Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"

Security Advisory
Sun's Java Web Server
----------------------------------------------------------------------
FS Advisory ID:       FS-071000-5-JWS
Release Date:         July 10, 2000
Product:              Java Web Server
Vendor:               Sun Microsystems (http://www.sun.com)
Vendor Advisory:      CERT Advisory: http://www.cert.org/advisories/CA-2000-02.html
                      JWS FAQ: http://www.sun.com/software/jwebserver/faq/jwsca-2000-02.html
Type:                 Remote command execution
Severity:             High (depending on your configuration)
Author:               Saumil Shah (saumil.shah@foundstone.com)
                      Shreeraj Shah (shreeraj.shah@foundstone.com)
                      Stuart McClure (stuart.mcclure@foundstone.com)
                      Foundstone, Inc. (http://www.foundstone.com)
Operating Systems:    Solaris and Windows NT
Vulnerable versions:  Sun Java Web Server, all versions
Foundstone Advisory:  http://www.foundstone.com/advisories.htm
----------------------------------------------------------------------

Description

A security weakness exists in Sun's Java Web Server default configuration. Using the Bulletin Board example application supplied with Java Web Server, it is possible to remotely execute arbitrary commands on the target system.

*NOTE: This advisory is a precautionary advisory, in an attempt to alert the user community about a known vulnerability that has just become practical to exploit. Please refer to Sun's FAQ referenced above. Also, please refer to CERT advisory CA-2000-02.

Details

JSP pages in Java Web Server are handled by com.sun.server.http.pagecompile.jsp.runtime.JspServlet, which compiles the JSP pages (if they are not already compiled), executes them within the Java Runtime Environment and hands the output back to the web server. It is possible to invoke this servlet manually using the /servlet/ prefix in the URL and point it at any arbitrary file on the web server, which is then compiled and executed as if it were a JSP file.
Specifically, plain HTML files can also be compiled and executed like JSP files. If JSP code can be injected into HTML files, it is possible to execute arbitrary commands on the server.

Java Web Server comes with a sample bulletin board application that creates a "board.html" file in the web document root directory; this file stores the messages posted to the bulletin board by remote users. The bulletin board application can be accessed at:

http://jws.site/examples/applications/bboard/bboard_frames.html

There is a user input text area for posting comments on the bulletin board. The code to be uploaded needs to be entered here and is written into "board.html" by clicking the Post To Board button. Once JSP code has been posted to "board.html", it can be compiled and executed by referencing the following URL:

http://jws.site/servlet/com.sun.server.http.pagecompile.jsp.runtime.JspServlet/board.html

It is possible to write Java code that executes arbitrary commands on the underlying operating system by using the Runtime.getRuntime().exec() method.

Proof of concept

The example below shows how to upload and run code that displays "Hello World", coming from the server. Given below is JSP code that will print "Hello World":

<% String s="Hello World"; %>
<%=s %>

Post this code to the bulletin board via:

http://jws.site/examples/applications/bboard/bboard_frames.html

Verify that the code has indeed been uploaded via:

http://jws.site/board.html

Compile and execute this code by referencing the following URL:

http://jws.site/servlet/com.sun.server.http.pagecompile.jsp.runtime.JspServlet/board.html

Solution

See Java Web Server's documentation section entitled "How to secure a web site that uses the Java Web Server" and Sun's Java Web Server FAQ (which was posted in response to CERT Advisory CA-2000-02) at:

http://www.sun.com/software/jwebserver/faq/jwsca-2000-02.html

Both documents describe detailed steps to lock down and harden the Java Web Server.
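As an added defender-side check that is not part of the original advisory, the following Python scans web server access-log lines in Common Log Format for direct invocations of the JspServlet through the /servlet/ prefix (flagging non-.jsp targets such as board.html separately) and for any traffic to the sample bulletin board, which shows the examples directory is still deployed. The log lines, the POST path under the bboard directory and the file name welcome.jsp are constructed for illustration and are not taken from the advisory.

```python
import re
from urllib.parse import unquote

# Page-compiler servlet named in the advisory; via the /servlet/ prefix a requester picks the file.
JSP_SERVLET = "/servlet/com.sun.server.http.pagecompile.jsp.runtime.JspServlet"
SAMPLE_APP_PREFIX = "/examples/applications/bboard/"  # sample bulletin board shipped with JWS

# Common Log Format: host ident authuser [date] "METHOD path PROTOCOL" status bytes
CLF_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$')

def classify_request(line):
    """Return finding labels for one access-log line (empty list if nothing noteworthy)."""
    m = CLF_RE.match(line)
    if not m:
        return []
    # Percent-decode and drop any query string so the path is compared in one canonical form.
    path = unquote(m.group("path").split("?", 1)[0])
    findings = []
    if path.startswith(JSP_SERVLET + "/"):
        target = path[len(JSP_SERVLET) + 1:]
        if target.lower().endswith(".jsp"):
            findings.append("jspservlet-direct-call:" + target)
        else:  # a non-.jsp file handed to the page compiler is exactly the pattern described
            findings.append("jspservlet-non-jsp-target:" + target)
    if path.startswith(SAMPLE_APP_PREFIX):  # any hit means the sample app is still deployed
        findings.append("sample-bboard-" + m.group("method").lower())
    return findings

def scan_log(lines):
    hits = []  # (host, path, findings) for every line that produced at least one finding
    for line in lines:
        findings = classify_request(line)
        if findings:
            m = CLF_RE.match(line)
            hits.append((m.group("host"), m.group("path"), findings))
    return hits

# Constructed sample log (not from a real server); the POST path and welcome.jsp are assumed names.
CONSTRUCTED_LOG = """\
10.0.0.5 - - [10/Jul/2000:09:12:01 -0700] "GET /index.html HTTP/1.0" 200 1523
10.0.0.7 - - [10/Jul/2000:09:14:22 -0700] "GET /examples/applications/bboard/bboard_frames.html HTTP/1.0" 200 842
10.0.0.7 - - [10/Jul/2000:09:15:03 -0700] "POST /examples/applications/bboard/post HTTP/1.0" 200 311
10.0.0.7 - - [10/Jul/2000:09:15:40 -0700] "GET /servlet/com.sun.server.http.pagecompile.jsp.runtime.JspServlet/board.html HTTP/1.0" 200 77
10.0.0.9 - - [10/Jul/2000:09:16:10 -0700] "GET /servlet/com.sun.server.http.pagecompile.jsp.runtime.JspServlet/welcome.jsp HTTP/1.0" 200 640
"""

if __name__ == "__main__":
    for host, path, findings in scan_log(CONSTRUCTED_LOG.splitlines()):
        print(host, path, ", ".join(findings))
```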
The issue itself can be removed simply by deleting the examples directory, as described in both documents.

Credits

We would also like to thank Sun Microsystems for their prompt response to us on this problem.

Disclaimer

The information contained in this advisory is the copyright (C) 2000 of Foundstone, Inc. and believed to be accurate at the time of printing, but no representation or warranty is given, express or implied, as to its accuracy or completeness. Neither the author nor the publisher accepts any liability whatsoever for any direct, indirect or consequential loss or damage arising in any way from any use of, or reliance placed on, this information for any purpose. This advisory may be redistributed provided that no fee is assigned and that the advisory is not modified in any way.