COMMAND
JavaWebServer
SYSTEMS AFFECTED
Sun's Java Web Server (Solaris and Windows NT)
PROBLEM
Following is based on a Foundstone Security Advisory. Using Sun's
Java Web Server's administration module configuration and the
Bulletin Board example application supplied with Java Web Server,
it is possible to remotely execute arbitrary commands on the
target system despite existing vendor recommendations for
hardening.
Foundstone and Sun recommend implementing the vendor's hardening
steps, such as those found in Sun's advisory
http://www.sun.com/software/jwebserver/faq/jwsca-2000-02.html
on locking down Java Web Server. However, you must also implement
the solutions below to address the issues discussed in this
advisory.
The com.sun.server.http.pagecompile.jsp92.JspServlet servlet
compiles JSP pages (if they are not already compiled), executes
them within the Java Runtime Environment and hands the output back
to the web server.
Sun's Java Web Server FAQ (mentioned above) eliminated forced
invocation of servlets using the /servlet/ prefix for the Java Web
Server Web Service and Secure Web Service. However, the
administration module, which runs on port 9090 by default, still
allows servlets to be invoked using the /servlet/ prefix in the
URL. JspServlet can therefore be pointed at any arbitrary file
within the administration document root, which is then compiled
and executed as if it were a JSP file. With carefully crafted JSP
tags, it is possible to execute arbitrary commands on the server.
Java Web Server comes with a sample bulletin board application
that creates a "board.html" file in the web document root
directory, which stores messages posted to the bulletin board by
remote users. The bulletin board application can be accessed via
the administration module at:
http://jws.site:9090/examples/applications/bboard/bboard_frames.html
There is a user input text area for posting comments on the
bulletin board. The code to be uploaded needs to be entered here;
it is written into "board.html" by clicking the Post To Board
button.
If JSP code has been posted to "board.html", it is possible to get
the code compiled and executed by referencing the following URL:
http://jws.site:9090/servlet/com.sun.server.http.pagecompile.jsp92.JspServlet/board.html
It is possible to write Java code that will allow arbitrary
commands to be executed on the underlying operating system by
using the Runtime.getRuntime().exec() method.
Sun's Java Web Server FAQ does mention removing unnecessary
examples when deploying the server for a production environment.
However, the same vulnerability may be exploitable through any
application that writes user input to a data file under the
server's document root.
The example below shows how to upload and run code that displays
"Hello World", coming from the server. Given below is JSP code
that will print "Hello World":
<% String s="Hello World"; %>
<%=s %>
Post this code to the bulletin board via:
http://jws.site:9090/examples/applications/bboard/bboard_frames.html
Verify that the code has indeed been uploaded via:
http://jws.site:9090/board.html
Compile and execute this code by referencing the following URL:
http://jws.site:9090/servlet/com.sun.server.http.pagecompile.jsp92.JspServlet/board.html
SOLUTION
This is not a perfect workaround, just something that stops this
vulnerability for the time being, but it destroys the
administrative module's functionality. Remove or comment out the
line:
/servlet=invoker
in the file rules.properties which can be found under:
jws_directory/properties/server/adminserver/adminservice/rules.properties
Restart the Java Web Server. Note again that this renders the
administrative module unusable.
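As an added defensive check (example code, not part of the Foundstone advisory or the Java Web Server product), the script below audits a rules.properties file for the /servlet=invoker mapping discussed above and scans access-log lines for requests that reach JspServlet through the /servlet/ prefix. The properties text and log lines are constructed samples; the Common Log Format layout and the client addresses are assumptions.

```python
import re
from typing import Dict, List

JSP_SERVLET = "com.sun.server.http.pagecompile.jsp92.JspServlet"

# Constructed sample of an adminservice rules.properties (the real file is
# jws_directory/properties/server/adminserver/adminservice/rules.properties).
RULES_PROPERTIES = """\
# constructed sample for illustration
/=file
/servlet=invoker
"""

# Constructed access-log lines in Common Log Format (hypothetical clients/times).
ACCESS_LOG = """\
10.0.0.5 - - [01/Jul/2000:10:00:01 +0000] "GET /examples/applications/bboard/bboard_frames.html HTTP/1.0" 200 1204
10.0.0.5 - - [01/Jul/2000:10:00:14 +0000] "GET /board.html HTTP/1.0" 200 412
10.0.0.5 - - [01/Jul/2000:10:00:15 +0000] "GET /servlet/com.sun.server.http.pagecompile.jsp92.JspServlet/board.html HTTP/1.0" 200 88
10.0.0.9 - - [01/Jul/2000:10:02:00 +0000] "GET /servlet/com.sun.server.http.pagecompile.jsp92.JspServlet/index.html HTTP/1.0" 200 56
10.0.0.9 - - [01/Jul/2000:10:02:30 +0000] "GET /index.html HTTP/1.0" 200 5120
"""

def parse_rules(text: str) -> Dict[str, str]:
    """Parse Java .properties rules: key=value or key:value, '#'/'!' comments."""
    rules: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            rules[m.group(1)] = m.group(2).strip()
    return rules

def invoker_mapping_enabled(rules_text: str) -> bool:
    """True if the admin service still maps /servlet to the invoker."""
    return parse_rules(rules_text).get("/servlet") == "invoker"

REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')

def find_jspservlet_requests(log_text: str) -> List[Dict[str, str]]:
    """Return (client, target file) for each request invoking JspServlet via /servlet/."""
    prefix = f"/servlet/{JSP_SERVLET}/"
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and m.group("path").startswith(prefix):
            hits.append({"client": m.group("client"),
                         "target": m.group("path")[len(prefix):]})
    return hits
```

Run `invoker_mapping_enabled` against the real rules.properties after applying the workaround to confirm the mapping is gone, and feed the admin module's access log (port 9090) to `find_jspservlet_requests`; any hit is a file in the administration document root being compiled as JSP.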
As for the vendor fix, please install the following patches on
systems running Java Web Server:
Java Web Server Version    Patch ID
-----------------------    --------
1.1.3                      Patch 3
2.0                        Patch 3
For Java Web Server versions 1.1.1 and 1.1.2, first upgrade the
Java Web Server and then install the appropriate patch. Patches
are available at:
http://java.sun.com/products/java-server/jws113patch3.html
http://java.sun.com/products/java-server/jws20patch3.html