From labs@FOUNDSTONE.COM Mon Oct 23 22:38:26 2000
From: Foundstone Labs
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Mon, 23 Oct 2000 11:42:43 -0700
Subject: [BUGTRAQ] Allaire JRUN 2.3 Remote command execution

Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"

Security Advisory
Allaire JRUN 2.3
----------------------------------------------------------------------
FS Advisory ID:        FS-102300-14-JRUN
Release Date:          October 23, 2000
Product:               Allaire JRUN 2.3
Vendor:                Allaire Inc. (http://www.allaire.com)
Vendor Advisory:       http://www.allaire.com/security/
Type:                  Remote command execution
Severity:              High
Author:                Shreeraj Shah (shreeraj.shah@foundstone.com)
                       Saumil Shah (saumil.shah@foundstone.com)
                       Stuart McClure (stuart.mcclure@foundstone.com)
                       Foundstone, Inc. (http://www.foundstone.com)
Operating Systems:     All operating systems supported by JRUN
Vulnerable versions:   JRUN Server v2.3
Foundstone Advisory:   http://www.foundstone.com/cgi-bin/display.cgi?Section_ID=13
----------------------------------------------------------------------

Description

It is possible to compile and execute any arbitrary file within the web document root directory of JRUN's web server as if it were a JSP file, even if the file type is not .jsp. If applications running on the JRUN 2.3 server write to files within the web document root directory, it is possible to insert executable code in the form of JSP tags and have the code compiled and executed using JRUN's handlers. This can potentially allow an attacker to gain administrative control of the underlying operating system.
The theory behind such vulnerabilities is described in CERT Advisory CA-2000-02, which can be found at:

http://www.cert.org/advisories/CA-2000-02.html

This vulnerability is similar to the remote execution vulnerabilities in Sun's Java Web Server and BEA's WebLogic application server reported previously by Foundstone (FS-071000-5-JWS and FS-073100-10-BEA).

Details

From the rules.properties and servlets.properties files, it can be seen that the URL prefix /servlet/ can be used as an invoker for any servlet. Also, the JRUN servlet engine handles all JSP requests by invoking the com.livesoftware.jrun.plugins.JSP servlet. It is possible to invoke these servlets manually, even if they are not registered in the JRUN configuration, by using the complete class name in the URL prefixed by /servlet/ and pointing it at any arbitrary file on the web server. This file will then be compiled and executed as if it were a JSP file. If JSP code can be injected into any file on the web server via an application (e.g. a guestbook application), it is possible to execute arbitrary commands on the server.

Proof of concept

Assume that there is an application on the JRUN server that writes user-entered data to a file called "temp.txt". Given below is JSP code that will print "Hello World":

  <% out.println("Hello World"); %>

If this code is somehow inserted into the file "temp.txt" via an application, then the following two URLs can be used to invoke forced compilation and execution of "temp.txt":

http://jrun:8000/servlet/com.livesoftware.jrun.plugins.jsp.JSP/../../path/to/temp.txt
http://jrun:8000/servlet/jsp/../../path/to/temp.txt

Note: It is assumed that JRun runs on host "jrun", port 8000.

Solution

Follow the recommendations given in Allaire Security Bulletin ASB00-29, available at:

http://www.allaire.com/security/

Credits

We would also like to thank Allaire for their prompt reaction to this problem and their co-operation in heightening security awareness in the security community.
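The two request shapes above (the fully qualified handler class, or the "jsp" alias, reached through the /servlet/ invoker and pointed at a file outside the JSP namespace) are easy to pick out of a web server access log. The following is an added example for log review, not code from the Foundstone advisory or from Allaire: it assumes Common Log Format lines, takes its list of handler names from the two advisory URLs (the advisory spells the class name both with and without the "jsp." package component, so both are listed), and the log lines it scans are constructed for illustration.

```python
"""Flag JRun /servlet/ invoker requests that point the JSP handler at
non-JSP files or use path traversal, the pattern in FS-102300-14-JRUN.

Added example for access-log review; the log lines below are constructed,
not taken from the advisory.
"""
import re
from urllib.parse import unquote, urlsplit

# Names under which the advisory shows the JSP handler being invoked.
# Both spellings of the class appear in the advisory text; "jsp" is the
# alias used in the second proof-of-concept URL.
JSP_HANDLER_NAMES = {
    "com.livesoftware.jrun.plugins.jsp.JSP",
    "com.livesoftware.jrun.plugins.JSP",
    "jsp",
}

# Common Log Format: client ident user [time] "method target protocol" status bytes
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log (hypothetical clients and paths, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Oct/2000:11:42:43 -0700] "GET /index.jsp HTTP/1.0" 200 1421
10.0.0.5 - - [23/Oct/2000:11:42:50 -0700] "GET /servlet/SnoopServlet HTTP/1.0" 200 812
10.0.0.7 - - [23/Oct/2000:11:43:01 -0700] "GET /servlet/com.livesoftware.jrun.plugins.jsp.JSP/../../path/to/temp.txt HTTP/1.0" 200 26
10.0.0.7 - - [23/Oct/2000:11:43:09 -0700] "GET /servlet/jsp/../../path/to/temp.txt HTTP/1.0" 200 26
10.0.0.7 - - [23/Oct/2000:11:43:15 -0700] "GET /servlet/jsp/%2e%2e/%2e%2e/guestbook/entries.txt HTTP/1.0" 200 26
10.0.0.7 - - [23/Oct/2000:11:43:20 -0700] "GET /servlet/jsp/guestbook/entries.txt HTTP/1.0" 200 26
10.0.0.9 - - [23/Oct/2000:11:44:00 -0700] "GET /servlet/jsp/pages/welcome.jsp HTTP/1.0" 200 300
"""


def fully_unquote(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so an encoded ".." segment is not missed;
    stop as soon as a decoding pass changes nothing."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(target: str):
    """Return a reason string when the request drives the JSP handler through
    the /servlet/ invoker at a traversal path or a non-.jsp file, else None."""
    path = fully_unquote(urlsplit(target).path)
    segments = [seg for seg in path.split("/") if seg != ""]
    # Need at least: "servlet", the handler name, and one target segment.
    if len(segments) < 3 or segments[0] != "servlet":
        return None
    handler, remainder = segments[1], segments[2:]
    if handler not in JSP_HANDLER_NAMES:
        return None  # plain invoker use; not the pattern in this advisory
    if ".." in remainder:
        return "JSP handler invoked with path traversal"
    if not remainder[-1].lower().endswith(".jsp"):
        return "JSP handler invoked on non-.jsp file"
    return None


def scan_log(text: str):
    """Parse CLF lines and return one finding dict per suspicious request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CLF_RE.match(line)
        if not m:
            continue
        reason = classify_request(m.group("target"))
        if reason:
            findings.append({
                "line": lineno,
                "client": m.group("client"),
                "target": m.group("target"),
                "status": int(m.group("status")),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['target']} -> {f['reason']}")
```

Running the script over the constructed log reports lines 3 to 6 and leaves the ordinary JSP page, the plain servlet call and the handler invoked on a real .jsp alone. A 200 status on a flagged line is the case worth following up, since it means the handler actually served the file.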
Disclaimer

The information contained in this advisory is the copyright (C) 2000 of Foundstone, Inc. and believed to be accurate at the time of printing, but no representation or warranty is given, express or implied, as to its accuracy or completeness. Neither the author nor the publisher accepts any liability whatsoever for any direct, indirect or consequential loss or damage arising in any way from any use of, or reliance placed on, this information for any purpose. This advisory may be redistributed provided that no fee is assigned and that the advisory is not modified in any way.