COMMAND

    Jrun

SYSTEMS AFFECTED

    Allaire JRUN Server 2.3

PROBLEM

    Following is based on  a Foundstone Security Advisory  by Shreeraj
    Shah, Saumil Shah and Stuart  McClure.  It is possible  to compile
    and  execute  any  arbitrary  file  within  the  web document root
    directory of the JRUN's web server as if it were a JSP file,  even
    if the file type is not .jsp.

    If applications  running on  the JRUN  2.3 server  write to  files
    within the web document root  directory, it is possible to  insert
    executable  code  in  the  form  of  JSP  tags  and  have the code
    compiled and executed using JRUN's handlers.  This can potentially
    allow an attacker to gain administrative control of the underlying
    operating system.

    This  vulnerability  is  similar  to  the remote execution bug for
    Sun's Java Web Server and BEA's WebLogic application server.

    From the rules.properties and servlets.properties file, it is seen
    that the URL prefix  /servlet/ can be used  as an invoker for  any
    servlet.  Also, the JRUN  servlet engine handles all jsp  requests
    by invoking the com.livesoftware.jrun.plugins.JSP servlet.

    It is  possible to  invoke these  servlets manually,  even if they
    are not registered in  the JRUN configuration, using  the complete
    class name in the URL prefixed by /servlet/, and point them at any
    arbitrary file on the web server.  This file will then be compiled
    and executed as if it were a JSP file. If JSP code can be injected
    into  any  file  on  the  web  server  via  an application (e.g. a
    guestbook  application),  it  is  possible  to  execute  arbitrary
    commands on the server.

    Assume that there is an application on the JRUN server that writes
    user entered data to a file called "temp.txt".  Given below is JSP
    code that will print "Hello World":

        <% out.println("Hello World"); %>

    If this  code is  somehow inserted  in the  file "temp.txt" via an
    application, then  the following  two URLs  can be  used to invoke
    forced compilation and execution of "temp.txt":

        http://jrun:8000/servlet/com.livesoftware.jrun.plugins.jsp.JSP/../../path/to/temp.txt
        http://jrun:8000/servlet/jsp/../../path/to/temp.txt

    Note: It is assumed that JRun runs on host "jrun", port 8000.
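    The following is an added detection example, not part of the original
    advisory or of JRun itself.  It parses web server access-log lines in
    Common Log Format and flags requests that reach the JSP handler through
    the /servlet/ invoker, the pattern described above, giving the highest
    severity to requests that combine the handler with "../" traversal or a
    target that is not a .jsp file.  Both spellings of the handler class
    used in the advisory (com.livesoftware.jrun.plugins.JSP and
    com.livesoftware.jrun.plugins.jsp.JSP) and the "jsp" alias are matched.
    The log lines, hosts, addresses and timestamps are constructed for the
    example; percent-encoding is decoded before inspection so an encoded
    "..%2f" is not missed.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format).  The IP addresses,
# timestamps and paths are made up for this example; the two "high" lines
# mirror the URL shapes quoted in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2001:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 512
10.0.0.5 - - [01/Jan/2001:10:00:01 +0000] "GET /guestbook/view.jsp HTTP/1.0" 200 2048
10.0.0.9 - - [01/Jan/2001:10:00:02 +0000] "GET /servlet/com.livesoftware.jrun.plugins.jsp.JSP/../../path/to/temp.txt HTTP/1.0" 200 17
10.0.0.9 - - [01/Jan/2001:10:00:03 +0000] "GET /servlet/jsp/..%2f..%2fpath/to/temp.txt HTTP/1.0" 200 17
10.0.0.7 - - [01/Jan/2001:10:00:04 +0000] "GET /servlet/SnoopServlet HTTP/1.0" 200 900
"""

# Extract the request line from a CLF record.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)"')

# The JSP handler can be reached by its fully qualified class name (either
# spelling used in the advisory) or by the "jsp" alias from servlets.properties.
JSP_HANDLER_RE = re.compile(
    r'^/servlet/(?:com\.livesoftware\.jrun\.plugins\.(?:jsp\.)?JSP|jsp)(?P<rest>/.*)?$',
    re.IGNORECASE,
)


def classify_request(raw_path: str) -> Dict[str, object]:
    """Return detection flags and a severity for one request path."""
    # Drop the query string and decode percent-encoding before inspection.
    path = unquote(raw_path.split("?", 1)[0])
    handler = JSP_HANDLER_RE.match(path)
    uses_invoker = path.lower().startswith("/servlet/")

    # Everything after the handler name is the file the handler is pointed at.
    target = (handler.group("rest") or "") if handler else ""
    segments = [s for s in target.split("/") if s]
    traversal = ".." in segments
    non_jsp_target = bool(segments) and not segments[-1].lower().endswith(".jsp")

    if handler and (traversal or non_jsp_target):
        severity = "high"      # handler pointed outside its normal scope
    elif handler:
        severity = "medium"    # JSP handler reached through the invoker
    elif uses_invoker:
        severity = "low"       # invoker in use at all (worth an inventory)
    else:
        severity = "none"

    return {
        "path": path,
        "uses_invoker": uses_invoker,
        "jsp_handler": bool(handler),
        "traversal": traversal,
        "non_jsp_target": non_jsp_target,
        "severity": severity,
    }


def scan_log(log_text: str) -> List[Dict[str, object]]:
    """Classify every request line in a log and return the flagged ones."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        result = classify_request(match.group("path"))
        if result["severity"] != "none":
            result["line"] = line
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f'{finding["severity"]:6} {finding["path"]}')
```

    In practice the "low" findings are as useful as the "high" ones: a
    server that never legitimately serves anything under /servlet/ should
    produce none, so any hit shows the invoker prefix is still reachable.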

SOLUTION

    Follow  the  recommendations  given  in  Allaire Security Bulletin
    ASB00-29.