forked from ProjectZeroDays/Exploits2
-
Notifications
You must be signed in to change notification settings - Fork 0
/
FS-073100-10-BEA.txt
executable file
·124 lines (87 loc) · 4.92 KB
/
FS-073100-10-BEA.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"
Security Advisory
BEA's WebLogic *.jsp/*.jhtml remote command execution
----------------------------------------------------------------------
FS Advisory ID: FS-073100-10-BEA
Release Date: July 31, 2000
Product: WebLogic
Vendor: BEA Systems (http://www.beasys.com)
Vendor Advisory: http://developer.bea.com/alerts/index.html
Type: Possible remote command execution.
Severity: High (depending on your configuration)
Author: Shreeraj Shah ([email protected])
Saumil Shah ([email protected])
Stuart McClure ([email protected])
Operating Systems: All operating systems supported by WebLogic
Vulnerable versions: WebLogic, all versions
Foundstone Advisory: http://www.foundstone.com/advisories.htm
----------------------------------------------------------------------
Description
It is possible to compile and execute any arbitrary file
within the web document root directory of the WebLogic server
as if it were a JSP/JHTML file, even if the file type is not
.jsp or .jhtml.
If applications residing on the WebLogic server write to files
within the web document root directory, it is possible to
insert executable code in the form of JSP or JHTML tags and
have the code compiled and executed using WebLogic's handlers.
This can potentially cause an attacker to gain administrative
control of the underlying operating systems.
The theory behind such vulnerabilities is described in CERT
Advisory CA-2000-02 which can be found at:
http://www.cert.org/advisories/CA-2000-02.html
This vulnerability is similar to the remote execution
vulnerability for Sun's Java Web Server reported previously by
Foundstone. (FS-071000-5-JWS)
Details
Looking into the weblogic.properties files, the following
lines indicate how WebLogic associates handlers for compiling
and executing JHTML and JSP files.
weblogic.httpd.register.*.jhtml=\
weblogic.servlet.jhtmlc.PageCompileServlet
weblogic.httpd.register.*.jsp=\
weblogic.servlet.JSPServlet
JHTML pages in WebLogic get handled by the
weblogic.servlet.jhtml.PageCompileServlet, which compiles the
JHTML pages (if they are not already compiled) and executes
them within the Java Runtime Enviroment and hand the output
back to the web server. Similarly, weblogic.servlet.JSPServlet
is responsible for compiling and executing JSP pages.
It is possible to invoke these servlets manually using the
/*.jhtml/ or /*.jsp/ prefix in the URL, and point it to any
arbitrary file on the web server to be compiled and executed
as if it were a JHTML or a JSP file. If JHTML or JSP code can
be injected into any file on the web server via an application
(e.g. a guestbook application), it is possible to execute
arbitrary commands on the server.
Proof of concept
Assume that there is an application on the WebLogic server
that writes user entered data to a file called "temp.txt".
Given below is JHTML/JSP code that will print "Hello World":
<java>out.println("Hello World");</java> (JHTML) -or-
<% out.println("Hello World"); %> (JSP)
If this code is somehow inserted in the file "temp.txt" via
an application, then the following can be used to invoke
forced compilation and execution of "temp.txt":
http://weblogic.site/*.jhtml/path/to/temp.txt (JHTML) -or-
http://weblogic.site/*.jsp/path/to/temp.txt
Solution
Please refer to BEA's advisory BEA00-04.00 which can be found
at http://developer.bea.com/alerts/index.html
Credits
We would also like to thank BEA Systems for their prompt
reaction to this problem and their co-operation in heightening
security awareness in the security community.
Disclaimer
THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT
(C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS
GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.
NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY
WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONQUENTIAL LOSS OR
DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED
ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE
REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.