Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"

Security Advisory

BEA's WebLogic *.jsp/*.jhtml remote command execution
----------------------------------------------------------------------
FS Advisory ID:       FS-073100-10-BEA
Release Date:         July 31, 2000
Product:              WebLogic
Vendor:               BEA Systems (http://www.beasys.com)
Vendor Advisory:      http://developer.bea.com/alerts/index.html
Type:                 Possible remote command execution.
Severity:             High (depending on your configuration)
Author:               Shreeraj Shah (shreeraj.shah@foundstone.com)
                      Saumil Shah (saumil.shah@foundstone.com)
                      Stuart McClure (stuart.mcclure@foundstone.com)
Operating Systems:    All operating systems supported by WebLogic
Vulnerable versions:  WebLogic, all versions
Foundstone Advisory:  http://www.foundstone.com/advisories.htm
----------------------------------------------------------------------

Description

It is possible to compile and execute any arbitrary file within the web
document root directory of the WebLogic server as if it were a JSP/JHTML
file, even if the file type is not .jsp or .jhtml.

If applications residing on the WebLogic server write to files within the
web document root directory, it is possible to insert executable code in
the form of JSP or JHTML tags and have the code compiled and executed
using WebLogic's handlers. This can potentially allow an attacker to gain
administrative control of the underlying operating system.

The theory behind such vulnerabilities is described in CERT Advisory
CA-2000-02, which can be found at:
http://www.cert.org/advisories/CA-2000-02.html

This vulnerability is similar to the remote execution vulnerability for
Sun's Java Web Server reported previously by Foundstone (FS-071000-5-JWS).

Details

Looking into the weblogic.properties file, the following lines indicate
how WebLogic associates handlers for compiling and executing JHTML and
JSP files:

    weblogic.httpd.register.*.jhtml=\
        weblogic.servlet.jhtmlc.PageCompileServlet
    weblogic.httpd.register.*.jsp=\
        weblogic.servlet.JSPServlet

JHTML pages in WebLogic are handled by
weblogic.servlet.jhtmlc.PageCompileServlet, which compiles the JHTML pages
(if they are not already compiled), executes them within the Java Runtime
Environment and hands the output back to the web server. Similarly,
weblogic.servlet.JSPServlet is responsible for compiling and executing JSP
pages.

It is possible to invoke these servlets manually using the /*.jhtml/ or
/*.jsp/ prefix in the URL, and point them at any arbitrary file on the web
server to be compiled and executed as if it were a JHTML or a JSP file.
If JHTML or JSP code can be injected into any file on the web server via
an application (e.g. a guestbook application), it is possible to execute
arbitrary commands on the server.

Proof of concept

Assume that there is an application on the WebLogic server that writes
user-entered data to a file called "temp.txt". Given below is JHTML/JSP
code that will print "Hello World":

    out.println("Hello World");        (JHTML)

    -or-

    <% out.println("Hello World"); %>  (JSP)

If this code is somehow inserted in the file "temp.txt" via an
application, then the following can be used to invoke forced compilation
and execution of "temp.txt":

    http://weblogic.site/*.jhtml/path/to/temp.txt   (JHTML)

    -or-

    http://weblogic.site/*.jsp/path/to/temp.txt     (JSP)

Solution

Please refer to BEA's advisory BEA00-04.00, which can be found at
http://developer.bea.com/alerts/index.html

Credits

We would also like to thank BEA Systems for their prompt reaction to this
problem and their co-operation in heightening security awareness in the
security community.

Disclaimer

THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT (C) 2000 OF
FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT THE TIME OF PRINTING, BUT
NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS
ACCURACY OR COMPLETENESS.

NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR
ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY
FROM ANY USE OF, OR RELIANCE PLACED ON, THIS INFORMATION FOR ANY PURPOSE.
THIS ADVISORY MAY BE REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND
THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.
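The Details and Proof of concept sections above describe requests whose URL carries a literal "*.jsp/" or "*.jhtml/" path segment ahead of the real file path. From a monitoring standpoint, that prefix is an unusual shape for a legitimate request and can be picked out of ordinary web server access logs. The following is an added detection example, written for this page and not part of the Foundstone advisory or any BEA tooling. It assumes Common Log Format access logs; the log lines, client addresses and paths are constructed for illustration, and the percent-decoding loop is an assumption made so that an encoded asterisk (%2A) is treated the same as a literal one.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). Hosts, addresses
# and paths are placeholders invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Jul/2000:10:00:01 +0000] "GET /index.jsp HTTP/1.0" 200 512
10.0.0.7 - - [31/Jul/2000:10:00:02 +0000] "GET /*.jsp/guestbook/temp.txt HTTP/1.0" 200 1024
10.0.0.7 - - [31/Jul/2000:10:00:03 +0000] "GET /%2A.jhtml/guestbook/temp.txt HTTP/1.0" 200 1024
10.0.0.9 - - [31/Jul/2000:10:00:04 +0000] "GET /docs/notes.jhtml HTTP/1.0" 200 2048
10.0.0.9 - - [31/Jul/2000:10:00:05 +0000] "POST /guestbook/add HTTP/1.0" 302 0
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD path PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# A path segment that is exactly "*.jsp" or "*.jhtml" followed by more path:
# the handler-forcing prefix the advisory describes.
FORCED_HANDLER_RE = re.compile(r'(^|/)\*\.(jsp|jhtml)/', re.IGNORECASE)


def _decode(path, max_rounds=3):
    """Strip the query string and percent-decode until the value is stable
    (bounded), so that %2A and %252A both end up as a literal '*'."""
    value = path.split('?', 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_forced_compile(path):
    """True if the request path uses the /*.jsp/ or /*.jhtml/ prefix."""
    return FORCED_HANDLER_RE.search(_decode(path)) is not None


def forced_target(path):
    """The file path that follows the forcing prefix (for triage), or None."""
    decoded = _decode(path)
    m = FORCED_HANDLER_RE.search(decoded)
    if not m:
        return None
    # m.end() sits just past the trailing '/', so keep that slash as the root.
    return decoded[m.end() - 1:]


def find_forced_compile_requests(log_text):
    """Return the parsed records of every request that forces a page handler."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_forced_compile(rec['path']):
            rec['target'] = forced_target(rec['path'])
            hits.append(rec)
    return hits


if __name__ == '__main__':
    for rec in find_forced_compile_requests(SAMPLE_LOG):
        print(rec['ts'], rec['ip'], rec['method'], rec['path'], '->', rec['target'])
```

Run against the constructed log, the two requests from 10.0.0.7 are reported and both resolve to the same target file, which is the detail worth checking first: whether that file is one an application on the server writes to. Requests for ordinary .jsp and .jhtml pages are not flagged, since only the wildcard segment ahead of another path matches.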