[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Allaire JRUN 2.3 Remote command execution

Title: Allaire JRUN 2.3 Remote command execution
Released by: Foundstone
Date: 23rd October 2000
Printable version: Click here
                            Foundstone, Inc.


                      "Securing the Dot Com World"

                           Security Advisory

                           Allaire JRUN 2.3


FS Advisory ID:         FS-102300-14-JRUN

Release Date:           October 23, 2000

Product:                Allaire JRUN 2.3

Vendor:                 Allaire Inc. (http://www.allaire.com)

Vendor Advisory:        http://www.allaire.com/security/

Type:                   Remote command execution

Severity:               High

Author:                 Shreeraj Shah (shreeraj.shah@foundstone.com)

                        Saumil Shah (saumil.shah@foundstone.com)

                        Stuart McClure (stuart.mcclure@foundstone.com)

                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      All operating systems supported by JRUN

Vulnerable versions:    JRUN Server v2.3

Foundstone Advisory:




        It is possible to compile and execute any arbitrary file

        within the web document root directory of the JRUN's web

        server as if it were a JSP file, even if the file type is not


        If applications running on the JRUN 2.3 server write to files

        within the web document root directory, it is possible to

        insert executable code in the form of JSP tags and have the

        code compiled and executed using JRUN's handlers. This can

        potentially cause an attacker to gain administrative control

        of the underlying operating systems.

        The theory behind such vulnerabilities is described in CERT

        Advisory CA-2000-02 which can be found at:


        This vulnerability is similar to the remote execution

        vulnerability for Sun's Java Web Server and BEA's WebLogic

        application server reported previously by Foundstone.

        (FS-071000-5-JWS and FS-073100-10-BEA)


        From the rules.properties and servlets.properties file, it is

        seen that the URL prefix /servlet/ can be used as an invoker

        for any servlet. Also, the JRUN servlet engine handles all jsp

        requests by invoking the com.livesoftware.jrun.plugins.JSP


        It is possible to invoke these servlets manually, even if they

        are not registered in the JRUN configuration, using the

        complete name in the URL prefixed by /servlet/, and point it

        to any arbitrary file on the web server. This file will be

        then compiled and executed as if it were a JSP file. If JSP

        code can be injected into any file on the web server via an

        application (e.g. a guestbook application), it is possible to

        execute arbitrary commands on the server.

Proof of concept

        Assume that there is an application on the JRUN server that

        writes user entered data to a file called "temp.txt".

        Given below is JSP code that will print "Hello World":

        <% out.println("Hello World"); %>

        If this code is somehow inserted in the file "temp.txt" via an

        application, then the following two URLs can be used to invoke

        forced compilation and execution of "temp.txt":




        Note: It is assumed that JRun runs on host "jrun", port 8000.


        Follow the recommendations given in Allaire Security Bulletin

        ASB00-29, available at: http://www.allaire.com/security/


        We would also like to thank Allaire for their prompt reaction

        to this problem and their co-operation in heightening

        security awareness in the security community.


        The information contained in this advisory is the copyright

        (C) 2000 of Foundstone, Inc. and believed to be accurate at

        the time of printing, but no representation or warranty is

        given, express or implied, as to its accuracy or completeness.

        Neither the author nor the publisher accepts any liability

        whatsoever for any direct, indirect or conquential loss or

        damage arising in any way from any use of, or reliance placed

        on, this information for any purpose. This advisory may be

        redistributed provided that no fee is assigned and that the

        advisory is not modified in any way.

(C) 1999-2000 All rights reserved.