[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Sun's Java Web Server Remote Command Execution on Admin Server

Title: Sun's Java Web Server Remote Command Execution on Admin Server
Released by: Sun
Date: 22nd August 2000
Printable version: Click here
                            Foundstone, Inc.


                      "Securing the Dot Com World"

                           Security Advisory

    Sun's Java Web Server Remote Command Execution on Admin Server


FS Advisory ID:         FS-082200-11-JWS

Release Date:           August 22, 2000

Product:                Java Web Server

Vendor:                 Sun Microsystems (http://www.sun.com)

Type:                   Remote command execution

Severity:               High

Author:                 Saumil Shah (saumil.shah@foundstone.com)

                        Shreeraj Shah (shreeraj.shah@foundstone.com)

                        Stuart McClure (stuart.mcclure@foundstone.com)

                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      Solaris and Windows NT

Vulnerable versions:    Sun Java Web Server, all versions

Foundstone Advisory:    http://www.foundstone.com



        Using Sun's Java Web Server's administration module

        configuration and the Bulletin Board example application

        supplied with Java Web Server, it is possible to remotely

        execute arbitrary commands on the target system despite

        existing vendor recommendations for hardening.

        NOTE: Foundstone and Sun recommends implementing

        vendor recommended hardening steps as those found in Sun's

        advisory http://www.sun.com/software/jwebserver/faq/

        jwsca-2000-02.html on locking down Java Web Server. However,

        you must implement the solutions below to address the issues

        discussed in this advisory.


        The com.sun.server.http.pagecompile.jsp92.JspServlet servlet

        is also known to compile JSP pages (if they are not already

        compiled) and execute them within the Java Runtime Enviroment

        and hand the output back to the web server.

        Sun's Java Web Server FAQ (mentioned above) eliminated forced

        invocation of servlets using the /servlet/ prefix for the Java

        Web Server Web Service and Secure Web Service. However, it is

        possible to use the administration module, which runs on port

        9090 by default and invoke servlets using the /servlet/ prefix

        in the URL and point it to any arbitrary file within the

        administration document root on the web server to be compiled

        and executed as if it were a JSP file. With carefully crafted

        JSP tags, it is possible to execute arbitrary commands on the


        Java Web Server comes with a sample bulletin board application

        that creates a "board.html" file in the web document root

        directory, that stores messages posted to the bulletin board

        by remote users. The bulletin board application can be

        accessed via the administration module by:



        There is a user input text area for posting comments on the

        bulletin board. The code to be uploaded needs to be entered

        here, and uploaded into "board.html" by clicking the Post To

        Board button.

        If JSP code has been posted to "board.html", it is possible to

        get the code compiled and executed by referencing the

        following URL:



        It is possible to write Java code that will allow arbitrary

        commands to be executed on the underlying operating system by

        using the Runtime.getRuntime().exec() method.

        Sun's Java Web Server FAQ does mention removing unnecessary

        examples when deploying the server for a production environment.

        However, if there are applications that write user inputs to a

        data file on the server it may be possible to exploit this


Proof of concept

        The example below shows how to upload and run code that

        displays "Hello World", coming from the server.

        Given below is JSP code that will print "Hello World":

        <% String s="Hello World"; %>

        <%=s %>

        Post this code to the bulletin board via:



        Verify that the code has indeed been uploaded via:


        Compile and execute this code by referencing the following URL:





        This is not a perfect workaround, just something that stops

        this vulnerability for the time being, but it destroys the

        administrative module's functionality.

        Remove or comment out the line:


        in the file rules.properties which can be found under:



        Restart the Java Web Server. However this renders the

        administrative module unusable.

        Vendor Fix:

        Please install the following patches on systems running Java

        Web Server:

        Java Web Server Version    Patch ID

        ------------------------   -----------

        1.1.3                      Patch 3

        2.0                        Patch 3

        For Java Web Server versions 1.1.1 and 1.1.2, first upgrade the

        Java Web Server and then install the appropriate patch.

        Patches are available at:




        We would also like to thank Sun Microsystems for their prompt

        reaction to this problem and their co-operation in heightening

        security awareness in the security community.


        The information contained in this advisory is the copyright

        (C) 2000 of Foundstone, Inc. and believed to be accurate at

        the time of printing, but no representation or warranty is

        given, express or implied, as to its accuracy or completeness.

        Neither the author nor the publisher accepts any liability

        whatsoever for any direct, indirect or conquential loss or

        damage arising in any way from any use of, or reliance placed

        on, this information for any purpose. This advisory may be

        redistributed provided that no fee is assigned and that the

        advisory is not modified in any way.

(C) 1999-2000 All rights reserved.