The Sun Java Web Server for Solaris and Windows NT allows a remote attacker to execute arbitrary commands on the target system. Proof of concept included.
Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"
Security Advisory
Sun's Java Web Server
----------------------------------------------------------------------
FS Advisory ID: FS-071000-5-JWS
Release Date: July 10, 2000
Product: Java Web Server
Vendor: Sun Microsystems (http://www.sun.com)
Vendor Advisory: CERT Advisory: http://www.cert.org/advisories/CA-2000-02.html
JWS FAQ: http://www.sun.com/software/jwebserver/faq/jwsca-2000-02.html
Type: Remote command execution
Severity: High (depending on your configuration)
Author: Saumil Shah (saumil.shah@foundstone.com)
Shreeraj Shah (shreeraj.shah@foundstone.com)
Stuart McClure (stuart.mcclure@foundstone.com)
Foundstone, Inc. (http://www.foundstone.com)
Operating Systems: Solaris and Windows NT
Vulnerable versions: Sun Java Web Server, all versions
Foundstone Advisory: http://www.foundstone.com/advisories.htm
----------------------------------------------------------------------
Description
A security weakness exists in Sun's Java Web Server default
configuration. Using the Bulletin Board example application
supplied with Java Web Server, it is possible to remotely
execute arbitrary commands on the target system.
*NOTE: This advisory is a precautionary advisory, in an
attempt to alert the user community about a known vulnerability
that has just become practical to exploit. Please refer to
Sun's FAQ referenced above. Also, please refer to CERT
advisory CA-2000-02.
Details
JSP pages in Java Web Server are handled by the
com.sun.server.http.pagecompile.jsp.runtime.JspServlet, which
compiles the JSP pages (if they are not already compiled),
executes them within the Java Runtime Environment and hands the
output back to the web server.
It is possible to invoke this servlet directly using the
/servlet/ prefix in the URL and point it, via the extra path
information after the servlet name, at any file on the web
server, which is then compiled and executed as if it were a JSP
file. Specifically, plain HTML files can also be compiled and
executed like JSP files. If JSP code can be injected into an
HTML file under the document root, it is possible to execute
arbitrary commands on the server.
Java Web Server comes with a sample bulletin board
application that creates a "board.html" file in the web
document root directory, that stores messages posted to the
bulletin board by remote users. The bulletin board
application can be accessed at:
http://jws.site/examples/applications/bboard/bboard_frames.html
There is a user input text area for posting comments on the
bulletin board. The code to be uploaded needs to be entered
here, and uploaded into "board.html" by clicking the Post To
Board button.
If JSP code has been posted to "board.html", it is possible
to get the code compiled and executed by referencing the
following URL:
http://jws.site/servlet/com.sun.server.http.pagecompile.jsp.runtime.JspServlet/board.html
It is possible to write Java code that will allow arbitrary
commands to be executed on the underlying operating system by
using the Runtime.getRuntime().exec() method.
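The two conditions described above, a reachable copy of the sample bulletin board and a request that reaches JspServlet through the /servlet/ prefix with a non-JSP file as its target, are both visible in the web server's access log. The following Python script is an added example written for this page, not code from Foundstone or Sun; it assumes Common Log Format lines (the sample entries are constructed, not taken from a real server) and flags exactly the URL shapes this advisory names:

```python
import re
from urllib.parse import urlparse, unquote

# Servlet class named in the advisory. Reaching it through the /servlet/
# prefix lets the client choose which file gets compiled as a JSP page.
JSP_SERVLET = "com.sun.server.http.pagecompile.jsp.runtime.JspServlet"
SERVLET_PREFIX = "/servlet/" + JSP_SERVLET

# Sample application whose board.html stores user posts under the docroot.
BBOARD_PREFIX = "/examples/applications/bboard/"

# Request line inside a Common Log Format entry: "METHOD PATH PROTO"
_CLF_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)"')


def classify_request(path):
    """Return a finding for one request path, or None if it is benign.

    The path is percent-decoded before matching so that an encoded
    target file name (e.g. %62oard.html) is not missed.
    """
    target = unquote(urlparse(path).path)
    if target.startswith(SERVLET_PREFIX):
        # Extra path info after the servlet name is the file JspServlet
        # will compile; the normal JSP path never looks like this.
        victim = target[len(SERVLET_PREFIX):].lstrip("/")
        if victim.lower().endswith(".jsp"):
            return "direct JspServlet invocation of " + victim
        return "JspServlet forced to compile non-JSP file " + (victim or "(none)")
    if target.startswith(BBOARD_PREFIX):
        return "sample bulletin board reachable: " + target
    return None


def scan_log(lines):
    """Scan CLF lines; return (line_number, method, finding) tuples."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = _CLF_REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip it
        finding = classify_request(m.group("path"))
        if finding:
            findings.append((number, m.group("method"), finding))
    return findings


# Constructed sample log (hypothetical hosts and timestamps).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Jul/2000:14:02:11 -0700] "GET /index.html HTTP/1.0" 200 1843',
    '10.0.0.5 - - [10/Jul/2000:14:02:30 -0700] "GET /examples/applications/bboard/bboard_frames.html HTTP/1.0" 200 512',
    '10.0.0.5 - - [10/Jul/2000:14:03:20 -0700] "GET /board.html HTTP/1.0" 200 901',
    '10.0.0.5 - - [10/Jul/2000:14:03:41 -0700] "GET /servlet/com.sun.server.http.pagecompile.jsp.runtime.JspServlet/board.html HTTP/1.0" 200 44',
    '192.168.1.9 - - [10/Jul/2000:14:05:00 -0700] "GET /servlet/com.sun.server.http.pagecompile.jsp.runtime.JspServlet/%62oard.html HTTP/1.0" 200 44',
    '192.168.1.9 - - [10/Jul/2000:14:06:00 -0700] "GET /hello.jsp HTTP/1.0" 200 120',
]

if __name__ == "__main__":
    for number, method, finding in scan_log(SAMPLE_LOG_LINES):
        print("line %d: %s %s" % (number, method, finding))
```

A hit on the bulletin board path means the examples directory is still deployed; a hit on the JspServlet path with a non-.jsp target is the compile-and-execute step itself and should be treated as an attempted or successful compromise of that host.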
Proof of concept
The example below shows how to upload and run code that
displays "Hello World", coming from the server.
Given below is JSP code that will print "Hello World":
<% String s="Hello World"; %>
<%=s %>
Post this code to the bulletin board via:
http://jws.site/examples/applications/bboard/bboard_frames.html
Verify that the code has indeed been uploaded via:
http://jws.site/board.html
Compile and execute this code by referencing the following
URL:
http://jws.site/servlet/com.sun.server.http.pagecompile.jsp.runtime.JspServlet/board.html
Solution
See Java Web Server's documentation section entitled "How
to secure a web site that uses the Java Web Server" and
Sun's Java Web Server FAQ (which was posted in response to
CERT Advisory CA-2000-02) at:
http://www.sun.com/software/jwebserver/faq/jwsca-2000-02.html
Both documents describe detailed steps to lock down and
harden the Java Web Server. Removing the examples directory,
as described in both documents, removes the bulletin board
and with it the way a remote user gets content written into
"board.html"; the remaining lock-down steps should also be
applied, since JspServlet can be pointed at any file under the
document root that an attacker can influence.
Credits
We would like to thank Sun Microsystems for their prompt
response to us on this problem.
Disclaimer
The information contained in this advisory is the copyright
(C) 2000 of Foundstone, Inc. and believed to be accurate at the
time of printing, but no representation or warranty is given,
express or implied, as to its accuracy or completeness. Neither
the author nor the publisher accepts any liability whatsoever for
any direct, indirect or consequential loss or damage arising in
any way from any use of, or reliance placed on, this
information for any purpose. This advisory may be redistributed
provided that no fee is assigned and that the advisory is not
modified in any way.