (Foundstone Labs)
Tue Oct 24 00:05:27 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id:  <5B8559F3126DD4119C5100B0D022A06D1F4005@mailwest>
Date:         Mon, 23 Oct 2000 11:42:43 -0700
Reply-To: Foundstone Labs <labs@FOUNDSTONE.COM>
From: Foundstone Labs <labs@FOUNDSTONE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

                            Foundstone, Inc.
                        http://www.foundstone.com
                      "Securing the Dot Com World"

                           Security Advisory

                           Allaire JRUN 2.3

----------------------------------------------------------------------
FS Advisory ID:         FS-102300-14-JRUN

Release Date:           October 23, 2000

Product:                Allaire JRUN 2.3

Vendor:                 Allaire Inc. (http://www.allaire.com)

Vendor Advisory:        http://www.allaire.com/security/

Type:                   Remote command execution

Severity:               High

Author:                 Shreeraj Shah (shreeraj.shah@foundstone.com)
                        Saumil Shah (saumil.shah@foundstone.com)
                        Stuart McClure (stuart.mcclure@foundstone.com)
                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      All operating systems supported by JRUN

Vulnerable versions:    JRUN Server v2.3

Foundstone Advisory:
http://www.foundstone.com/cgi-bin/display.cgi?Section_ID=13
----------------------------------------------------------------------

Description

        It is possible to compile and execute any arbitrary file
        within the web document root directory of the JRUN's web
        server as if it were a JSP file, even if the file type is not
        .jsp.

        If applications running on the JRUN 2.3 server write to files
        within the web document root directory, it is possible to
        insert executable code in the form of JSP tags and have the
        code compiled and executed using JRUN's handlers. This can
        potentially cause an attacker to gain administrative control
        of the underlying operating systems.

        The theory behind such vulnerabilities is described in CERT
        Advisory CA-2000-02 which can be found at:
        http://www.cert.org/advisories/CA-2000-02.html

        This vulnerability is similar to the remote execution
        vulnerability for Sun's Java Web Server and BEA's WebLogic
        application server reported previously by Foundstone.
        (FS-071000-5-JWS and FS-073100-10-BEA)

Details

        From the rules.properties and servlets.properties file, it is
        seen that the URL prefix /servlet/ can be used as an invoker
        for any servlet. Also, the JRUN servlet engine handles all jsp
        requests by invoking the com.livesoftware.jrun.plugins.JSP
        servlet.

        It is possible to invoke these servlets manually, even if they
        are not registered in the JRUN configuration, using the
        complete name in the URL prefixed by /servlet/, and point it
        to any arbitrary file on the web server. This file will be
        then compiled and executed as if it were a JSP file. If JSP
        code can be injected into any file on the web server via an
        application (e.g. a guestbook application), it is possible to
        execute arbitrary commands on the server.

Proof of concept

        Assume that there is an application on the JRUN server that
        writes user entered data to a file called "temp.txt".

        Given below is JSP code that will print "Hello World":

        <% out.println("Hello World"); %>

        If this code is somehow inserted in the file "temp.txt" via an
        application, then the following two URLs can be used to invoke
        forced compilation and execution of "temp.txt":


http://jrun:8000/servlet/com.livesoftware.jrun.plugins.jsp.JSP/../../path/to
/temp.txt
        http://jrun:8000/servlet/jsp/../../path/to/temp.txt

        Note: It is assumed that JRun runs on host "jrun", port 8000.

Solution

        Follow the recommendations given in Allaire Security Bulletin
        ASB00-29, available at: http://www.allaire.com/security/

Credits

        We would also like to thank Allaire for their prompt reaction
        to this problem and their co-operation in heightening
        security awareness in the security community.

Disclaimer

        The information contained in this advisory is the copyright
        (C) 2000 of Foundstone, Inc. and believed to be accurate at
        the time of printing, but no representation or warranty is
        given, express or implied, as to its accuracy or completeness.
        Neither the author nor the publisher accepts any liability
        whatsoever for any direct, indirect or conquential loss or
        damage arising in any way from any use of, or reliance placed
        on, this information for any purpose. This advisory may be
        redistributed provided that no fee is assigned and that the
        advisory is not modified in any way.

home help back first fref pref prev next nref lref last post