Type packetstorm
Reporter Saumil Shah
Modified 2000-07-13T00:00:00


Foundstone, Inc.  
"Securing the Dot Com World"  
Security Advisory  
Sun's Java Web Server  
FS Advisory ID: FS-071000-5-JWS  
Release Date: July 10, 2000  
Product: Java Web Server  
Vendor: Sun Microsystems (http://www.sun.com)  
Vendor Advisory: CERT Advisory: http://www.cert.org/advisories  
JWS FAQ: http://www.sun.com/software  
Type: Remote command execution  
Severity: High (depending on your configuration)  
Author: Saumil Shah (saumil.shah@foundstone.com)  
Shreeraj Shah (shreeraj.shah@foundstone.com)  
Stuart McClure (stuart.mcclure@foundstone.com)  
Foundstone, Inc. (http://www.foundstone.com)  
Operating Systems: Solaris and Windows NT  
Vulnerable versions: Sun Java Web Server, all versions  
Foundstone Advisory: http://www.foundstone.com/advisories.htm  
A security weakness exists in Sun's Java Web Server default  
configuration. Using the Bulletin Board example application  
supplied with Java Web Server, it is possible to remotely  
execute arbitrary commands on the target system.  
*NOTE: This advisory is a precautionary advisory, in an  
attempt to alert the user community about a known vulnerability  
that has just become practical to exploit. Please refer to  
Sun's FAQ referenced above. Also, please refer to CERT  
advisory CA-2000-02.  
JSP pages in Java Web Server are handled by the  
com.sun.server.http.pagecompile.jsp.runtime.JspServlet, which  
compiles the JSP pages (if they are not already compiled),  
executes them within the Java Runtime Environment and hands the  
output back to the web server.  
It is possible to invoke this servlet manually using the  
/servlet/ prefix in the URL, and point it to any arbitrary  
file on the web server to be compiled and executed as if it  
were a JSP file. Specifically, plain HTML files can also be  
compiled and executed like JSP files. If JSP code can be  
injected into HTML files, it is possible to execute arbitrary  
commands on the server.  
Java Web Server comes with a sample bulletin board  
application that creates a "board.html" file in the web  
document root directory; this file stores the messages posted  
to the bulletin board by remote users. The bulletin board  
application can be accessed at:  
There is a user input text area for posting comments on the  
bulletin board. The code to be uploaded needs to be entered  
here, and uploaded into "board.html" by clicking the Post To  
Board button.  
If JSP code has been posted to "board.html", it is possible  
to get the code compiled and executed by referencing the  
following URL:  
It is possible to write Java code that will allow arbitrary  
commands to be executed on the underlying operating system by  
using the Runtime.getRuntime().exec() method.  
Proof of concept  
The example below shows how to upload and run code that  
displays "Hello World", coming from the server.  
Given below is JSP code that will print "Hello World":  
<% String s="Hello World"; %>  
<%=s %>  
Post this code to the bulletin board via:  
Verify that the code has indeed been uploaded via:  
Compile and execute this code by referencing the following  
See Java Web Server's documentation section entitled "How  
to secure a web site that uses the Java Web Server" and  
Sun's Java Web Server FAQ (which was posted in response to  
CERT Advisory CA-2000-02) at:  
Both documents describe detailed steps to lock down and  
harden the Java Web Server. This issue can be removed by  
simply removing the examples in the examples directory  
which is described in both documents.  
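As an added defensive check (example code, not part of the Foundstone advisory), the following Python flags access-log requests that name the JspServlet directly under the /servlet/ prefix or that carry JSP scriptlet markers towards board.html, and lists lines of a stored board.html that contain JSP tags. The log format (Common Log Format), the query-parameter name "msg" and all sample data are constructed assumptions; the advisory's exact URL for pointing JspServlet at a file is not reproduced.

```python
import re
from urllib.parse import unquote_plus

# Fully qualified class named in the advisory; a request naming it directly
# under the /servlet/ prefix is the manual invocation the advisory describes.
JSP_SERVLET = "com.sun.server.http.pagecompile.jsp.runtime.JspServlet"

# Common Log Format: ip ident user [timestamp] "METHOD TARGET PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# JSP scriptlet, expression, declaration and directive open tags, plus close tag.
SCRIPTLET_RE = re.compile(r"<%[=!@]?|%>")


def classify_request(method, target):
    """Label one request, or return None when nothing of interest is seen."""
    path, _, query = target.partition("?")
    if "/servlet/" in path and JSP_SERVLET in path:
        return "manual-jspservlet-invocation"
    # Scriptlet markers arriving in a request for the sample board page.
    if path.endswith("/board.html") and SCRIPTLET_RE.search(unquote_plus(query)):
        return "jsp-scriptlet-in-request"
    return None


def scan_access_log(lines):
    """Return (ip, method, target, label) for every flagged log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        label = classify_request(m["method"], m["target"])
        if label:
            hits.append((m["ip"], m["method"], m["target"], label))
    return hits


def find_scriptlets(board_html):
    """Return (line_no, line) for lines of the raw board.html carrying JSP markers.
    A clean bulletin board returns an empty list."""
    return [(n, ln) for n, ln in enumerate(board_html.splitlines(), 1)
            if SCRIPTLET_RE.search(ln)]


# Constructed sample data (not taken from the advisory or a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jul/2000:12:00:00 +0000] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.5 - - [10/Jul/2000:12:00:01 +0000] "GET /board.html?msg=%3C%25+String+s%3D%22Hello+World%22%3B+%25%3E HTTP/1.0" 200 90',
    '10.0.0.5 - - [10/Jul/2000:12:00:02 +0000] "GET /servlet/' + JSP_SERVLET + ' HTTP/1.0" 200 77',
]
SAMPLE_BOARD_HTML = ('<html><body><h1>Bulletin Board</h1>\n<p>Welcome.</p>\n'
                     '<p><% String s="Hello World"; %></p>\n<p><%=s %></p>\n</body></html>\n')

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(*hit)
    for n, ln in find_scriptlets(SAMPLE_BOARD_HTML):
        print(f"board.html:{n}: {ln}")
```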
We would also like to thank Sun Microsystems for their prompt  
response to us with this problem.  
The information contained in this advisory is the copyright  
(C) 2000 of Foundstone, Inc. and believed to be accurate at the  
time of printing, but no representation or warranty is given,  
express or implied, as to its accuracy or completeness. Neither  
the author nor the publisher accepts any liability whatsoever for  
any direct, indirect or consequential loss or damage arising in  
any way from any use of, or reliance placed on, this  
information for any purpose. This advisory may be redistributed  
provided that no fee is assigned and that the advisory is not  
modified in any way.