COMMAND

    JavaWebServer

SYSTEMS AFFECTED

    Sun's Java Web Server (Solaris and Windows NT)

PROBLEM

    Following is based on a Foundstone Security Advisory.  Using Sun's
    Java  Web  Server's  administration  module  configuration and the
    Bulletin Board example application supplied with Java Web  Server,
    it  is  possible  to  remotely  execute  arbitrary commands on the
    target  system   despite  existing   vendor  recommendations   for
    hardening.

    Foundstone  and  Sun  recommend  implementing  the vendor-recommended
    hardening steps, such as those found in Sun's advisory

        http://www.sun.com/software/jwebserver/faq/jwsca-2000-02.html

    on locking down Java Web Server.  However, you must implement  the
    solutions below to address the issues discussed in this advisory.

    The com.sun.server.http.pagecompile.jsp92.JspServlet servlet compiles
    JSP pages (if they are not already compiled), executes them within the
    Java Runtime Environment and hands the output back to the web server.

    Sun's Java Web Server FAQ (mentioned above) eliminated forced invocation
    of servlets using the /servlet/ prefix for the Java Web Server Web
    Service and Secure Web Service.  However, it is possible to use the
    administration module, which runs on port 9090 by default, to invoke
    servlets using the /servlet/ prefix in the URL and point them at any
    arbitrary file within the administration document root on the web
    server, which is then compiled and executed as if it were a JSP file.
    With carefully crafted JSP tags, it is possible to execute arbitrary
    commands on the server.

    Java Web  Server comes  with a  sample bulletin  board application
    that  creates  a  "board.html"  file  in  the  web  document  root
    directory, that stores  messages posted to  the bulletin board  by
    remote users.  The bulletin board application can be accessed  via
    the administration module by:

        http://jws.site:9090/examples/applications/bboard/bboard_frames.html

    There  is  a  user  input  text  area  for posting comments on the
    bulletin board.  The code to be uploaded needs to be entered here,
    and  uploaded  into  "board.html"  by  clicking  the Post To Board
    button.

    If JSP code has been posted to "board.html", it is possible to get
    the code compiled and executed by referencing the following URL:

        http://jws.site:9090/servlet/com.sun.server.http.pagecompile.jsp92.JspServlet/board.html

    It  is  possible  to  write  Java  code  that will allow arbitrary
    commands  to  be  executed  on  the underlying operating system by
    using the Runtime.getRuntime().exec() method.

    Sun's Java Web Server FAQ does mention removing unnecessary examples
    when deploying the server for a production environment.  However, if
    there are applications that write user input to a data file on the
    server, it may be possible to exploit this vulnerability through them.

    The example below shows how  to upload and run code  that displays
    "Hello World", coming  from the server.   Given below is  JSP code
    that will print "Hello World":

        <% String s="Hello World"; %>
        <%=s %>

    Post this code to the bulletin board via:

        http://jws.site:9090/examples/applications/bboard/bboard_frames.html

    Verify that the code has indeed been uploaded via:

        http://jws.site:9090/board.html

    Compile and execute this code by referencing the following URL:

        http://jws.site:9090/servlet/com.sun.server.http.pagecompile.jsp92.JspServlet/board.html

SOLUTION

    This is not a perfect  workaround, just something that stops  this
    vulnerability  for   the  time   being,  but   it  destroys    the
    administrative module's functionality.  Remove or comment out  the
    line:

        /servlet=invoker

    in the file rules.properties which can be found under:

        jws_directory/properties/server/adminserver/adminservice/rules.properties

    Restart  the   Java  Web   Server.   However   this  renders   the
    administrative module unusable.
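    To verify that the workaround took effect and to spot invoker requests
    in the access log, the following added Python script (not part of the
    original advisory) audits a rules.properties text for an active
    /servlet=invoker mapping, lists requests that reach JspServlet through
    the /servlet/ prefix in common-log-format lines, and checks a
    user-written data file such as board.html for JSP tags.  The sample
    inputs and the ExampleServlet name are constructed for illustration.

```python
import re

JSP_SERVLET = "com.sun.server.http.pagecompile.jsp92.JspServlet"
# Admin-module invoker path from the advisory: /servlet/<class>[/<file in admin doc root>]
INVOKER_RE = re.compile(r"^/servlet/([\w.]+)(/[^\s?]*)?")
# Common-log-format prefix: client, identity, user, [timestamp], "METHOD path ..."
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+)')
# JSP scriptlet/expression tags such as <% ... %> and <%= ... %>
JSP_TAG_RE = re.compile(r"<%.*?%>", re.S)

def invoker_mapping_active(rules_properties_text):
    """True if rules.properties still maps /servlet to the invoker, i.e. the
    workaround has not been applied.  '#' and '!' start .properties comments."""
    for raw in rules_properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        if key.strip() == "/servlet" and value.strip() == "invoker":
            return True
    return False

def invoker_requests(log_lines, servlet=JSP_SERVLET):
    """(client, target path) for each log line that reaches `servlet` through
    the /servlet/ prefix; the default flags JspServlet page compiles."""
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line)
        inv = INVOKER_RE.match(m.group(2)) if m else None
        if inv and inv.group(1) == servlet:
            hits.append((m.group(1), inv.group(2) or ""))
    return hits

def contains_jsp_tags(text):
    """True if user-supplied content (e.g. board.html) carries JSP tags, which
    is what turns a data file into executable code under JspServlet."""
    return JSP_TAG_RE.search(text) is not None

# Constructed sample inputs, not taken from a real server.
SAMPLE_RULES_VULNERABLE = "# admin service rules\n/servlet=invoker\n/=file\n"
SAMPLE_RULES_FIXED = "# admin service rules\n#/servlet=invoker\n/=file\n"
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2000:10:00:00 +0000] "GET /examples/applications/bboard/bboard_frames.html HTTP/1.0" 200 1410',
    '10.0.0.5 - - [01/Jan/2000:10:00:07 +0000] "POST /servlet/ExampleServlet HTTP/1.0" 200 310',
    '10.0.0.5 - - [01/Jan/2000:10:00:15 +0000] "GET /servlet/' + JSP_SERVLET + '/board.html HTTP/1.0" 200 512',
]
SAMPLE_BOARD = '<html><body><p>normal post</p><% String s="Hello World"; %><%=s %></body></html>'
```

    Run the functions against the real rules.properties, access log and
    board.html; any JspServlet hit through the /servlet/ prefix on the
    admin port warrants a look at what file it targeted.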

    As for the vendor fix, please install the following patches on systems
    running Java Web Server:

        Java Web Server Version    Patch ID
        ------------------------   -----------
        1.1.3                      Patch 3
        2.0                        Patch 3

    For Java Web  Server versions 1.1.1  and 1.1.2, first  upgrade the
    Java Web Server and then  install the appropriate patch.   Patches
    are available at:

        http://java.sun.com/products/java-server/jws113patch3.html
        http://java.sun.com/products/java-server/jws20patch3.html