Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"

Security Advisory

Sun's Java Web Server Remote Command Execution on Admin Server
----------------------------------------------------------------------
FS Advisory ID:       FS-082200-11-JWS
Release Date:         August 22, 2000
Product:              Java Web Server
Vendor:               Sun Microsystems (http://www.sun.com)
Type:                 Remote command execution
Severity:             High
Author:               Saumil Shah (saumil.shah@foundstone.com)
                      Shreeraj Shah (shreeraj.shah@foundstone.com)
                      Stuart McClure (stuart.mcclure@foundstone.com)
                      Foundstone, Inc. (http://www.foundstone.com)
Operating Systems:    Solaris and Windows NT
Vulnerable versions:  Sun Java Web Server, all versions
Foundstone Advisory:  http://www.foundstone.com
----------------------------------------------------------------------

Description

Using Sun's Java Web Server's administration module configuration and the
Bulletin Board example application supplied with Java Web Server, it is
possible to remotely execute arbitrary commands on the target system
despite existing vendor recommendations for hardening.

NOTE: Foundstone and Sun recommend implementing the vendor-recommended
hardening steps, such as those found in Sun's advisory
http://www.sun.com/software/jwebserver/faq/jwsca-2000-02.html on locking
down Java Web Server. However, you must also implement the solutions below
to address the issues discussed in this advisory.

Details

The com.sun.server.http.pagecompile.jsp92.JspServlet servlet compiles JSP
pages (if they are not already compiled), executes them within the Java
Runtime Environment and hands the output back to the web server. Sun's
Java Web Server FAQ (mentioned above) eliminated forced invocation of
servlets using the /servlet/ prefix for the Java Web Server Web Service
and Secure Web Service.
However, it is possible to use the administration module, which runs on
port 9090 by default, to invoke servlets using the /servlet/ prefix in the
URL and point it at any arbitrary file within the administration document
root on the web server, which is then compiled and executed as if it were
a JSP file. With carefully crafted JSP tags, it is possible to execute
arbitrary commands on the server.

Java Web Server comes with a sample bulletin board application that
creates a "board.html" file in the web document root directory, which
stores the messages posted to the bulletin board by remote users. The
bulletin board application can be accessed via the administration module
at:

http://jws.site:9090/examples/applications/bboard/bboard_frames.html

There is a user input text area for posting comments on the bulletin
board. The code to be uploaded is entered here and written into
"board.html" by clicking the Post To Board button.

Once JSP code has been posted to "board.html", it is possible to get the
code compiled and executed by referencing the following URL:

http://jws.site:9090/servlet/com.sun.server.http.pagecompile.jsp92.JspServlet/board.html

It is possible to write Java code that allows arbitrary commands to be
executed on the underlying operating system by using the
Runtime.getRuntime().exec() method.

Sun's Java Web Server FAQ does mention removing unnecessary examples when
deploying the server in a production environment. However, any
application that writes user input to a data file on the server offers
the same opportunity to exploit this vulnerability.

Proof of concept

The example below shows how to upload and run code that displays "Hello
World", generated by the server.
Given below is JSP code that will print "Hello World":

<% String s="Hello World"; %>
<%=s %>

Post this code to the bulletin board via:

http://jws.site:9090/examples/applications/bboard/bboard_frames.html

Verify that the code has indeed been uploaded via:

http://jws.site:9090/board.html

Compile and execute this code by referencing the following URL:

http://jws.site:9090/servlet/com.sun.server.http.pagecompile.jsp92.JspServlet/board.html

Solution

Workaround:

This is not a perfect workaround, just something that stops this
vulnerability for the time being, but it destroys the administrative
module's functionality.

Remove or comment out the line:

/servlet=invoker

in the file rules.properties, which can be found under:

jws_directory/properties/server/adminserver/adminservice/rules.properties

Restart the Java Web Server. However, this renders the administrative
module unusable.

Vendor Fix:

Please install the following patches on systems running Java Web Server:

Java Web Server Version    Patch ID
------------------------   -----------
1.1.3                      Patch 3
2.0                        Patch 3

For Java Web Server versions 1.1.1 and 1.1.2, first upgrade the Java Web
Server and then install the appropriate patch.

Patches are available at:

http://java.sun.com/products/java-server/jws113patch3.html
http://java.sun.com/products/java-server/jws20patch3.html

Credits

We would also like to thank Sun Microsystems for their prompt reaction to
this problem and their co-operation in heightening security awareness in
the security community.

Disclaimer

The information contained in this advisory is the copyright (C) 2000 of
Foundstone, Inc. and believed to be accurate at the time of printing, but
no representation or warranty is given, express or implied, as to its
accuracy or completeness. Neither the author nor the publisher accepts any
liability whatsoever for any direct, indirect or consequential loss or
damage arising in any way from any use of, or reliance placed on, this
information for any purpose.
This advisory may be redistributed provided that no fee is assigned and
that the advisory is not modified in any way.

----- End forwarded message -----
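As an added defensive check (example code written for this page, not part of the Foundstone advisory or Sun's product): a Python audit that flags an active /servlet=invoker rule in the admin service rules.properties text (the line the workaround above removes) and scans access log lines for requests that route a non-.jsp file through the JspServlet page compiler via the /servlet/ prefix. The NCSA-style log format and the sample rules and log lines are assumptions.

```python
"""Audit helpers for the Java Web Server admin-server issue described above.
Added example, not Foundstone's or Sun's code; log format and samples are assumed."""
import re
from typing import List, Tuple

JSPSERVLET = "com.sun.server.http.pagecompile.jsp92.JspServlet"
# Matches: "GET /servlet/<JspServlet>/<target> HTTP/1.0"; group 1 is <target>.
REQ_RE = re.compile(r'"(?:GET|POST) /servlet/' + re.escape(JSPSERVLET) + r'/([^ ?"]+)')


def is_invoker_enabled(rules_properties: str) -> bool:
    """True if rules.properties text still has an active '/servlet=invoker' line.
    Lines starting with '#' or '!' are .properties comments and are ignored."""
    for raw in rules_properties.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "/servlet" and value.strip() == "invoker":
            return True
    return False


def find_jspservlet_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, target) for requests that push a non-.jsp file through
    the JspServlet compiler using the /servlet/ invoker prefix, i.e. the pattern
    the advisory describes (board.html compiled and executed as a JSP page)."""
    hits = []
    for line in log_lines:
        m = REQ_RE.search(line)
        if m and not m.group(1).lower().endswith(".jsp"):
            client = line.split(" ", 1)[0]   # NCSA common log: client IP first
            hits.append((client, m.group(1)))
    return hits


# Constructed sample data so the script runs stand-alone.
SAMPLE_RULES = "# admin service rules (constructed sample)\n/servlet=invoker\n/=file\n"
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Aug/2000:10:00:00 -0700] "GET /board.html HTTP/1.0" 200 512',
    '10.0.0.5 - - [22/Aug/2000:10:00:07 -0700] "GET /servlet/' + JSPSERVLET
    + '/board.html HTTP/1.0" 200 91',
    '10.0.0.9 - - [22/Aug/2000:10:01:00 -0700] "GET /servlet/' + JSPSERVLET
    + '/index.jsp HTTP/1.0" 200 700',
]

if __name__ == "__main__":
    print("invoker rule active:", is_invoker_enabled(SAMPLE_RULES))
    print("non-JSP files compiled via JspServlet:", find_jspservlet_requests(SAMPLE_LOG))
```

On a hardened admin server the rules check should return False and the log scan should return an empty list; any hit points at a file that was handed to the page compiler through the invoker.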