Allaire JRUN 2.3 Remote command execution
daemon@ATHENA.MIT.EDU (Foundstone Labs)
Tue Oct 24 00:05:27 2000
Date: Mon, 23 Oct 2000 11:42:43 -0700
Reply-To: Foundstone Labs <labs@FOUNDSTONE.COM>
From: Foundstone Labs <labs@FOUNDSTONE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"
Security Advisory
Allaire JRUN 2.3
----------------------------------------------------------------------
FS Advisory ID: FS-102300-14-JRUN
Release Date: October 23, 2000
Product: Allaire JRUN 2.3
Vendor: Allaire Inc. (http://www.allaire.com)
Vendor Advisory: http://www.allaire.com/security/
Type: Remote command execution
Severity: High
Author: Shreeraj Shah (shreeraj.shah@foundstone.com)
Saumil Shah (saumil.shah@foundstone.com)
Stuart McClure (stuart.mcclure@foundstone.com)
Foundstone, Inc. (http://www.foundstone.com)
Operating Systems: All operating systems supported by JRUN
Vulnerable versions: JRUN Server v2.3
Foundstone Advisory:
http://www.foundstone.com/cgi-bin/display.cgi?Section_ID=13
----------------------------------------------------------------------
Description
It is possible to compile and execute any arbitrary file
within the web document root directory of the JRUN web
server as if it were a JSP file, even if the file type is not
.jsp.
If applications running on the JRUN 2.3 server write to files
within the web document root directory, it is possible to
insert executable code in the form of JSP tags and have the
code compiled and executed using JRUN's handlers. This can
potentially allow an attacker to gain administrative control
of the underlying operating system.
The theory behind such vulnerabilities is described in CERT
Advisory CA-2000-02 which can be found at:
http://www.cert.org/advisories/CA-2000-02.html
This vulnerability is similar to the remote execution
vulnerability for Sun's Java Web Server and BEA's WebLogic
application server reported previously by Foundstone.
(FS-071000-5-JWS and FS-073100-10-BEA)
Details
From the rules.properties and servlets.properties files, it is
seen that the URL prefix /servlet/ can be used as an invoker
for any servlet. Also, the JRUN servlet engine handles all JSP
requests by invoking the com.livesoftware.jrun.plugins.JSP
servlet.
It is possible to invoke these servlets manually, even if they
are not registered in the JRUN configuration, by using the
complete class name in the URL prefixed by /servlet/ and pointing
it at any arbitrary file on the web server. This file will then
be compiled and executed as if it were a JSP file. If JSP
code can be injected into any file on the web server via an
application (e.g. a guestbook application), it is possible to
execute arbitrary commands on the server.
Proof of concept
Assume that there is an application on the JRUN server that
writes user entered data to a file called "temp.txt".
Given below is JSP code that will print "Hello World":
<% out.println("Hello World"); %>
If this code is somehow inserted in the file "temp.txt" via an
application, then the following two URLs can be used to invoke
forced compilation and execution of "temp.txt":
http://jrun:8000/servlet/com.livesoftware.jrun.plugins.jsp.JSP/../../path/to/temp.txt
http://jrun:8000/servlet/jsp/../../path/to/temp.txt
Note: It is assumed that JRun runs on host "jrun", port 8000.
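The two request shapes above (the JSP handler servlet or its /servlet/jsp/ alias, followed by directory traversal or a non-.jsp target) are easy to pick out of a web server access log. The following detector is an added example, not part of the Foundstone advisory; the log lines are constructed for illustration, and the JSP handler names are the ones given in the advisory.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Oct/2000:11:42:43 -0700] "GET /index.html HTTP/1.0" 200 1024
10.0.0.5 - - [23/Oct/2000:11:42:50 -0700] "GET /servlet/HelloServlet HTTP/1.0" 200 512
10.0.0.9 - - [23/Oct/2000:11:43:01 -0700] "GET /servlet/com.livesoftware.jrun.plugins.jsp.JSP/../../path/to/temp.txt HTTP/1.0" 200 33
10.0.0.9 - - [23/Oct/2000:11:43:05 -0700] "GET /servlet/jsp/../../path/to/temp.txt HTTP/1.0" 200 33
10.0.0.9 - - [23/Oct/2000:11:43:10 -0700] "GET /servlet/jsp/%2e%2e/%2e%2e/guestbook.txt HTTP/1.0" 200 33
10.0.0.7 - - [23/Oct/2000:11:44:00 -0700] "GET /app/welcome.jsp HTTP/1.0" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# The JSP handler servlet and its short alias, as named in the advisory.
JSP_HANDLERS = ("com.livesoftware.jrun.plugins.jsp.JSP", "jsp")

def classify_request(target):
    """Return a reason string if the request abuses the /servlet/ invoker, else None."""
    path = unquote(urlsplit(target).path)   # decode %2e etc. before inspecting
    if not path.startswith("/servlet/"):
        return None
    rest = path[len("/servlet/"):]
    name, _, tail = rest.partition("/")      # servlet name, then the path it is pointed at
    if name not in JSP_HANDLERS:
        return None
    if ".." in tail.split("/"):
        return "JSP handler invoked with directory traversal: %s" % path
    if tail and not tail.lower().endswith(".jsp"):
        return "JSP handler forced onto non-.jsp file: %s" % path
    return None

def scan_log(text):
    """Return (line_number, reason) for every suspicious request in the log text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reason = classify_request(m.group("target"))
        if reason:
            hits.append((n, reason))
    return hits

if __name__ == "__main__":
    for n, reason in scan_log(SAMPLE_LOG):
        print("line %d: %s" % (n, reason))
```

Because the check decodes the path first, percent-encoded traversal sequences are caught as well as the literal form shown in the advisory.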
Solution
Follow the recommendations given in Allaire Security Bulletin
ASB00-29, available at: http://www.allaire.com/security/
Credits
We would also like to thank Allaire for their prompt reaction
to this problem and their co-operation in heightening
security awareness in the security community.
Disclaimer
The information contained in this advisory is the copyright
(C) 2000 of Foundstone, Inc. and believed to be accurate at
the time of printing, but no representation or warranty is
given, express or implied, as to its accuracy or completeness.
Neither the author nor the publisher accepts any liability
whatsoever for any direct, indirect or consequential loss or
damage arising in any way from any use of, or reliance placed
on, this information for any purpose. This advisory may be
redistributed provided that no fee is assigned and that the
advisory is not modified in any way.