
Title: Allaire JRUN 2.3 Remote command execution
Released by: Foundstone
Date: 23rd October 2000
                            Foundstone, Inc.
                        http://www.foundstone.com
                      "Securing the Dot Com World"

                           Security Advisory

                           Allaire JRUN 2.3

----------------------------------------------------------------------
FS Advisory ID:         FS-102300-14-JRUN
Release Date:           October 23, 2000
Product:                Allaire JRUN 2.3
Vendor:                 Allaire Inc. (http://www.allaire.com)
Vendor Advisory:        http://www.allaire.com/security/
Type:                   Remote command execution
Severity:               High
Author:                 Shreeraj Shah (shreeraj.shah@foundstone.com)
                        Saumil Shah (saumil.shah@foundstone.com)
                        Stuart McClure (stuart.mcclure@foundstone.com)
                        Foundstone, Inc. (http://www.foundstone.com)
Operating Systems:      All operating systems supported by JRUN
Vulnerable versions:    JRUN Server v2.3
Foundstone Advisory:    http://www.foundstone.com/cgi-bin/display.cgi?Section_ID=13
----------------------------------------------------------------------



Description

        It is possible to compile and execute any arbitrary file
        within the web document root directory of the JRUN web
        server as if it were a JSP file, even if the file type is not
        .jsp.

        If applications running on the JRUN 2.3 server write to files
        within the web document root directory, it is possible to
        insert executable code in the form of JSP tags and have the
        code compiled and executed using JRUN's handlers. This can
        potentially allow an attacker to gain administrative control
        of the underlying operating system.

        The theory behind such vulnerabilities is described in CERT
        Advisory CA-2000-02, which can be found at:
        http://www.cert.org/advisories/CA-2000-02.html

        This vulnerability is similar to the remote execution
        vulnerability for Sun's Java Web Server and BEA's WebLogic
        application server reported previously by Foundstone
        (FS-071000-5-JWS and FS-073100-10-BEA).


Details

        From the rules.properties and servlets.properties files, it is
        seen that the URL prefix /servlet/ can be used as an invoker
        for any servlet. Also, the JRUN servlet engine handles all JSP
        requests by invoking the com.livesoftware.jrun.plugins.JSP
        servlet.

        It is possible to invoke these servlets manually, even if they
        are not registered in the JRUN configuration, by using the
        complete class name in the URL prefixed by /servlet/, and to
        point them at any arbitrary file on the web server. This file
        will then be compiled and executed as if it were a JSP file. If
        JSP code can be injected into any file on the web server via an
        application (e.g. a guestbook application), it is possible to
        execute arbitrary commands on the server.


Proof of concept

        Assume that there is an application on the JRUN server that
        writes user entered data to a file called "temp.txt".

        Given below is JSP code that will print "Hello World":

        <% out.println("Hello World"); %>

        If this code is somehow inserted in the file "temp.txt" via an
        application, then the following two URLs can be used to invoke
        forced compilation and execution of "temp.txt":

        http://jrun:8000/servlet/com.livesoftware.jrun.plugins.jsp.JSP/../../path/to/temp.txt
        http://jrun:8000/servlet/jsp/../../path/to/temp.txt

        Note: It is assumed that JRun runs on host "jrun", port 8000.
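The request pattern described in the Details and Proof of concept sections leaves a recognisable trace in web server access logs: a /servlet/ invoker path naming the JSP servlet, followed by directory traversal or a target that is not a .jsp file. The following detector is an added example, not part of the Foundstone advisory; it assumes Common Log Format lines, and the sample log below is constructed for illustration.

```python
import re
from urllib.parse import unquote

# Invoker names as they appear in the advisory text (both spellings).
JSP_INVOKERS = {
    "com.livesoftware.jrun.plugins.JSP",
    "com.livesoftware.jrun.plugins.jsp.JSP",
    "jsp",
}

# Constructed sample access log (Common Log Format); hosts and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Oct/2000:10:01:02 -0400] "GET /index.jsp HTTP/1.0" 200 512
10.0.0.7 - - [23/Oct/2000:10:02:10 -0400] "GET /servlet/com.livesoftware.jrun.plugins.jsp.JSP/../../guestbook/temp.txt HTTP/1.0" 200 77
10.0.0.7 - - [23/Oct/2000:10:02:11 -0400] "GET /servlet/jsp/..%2F..%2Fguestbook/temp.txt HTTP/1.0" 200 77
10.0.0.9 - - [23/Oct/2000:10:03:00 -0400] "GET /servlet/HelloServlet HTTP/1.0" 200 30
10.0.0.9 - - [23/Oct/2000:10:03:05 -0400] "GET /servlet/jsp/welcome.jsp HTTP/1.0" 200 200
"""

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify_request(path):
    """Return a reason string if the path abuses the JSP invoker, else None."""
    # Decode twice so %2F and %252F encodings of "/" are both normalised.
    decoded = unquote(unquote(path.split("?", 1)[0]))
    segments = decoded.split("/")
    if len(segments) < 3 or segments[1] != "servlet":
        return None
    if segments[2] not in JSP_INVOKERS:
        return None  # some other servlet; not the pattern this advisory describes
    if ".." in segments:
        return "traversal via JSP invoker"
    target = "/".join(segments[3:])
    if target and not target.lower().endswith(".jsp"):
        return "non-.jsp file forced through JSP invoker"
    return None


def scan_log(text):
    """Return (client, timestamp, path, reason) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        client, ts, _method, path, _status = m.groups()
        reason = classify_request(path)
        if reason:
            hits.append((client, ts, path, reason))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

A request that only names the JSP invoker with a genuine .jsp target (the last sample line) is left alone, so the rule flags the forced-compilation case without alerting on ordinary JSP traffic.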



Solution

        Follow the recommendations given in Allaire Security Bulletin
        ASB00-29, available at: http://www.allaire.com/security/


Credits

        We would also like to thank Allaire for their prompt reaction
        to this problem and their co-operation in heightening
        security awareness in the security community.


Disclaimer

        The information contained in this advisory is the copyright
        (C) 2000 of Foundstone, Inc. and believed to be accurate at
        the time of printing, but no representation or warranty is
        given, express or implied, as to its accuracy or completeness.
        Neither the author nor the publisher accepts any liability
        whatsoever for any direct, indirect or consequential loss or
        damage arising in any way from any use of, or reliance placed
        on, this information for any purpose. This advisory may be
        redistributed provided that no fee is assigned and that the
        advisory is not modified in any way.