
FS-071000-5-JWS

Posted Jul 13, 2000
Authored by Saumil Shah | Site foundstone.com

The Sun Java Web Server for Solaris and Windows NT allows a remote attacker to execute arbitrary commands on the target system. Proof of concept included.

tags | exploit, java, remote, web, arbitrary, proof of concept
systems | windows, solaris
SHA-256 | bd8c338c7d97b0e98dd027394f8a93f703fd4e4cbad9bb9bf3ad8b24525f2c99

                             Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"

Security Advisory

Sun's Java Web Server

----------------------------------------------------------------------
FS Advisory ID: FS-071000-5-JWS

Release Date: July 10, 2000

Product: Java Web Server

Vendor: Sun Microsystems (http://www.sun.com)

Vendor Advisory: CERT Advisory: http://www.cert.org/advisories/CA-2000-02.html

JWS FAQ: http://www.sun.com/software/jwebserver/faq/jwsca-2000-02.html

Type: Remote command execution

Severity: High (depending on your configuration)

Author: Saumil Shah (saumil.shah@foundstone.com)
        Shreeraj Shah (shreeraj.shah@foundstone.com)
        Stuart McClure (stuart.mcclure@foundstone.com)
        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems: Solaris and Windows NT

Vulnerable versions: Sun Java Web Server, all versions

Foundstone Advisory: http://www.foundstone.com/advisories.htm
----------------------------------------------------------------------

Description

A security weakness exists in Sun's Java Web Server default
configuration. Using the Bulletin Board example application
supplied with Java Web Server, it is possible to remotely
execute arbitrary commands on the target system.

*NOTE: This advisory is a precautionary advisory, in an
attempt to alert the user community about a known vulnerability
that has just become practical to exploit. Please refer to
Sun's FAQ referenced above. Also, please refer to CERT
advisory CA-2000-02.

Details

JSP pages in Java Web Server are handled by the
com.sun.server.http.pagecompile.jsp.runtime.JspServlet, which
compiles the JSP pages (if they are not already compiled),
executes them within the Java Runtime Environment and hands the
output back to the web server.

It is possible to invoke this servlet manually using the
/servlet/ prefix in the URL, and point it to any arbitrary
file on the web server to be compiled and executed as if it
were a JSP file. Specifically, plain HTML files can also be
compiled and executed like JSP files. If JSP code can be
injected into HTML files, it is possible to execute arbitrary
commands on the server.

Java Web Server comes with a sample bulletin board
application that creates a "board.html" file in the web
document root directory. This file stores the messages posted
to the bulletin board by remote users. The bulletin board
application can be accessed at:

http://jws.site/examples/applications/bboard/bboard_frames.html

There is a user input text area for posting comments on the
bulletin board. The code to be uploaded needs to be entered
here, and uploaded into "board.html" by clicking the Post To
Board button.

If JSP code has been posted to "board.html", it is possible
to get the code compiled and executed by referencing the
following URL:

http://jws.site/servlet/com.sun.server.http.pagecompile.jsp.runtime.JspServlet/board.html

It is possible to write Java code that will allow arbitrary
commands to be executed on the underlying operating system by
using the Runtime.getRuntime().exec() method.

Proof of concept

The example below shows how to upload and run code that
displays "Hello World", coming from the server.

Given below is JSP code that will print "Hello World":

<% String s="Hello World"; %>
<%=s %>

Post this code to the bulletin board via:

http://jws.site/examples/applications/bboard/bboard_frames.html

Verify that the code has indeed been uploaded via:

http://jws.site/board.html

Compile and execute this code by referencing the following
URL:

http://jws.site/servlet/com.sun.server.http.pagecompile.jsp.runtime.JspServlet/board.html

Solution

See Java Web Server's documentation section entitled "How
to secure a web site that uses the Java Web Server" and
Sun's Java Web Server FAQ (which was posted in response to
CERT Advisory CA-2000-02) at:

http://www.sun.com/software/jwebserver/faq/jwsca-2000-02.html

Both documents describe detailed steps to lock down and
harden the Java Web Server. This issue can be eliminated
simply by removing the examples in the examples directory,
as described in both documents.
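
A defender-side check for the request pattern described above, added here
as an example and not part of the Foundstone advisory or Sun's documents:
it scans web access logs for direct JspServlet invocation on non-.jsp files
and for requests showing that the bboard example is still deployed. The
Common Log Format layout, the finding labels and the sample log lines are
assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Servlet class and example path as named in the advisory (compared lower-cased).
JSP_SERVLET = "/servlet/com.sun.server.http.pagecompile.jsp.runtime.jspservlet"
BBOARD_PREFIX = "/examples/applications/bboard/"

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def classify(target):
    """Return a finding label for a request target, or None if unremarkable."""
    # Normalise before matching: drop the query, percent-decode,
    # collapse repeated slashes, lower-case.
    path = unquote(urlsplit(target).path)
    path = re.sub(r"/+", "/", path).lower()
    if path == JSP_SERVLET or path.startswith(JSP_SERVLET + "/"):
        path_info = path[len(JSP_SERVLET):].strip("/")
        # JspServlet pointed at something other than a .jsp file means a
        # non-JSP resource (board.html in the advisory) is being compiled.
        if path_info and not path_info.endswith(".jsp"):
            return "jspservlet-on-non-jsp"
        return "jspservlet-direct"
    if path.startswith(BBOARD_PREFIX):
        return "bboard-example-deployed"
    return None

def scan(lines):
    """Return (client, method, status, label) for every flagged log line."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if m and (label := classify(m.group(3))):
            findings.append((m.group(1), m.group(2), m.group(4), label))
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jul/2000:10:00:01 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [10/Jul/2000:10:00:05 -0700] "GET /examples/applications/bboard/bboard_frames.html HTTP/1.0" 200 512',
    '198.51.100.7 - - [10/Jul/2000:10:02:11 -0700] "GET /servlet/com.sun.server.http.pagecompile.jsp.runtime.JspServlet/board.html HTTP/1.0" 200 87',
    '198.51.100.7 - - [10/Jul/2000:10:03:40 -0700] "GET /board.html HTTP/1.0" 200 87',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "bboard-example-deployed" finding on a production host means the
example applications have not yet been removed as the Solution section
recommends.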

Credits

We would also like to thank Sun Microsystems for their prompt
response to us with this problem.

Disclaimer

The information contained in this advisory is the copyright
(C) 2000 of Foundstone, Inc. and believed to be accurate at the
time of printing, but no representation or warranty is given,
express or implied, as to its accuracy or completeness. Neither
the author nor the publisher accepts any liability whatsoever for
any direct, indirect or consequential loss or damage arising in
any way from any use of, or reliance placed on, this
information for any purpose. This advisory may be redistributed
provided that no fee is assigned and that the advisory is not
modified in any way.
