||Home : Advisories : Sun's Java Web Server Remote Command Execution on Admin Server|
||Sun's Java Web Server Remote Command Execution on Admin Server
||22nd August 2000
"Securing the Dot Com World"
Sun's Java Web Server Remote Command Execution on Admin Server
FS Advisory ID: FS-082200-11-JWS
Release Date: August 22, 2000
Product: Java Web Server
Vendor: Sun Microsystems (http://www.sun.com)
Type: Remote command execution
Author: Saumil Shah (email@example.com)
Shreeraj Shah (firstname.lastname@example.org)
Stuart McClure (email@example.com)
Foundstone, Inc. (http://www.foundstone.com)
Operating Systems: Solaris and Windows NT
Vulnerable versions: Sun Java Web Server, all versions
Foundstone Advisory: http://www.foundstone.com
Using Sun's Java Web Server's administration module
configuration and the Bulletin Board example application
supplied with Java Web Server, it is possible to remotely
execute arbitrary commands on the target system despite
existing vendor recommendations for hardening.
NOTE: Foundstone and Sun recommends implementing
vendor recommended hardening steps as those found in Sun's
jwsca-2000-02.html on locking down Java Web Server. However,
you must implement the solutions below to address the issues
discussed in this advisory.
The com.sun.server.http.pagecompile.jsp92.JspServlet servlet
is also known to compile JSP pages (if they are not already
compiled) and execute them within the Java Runtime Enviroment
and hand the output back to the web server.
Sun's Java Web Server FAQ (mentioned above) eliminated forced
invocation of servlets using the /servlet/ prefix for the Java
Web Server Web Service and Secure Web Service. However, it is
possible to use the administration module, which runs on port
9090 by default and invoke servlets using the /servlet/ prefix
in the URL and point it to any arbitrary file within the
administration document root on the web server to be compiled
and executed as if it were a JSP file. With carefully crafted
JSP tags, it is possible to execute arbitrary commands on the
Java Web Server comes with a sample bulletin board application
that creates a "board.html" file in the web document root
directory, that stores messages posted to the bulletin board
by remote users. The bulletin board application can be
accessed via the administration module by:
There is a user input text area for posting comments on the
bulletin board. The code to be uploaded needs to be entered
here, and uploaded into "board.html" by clicking the Post To
If JSP code has been posted to "board.html", it is possible to
get the code compiled and executed by referencing the
It is possible to write Java code that will allow arbitrary
commands to be executed on the underlying operating system by
using the Runtime.getRuntime().exec() method.
Sun's Java Web Server FAQ does mention removing unnecessary
examples when deploying the server for a production environment.
However, if there are applications that write user inputs to a
data file on the server it may be possible to exploit this
Proof of concept
The example below shows how to upload and run code that
displays "Hello World", coming from the server.
Given below is JSP code that will print "Hello World":
<% String s="Hello World"; %>
Post this code to the bulletin board via:
Verify that the code has indeed been uploaded via:
Compile and execute this code by referencing the following URL:
This is not a perfect workaround, just something that stops
this vulnerability for the time being, but it destroys the
administrative module's functionality.
Remove or comment out the line:
in the file rules.properties which can be found under:
Restart the Java Web Server. However this renders the
administrative module unusable.
Please install the following patches on systems running Java
Java Web Server Version Patch ID
1.1.3 Patch 3
2.0 Patch 3
For Java Web Server versions 1.1.1 and 1.1.2, first upgrade the
Java Web Server and then install the appropriate patch.
Patches are available at:
We would also like to thank Sun Microsystems for their prompt
reaction to this problem and their co-operation in heightening
security awareness in the security community.
The information contained in this advisory is the copyright
(C) 2000 of Foundstone, Inc. and believed to be accurate at
the time of printing, but no representation or warranty is
given, express or implied, as to its accuracy or completeness.
Neither the author nor the publisher accepts any liability
whatsoever for any direct, indirect or conquential loss or
damage arising in any way from any use of, or reliance placed
on, this information for any purpose. This advisory may be
redistributed provided that no fee is assigned and that the
advisory is not modified in any way.