Vulnerability: JavaWebServer
Affected: Sun's Java Web Server (Solaris and Windows NT)

Description

The following is based on a Foundstone Security Advisory. Using Sun's Java Web Server's administration module configuration and the Bulletin Board example application supplied with Java Web Server, it is possible to remotely execute arbitrary commands on the target system despite existing vendor recommendations for hardening. Foundstone and Sun recommend implementing the vendor hardening steps, such as those found in Sun's advisory on locking down Java Web Server: http://www.sun.com/software/jwebserver/faq/jwsca-2000-02.html However, you must also implement the solutions below to address the issues discussed in this advisory.

The com.sun.server.http.pagecompile.jsp92.JspServlet servlet compiles JSP pages (if they are not already compiled), executes them within the Java Runtime Environment and hands the output back to the web server. Sun's Java Web Server FAQ (mentioned above) eliminated forced invocation of servlets using the /servlet/ prefix for the Java Web Server Web Service and Secure Web Service. However, it is still possible to use the administration module, which runs on port 9090 by default, to invoke servlets using the /servlet/ prefix in the URL and point JspServlet at any arbitrary file within the administration document root, which is then compiled and executed as if it were a JSP file. With carefully crafted JSP tags, it is possible to execute arbitrary commands on the server.

Java Web Server comes with a sample bulletin board application that creates a "board.html" file in the web document root directory; this file stores messages posted to the bulletin board by remote users. The bulletin board application can be accessed via the administration module at: http://jws.site:9090/examples/applications/bboard/bboard_frames.html There is a user input text area for posting comments on the bulletin board.
The code to be uploaded needs to be entered here and is written into "board.html" by clicking the Post To Board button. Once JSP code has been posted to "board.html", it is possible to get the code compiled and executed by referencing the following URL: http://jws.site:9090/servlet/com.sun.server.http.pagecompile.jsp92.JspServlet/board.html It is possible to write Java code that will allow arbitrary commands to be executed on the underlying operating system by using the Runtime.getRuntime().exec() method.

Sun's Java Web Server FAQ does mention removing unnecessary examples when deploying the server for a production environment. However, if there are any applications that write user input to a data file on the server, it may still be possible to exploit this vulnerability.

The example below shows how to upload and run code that displays "Hello World", coming from the server. Given below is JSP code that will print "Hello World":

    <% String s="Hello World"; %>
    <%=s %>

Post this code to the bulletin board via: http://jws.site:9090/examples/applications/bboard/bboard_frames.html
Verify that the code has indeed been uploaded via: http://jws.site:9090/board.html
Compile and execute this code by referencing the following URL: http://jws.site:9090/servlet/com.sun.server.http.pagecompile.jsp92.JspServlet/board.html

Solution

This is not a perfect workaround, just something that stops this vulnerability for the time being, but it destroys the administrative module's functionality. Remove or comment out the line:

    /servlet=invoker

in the file rules.properties, which can be found under:

    jws_directory/properties/server/adminserver/adminservice/rules.properties

Restart the Java Web Server. Note, however, that this renders the administrative module unusable.
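The following is an added example, not part of the Foundstone or Sun advisory, of applying the workaround above without hand-editing the file: it comments out every active `/servlet=invoker` mapping in a rules.properties text and reports whether the invoker is still enabled. It assumes the file is plain Java `key=value` properties format (one mapping per line, `#` or `!` comments, whitespace allowed around `=`); the file path and the sample contents are constructed placeholders.

```python
"""Disable the /servlet invoker mapping in a Java Web Server rules.properties.

Added example, not code from the advisory. Assumes the plain key=value
properties layout the advisory quotes; the path and SAMPLE_RULES below are
constructed placeholders, not a real installation.
"""
from pathlib import Path
from typing import List, Tuple

COMMENT_PREFIXES = ("#", "!")  # Java properties comment markers


def _is_invoker_mapping(line: str) -> bool:
    """True for an uncommented line that maps the /servlet prefix to 'invoker'."""
    stripped = line.strip()
    if not stripped or stripped.startswith(COMMENT_PREFIXES):
        return False
    key, sep, value = stripped.partition("=")
    return bool(sep) and key.strip() == "/servlet" and value.strip() == "invoker"


def invoker_enabled(text: str) -> bool:
    """Report whether an active /servlet=invoker mapping is still present."""
    return any(_is_invoker_mapping(line) for line in text.splitlines())


def disable_servlet_invoker(text: str) -> Tuple[str, bool]:
    """Comment out every active /servlet=invoker line.

    Returns (rewritten text, changed). Already-commented lines and mappings
    for other prefixes are left untouched, so the function is idempotent.
    """
    out: List[str] = []
    changed = False
    for line in text.splitlines(keepends=True):
        if _is_invoker_mapping(line):
            out.append("# disabled (advisory workaround): " + line)
            changed = True
        else:
            out.append(line)
    return "".join(out), changed


def harden_file(path: Path) -> bool:
    """Apply the workaround to a file on disk, keeping a .bak copy; True if modified."""
    original = path.read_text()
    updated, changed = disable_servlet_invoker(original)
    if changed:
        path.with_name(path.name + ".bak").write_text(original)
        path.write_text(updated)
    return changed


# Constructed sample of an adminservice rules.properties (not a real file).
SAMPLE_RULES = """\
# rules.properties (constructed sample)
/=file
/servlet=invoker
/cgi-bin=cgi
"""

if __name__ == "__main__":
    # Placeholder: point this at jws_directory/properties/server/adminserver/adminservice/rules.properties
    new_text, changed = disable_servlet_invoker(SAMPLE_RULES)
    print(new_text)
    print("changed:", changed, "| invoker still enabled:", invoker_enabled(new_text))
```

After running `harden_file` on the real path, restart the Java Web Server as the advisory states; `invoker_enabled` on the rewritten file is a quick way to confirm the mapping is gone before the restart.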
As for the vendor fix, please install the following patches on systems running Java Web Server:

    Java Web Server Version    Patch ID
    ------------------------   -----------
    1.1.3                      Patch 3
    2.0                        Patch 3

For Java Web Server versions 1.1.1 and 1.1.2, first upgrade the Java Web Server and then install the appropriate patch. Patches are available at:
http://java.sun.com/products/java-server/jws113patch3.html
http://java.sun.com/products/java-server/jws20patch3.html
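Until the patch is applied, the request pattern described in this advisory is easy to spot in the administration module's access log. The following is an added example, not from the advisory, that flags two things: any request routed through the /servlet/ invoker that names JspServlet directly (the admin module compiling an arbitrary document as JSP), and POSTs under the sample bulletin board path (writes that end up in board.html). It assumes the admin module writes NCSA common-format lines; the log lines below are constructed, and the exact POST endpoint of the bboard example is an assumption, so the rule matches the whole /examples/applications/bboard/ prefix.

```python
"""Flag Java Web Server admin-module requests matching the advisory's pattern.

Added example, not code from the advisory. Assumes NCSA common-format
access-log lines; adjust LOG_RE if your log layout differs. SAMPLE_LOG is
constructed, not real traffic.
"""
import re
from typing import Dict, List, Optional

JSP_INVOKER = "/servlet/com.sun.server.http.pagecompile.jsp92.JspServlet/"
BBOARD_PREFIX = "/examples/applications/bboard/"  # sample app path from the advisory

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one common-format access-log line; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Return a finding label for a parsed entry, or None if nothing of interest."""
    path = entry["path"]
    if path.startswith(JSP_INVOKER):
        # The invoker prefix pointing JspServlet at a document: the document is
        # compiled and executed as JSP regardless of its extension.
        return "jsp-invoker: " + path[len(JSP_INVOKER):]
    if entry["method"] == "POST" and path.startswith(BBOARD_PREFIX):
        # Content posted to the sample board is written to board.html in the
        # document root; correlate with a later jsp-invoker hit on that file.
        return "bboard-post"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify over every parseable line and collect the findings."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not in the expected format
        label = classify(entry)
        if label:
            findings.append({
                "host": entry["host"],
                "time": entry["time"],
                "status": entry["status"],
                "finding": label,
            })
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2000:10:00:01 +0000] "GET /examples/applications/bboard/bboard_frames.html HTTP/1.0" 200 1234',
    '10.0.0.5 - - [01/Jan/2000:10:00:09 +0000] "POST /examples/applications/bboard/post HTTP/1.0" 200 512',
    '10.0.0.5 - - [01/Jan/2000:10:00:15 +0000] "GET /servlet/com.sun.server.http.pagecompile.jsp92.JspServlet/board.html HTTP/1.0" 200 87',
    '10.0.0.9 - - [01/Jan/2000:10:01:00 +0000] "GET /index.html HTTP/1.0" 200 2048',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A single host producing a bboard-post followed shortly by a jsp-invoker hit on board.html is the sequence the advisory describes; a jsp-invoker hit on any other document is equally worth investigating, since the invoker does not care which file it is pointed at.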