FS-073100-10-BEA.txt
Packet Storm (PACKETSTORM:22706), Aug 02, 2000
Shreeraj Shah, packetstormsecurity.com
Foundstone, Inc.  
http://www.foundstone.com  
"Securing the Dot Com World"  
  
Security Advisory  
  
BEA's WebLogic *.jsp/*.jhtml remote command execution  
  
----------------------------------------------------------------------  
FS Advisory ID: FS-073100-10-BEA  
  
Release Date: July 31, 2000  
  
Product: WebLogic  
  
Vendor: BEA Systems (http://www.beasys.com)  
  
Vendor Advisory: http://developer.bea.com/alerts/index.html  
  
Type: Possible remote command execution.  
  
Severity: High (depending on your configuration)  
  
Author: Shreeraj Shah ([email protected])  
Saumil Shah ([email protected])  
Stuart McClure ([email protected])  
  
Operating Systems: All operating systems supported by WebLogic  
  
Vulnerable versions: WebLogic, all versions  
  
Foundstone Advisory: http://www.foundstone.com/advisories.htm  
----------------------------------------------------------------------  
  
Description  
  
It is possible to compile and execute any arbitrary file  
within the web document root directory of the WebLogic server  
as if it were a JSP/JHTML file, even if the file type is not  
.jsp or .jhtml.  
  
If applications residing on the WebLogic server write to files  
within the web document root directory, it is possible to  
insert executable code in the form of JSP or JHTML tags and  
have the code compiled and executed using WebLogic's handlers.  
This can potentially cause an attacker to gain administrative  
control of the underlying operating systems.  
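The root cause described above is an application that lets user-supplied text land in a file under the document root, where the page compilers can later be pointed at it. The following Python is an added illustration of the two defensive checks a developer would put in front of such a write; it is not part of the Foundstone advisory and not WebLogic code. The directory names, the guestbook file names and the sample inputs are constructed, and the tag patterns are limited to the two code delimiters the advisory shows (<java> for JHTML, <% for JSP).

```python
import html
import os
import re

# Constructed example locations (assumptions, not from the advisory):
# the server's document root and a separate data directory outside it.
DOC_ROOT = "/srv/weblogic/public_html"
DATA_DIR = "/srv/guestbook"

# Opening delimiters of server-side code in JHTML (<java>) and JSP (<%) pages.
# Matched case-insensitively as a conservative choice.
CODE_TAG = re.compile(r"<java\b|<%", re.IGNORECASE)


def inside(directory: str, path: str) -> bool:
    """True if `path` resolves to `directory` or somewhere below it.

    realpath() resolves '..' segments and symlinks first, so a file name such as
    '../weblogic/public_html/temp.txt' is judged by where it really ends up.
    """
    d = os.path.realpath(directory)
    p = os.path.realpath(path)
    return p == d or p.startswith(d + os.sep)


def contains_page_code(text: str) -> bool:
    """True if the text carries a JHTML or JSP code delimiter."""
    return CODE_TAG.search(text) is not None


def neutralize(text: str) -> str:
    """HTML-escape user text so '<java>' and '<%' cannot open a code block
    even if the file is ever compiled as a page."""
    return html.escape(text)


def plan_write(user_text: str, filename: str,
               doc_root: str = DOC_ROOT, data_dir: str = DATA_DIR):
    """Decide whether `user_text` may be written to `filename` under `data_dir`.

    Returns (ok, reason, resolved_target). The write is refused when the target
    resolves inside the document root, escapes the data directory, or the
    content contains page-code delimiters.
    """
    target = os.path.join(data_dir, filename)
    if inside(doc_root, target):
        return False, "target resolves inside the document root", target
    if not inside(data_dir, target):
        return False, "target escapes the data directory", target
    if contains_page_code(user_text):
        return False, "content contains JHTML/JSP code tags", target
    return True, "ok", target


if __name__ == "__main__":
    # Constructed sample submissions.
    for text, name in [("nice site", "entry1.txt"),
                       ('<% out.println("Hello World"); %>', "entry2.txt"),
                       ("hi", "../weblogic/public_html/temp.txt")]:
        ok, reason, target = plan_write(text, name)
        print(f"{name!r}: {'write' if ok else 'refuse'} ({reason}) -> {target}")
```

Refusing on the directory checks is the important half: storing user data outside the document root removes the precondition the advisory relies on regardless of what the data contains. The content check and neutralize() are defence in depth for deployments that must keep such files under the document root.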
  
The theory behind such vulnerabilities is described in CERT  
Advisory CA-2000-02 which can be found at:  
http://www.cert.org/advisories/CA-2000-02.html  
  
This vulnerability is similar to the remote execution  
vulnerability for Sun's Java Web Server reported previously by  
Foundstone. (FS-071000-5-JWS)  
  
Details  
  
Looking into the weblogic.properties files, the following  
lines indicate how WebLogic associates handlers for compiling  
and executing JHTML and JSP files.  
  
weblogic.httpd.register.*.jhtml=\  
weblogic.servlet.jhtmlc.PageCompileServlet  
  
weblogic.httpd.register.*.jsp=\  
weblogic.servlet.JSPServlet  
  
JHTML pages in WebLogic get handled by the  
weblogic.servlet.jhtmlc.PageCompileServlet, which compiles the  
JHTML pages (if they are not already compiled), executes  
them within the Java Runtime Environment and hands the output  
back to the web server. Similarly, weblogic.servlet.JSPServlet  
is responsible for compiling and executing JSP pages.  
  
It is possible to invoke these servlets manually using the  
/*.jhtml/ or /*.jsp/ prefix in the URL, and point it to any  
arbitrary file on the web server to be compiled and executed  
as if it were a JHTML or a JSP file. If JHTML or JSP code can  
be injected into any file on the web server via an application  
(e.g. a guestbook application), it is possible to execute  
arbitrary commands on the server.  
  
Proof of concept  
  
Assume that there is an application on the WebLogic server  
that writes user entered data to a file called "temp.txt".  
  
Given below is JHTML/JSP code that will print "Hello World":  
  
<java>out.println("Hello World");</java> (JHTML) -or-  
<% out.println("Hello World"); %> (JSP)  
  
If this code is somehow inserted in the file "temp.txt" via  
an application, then the following can be used to invoke  
forced compilation and execution of "temp.txt":  
  
http://weblogic.site/*.jhtml/path/to/temp.txt (JHTML) -or-  
http://weblogic.site/*.jsp/path/to/temp.txt  
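The Details and Proof of concept sections together describe one observable artifact: a request path that names a registered page-compiler pattern (/*.jhtml/ or /*.jsp/) as a path segment and then carries a further file path for the servlet to compile. The Python below is an added example, not part of the advisory, showing how a defender can turn that into a detection: it reads the register lines out of a weblogic.properties fragment (handling the backslash continuation the advisory's excerpt uses), keeps the wildcard page-compiler registrations, and flags access-log requests that invoke one of them by name against another file. The properties fragment, the extra "hello" registration, the log lines and the hostnames are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed weblogic.properties fragment: the two registrations the advisory
# quotes plus one made-up, non-wildcard registration the scanner must ignore.
PROPERTIES = r"""
weblogic.httpd.register.*.jhtml=\
weblogic.servlet.jhtmlc.PageCompileServlet

weblogic.httpd.register.*.jsp=\
weblogic.servlet.JSPServlet

weblogic.httpd.register.hello=examples.HelloServlet
"""

# Constructed access-log lines in common log format.
ACCESS_LOG = """\
10.0.0.5 - - [31/Jul/2000:10:15:01 -0700] "GET /index.jsp HTTP/1.0" 200 1532
10.0.0.9 - - [31/Jul/2000:10:16:44 -0700] "GET /*.jsp/guestbook/temp.txt HTTP/1.0" 200 87
10.0.0.9 - - [31/Jul/2000:10:16:50 -0700] "GET /%2A.jhtml/guestbook/temp.txt HTTP/1.0" 200 87
10.0.0.7 - - [31/Jul/2000:10:17:03 -0700] "GET /guestbook/temp.txt HTTP/1.0" 200 87
10.0.0.7 - - [31/Jul/2000:10:17:09 -0700] "GET /hello/world HTTP/1.0" 200 12
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_registrations(text: str) -> dict:
    """Return {pattern: servlet_class} from weblogic.httpd.register.* entries.

    A trailing backslash joins a value onto the next line, as in the fragment
    the advisory quotes, so those continuations are collapsed first.
    """
    joined = re.sub(r"\\\s*\n\s*", "", text)
    regs = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"weblogic\.httpd\.register\.(\S+?)\s*=\s*(\S+)", line)
        if m:
            regs[m.group(1)] = m.group(2)
    return regs


def page_compilers(regs: dict) -> dict:
    """Keep only wildcard (*.ext) registrations: these are the page compilers
    that can be invoked by name as a path prefix."""
    return {p: c for p, c in regs.items() if p.startswith("*.")}


def forced_compile(path: str, compilers: dict):
    """If `path` contains a page-compiler pattern as a segment followed by a
    further file path, return (pattern, servlet_class, target); else None.

    The query string is dropped and percent-encoding decoded so that an
    encoded '*' is seen the same way the server would see it.
    """
    segments = unquote(path.split("?", 1)[0]).split("/")
    for i, seg in enumerate(segments):
        if seg in compilers and i + 1 < len(segments):
            return seg, compilers[seg], "/".join(segments[i + 1:])
    return None


def scan_access_log(log_text: str, compilers: dict) -> list:
    """Return one record per request that forces a file through a page compiler."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, when, method, path, status = m.groups()
        found = forced_compile(path, compilers)
        if found is None:
            continue
        pattern, servlet, target = found
        hits.append({
            "src": src, "time": when, "method": method, "status": int(status),
            "pattern": pattern, "servlet": servlet, "target": target,
            # A target that is not itself a page is the case the advisory describes.
            "target_is_page": target.lower().endswith((".jsp", ".jhtml")),
        })
    return hits


if __name__ == "__main__":
    compilers = page_compilers(parse_registrations(PROPERTIES))
    for hit in scan_access_log(ACCESS_LOG, compilers):
        print(f"{hit['src']} {hit['time']}: {hit['pattern']} -> {hit['servlet']} "
              f"compiled {hit['target']!r} (status {hit['status']})")
```

Alerting on any hit is reasonable, since a legitimate link has no need to spell out the compiler servlet's pattern in the path; the target_is_page flag singles out requests that compile something other than a .jsp or .jhtml file, which is the condition the advisory describes, and the status field shows whether the server actually served the compiled result.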
  
Solution  
  
Please refer to BEA's advisory BEA00-04.00 which can be found  
at http://developer.bea.com/alerts/index.html  
  
Credits  
  
We would also like to thank BEA Systems for their prompt  
reaction to this problem and their co-operation in heightening  
security awareness in the security community.  
  
Disclaimer  
  
THE INFORMATION CONTAINED IN THIS ADVISORY IS THE COPYRIGHT  
(C) 2000 OF FOUNDSTONE, INC. AND BELIEVED TO BE ACCURATE AT  
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS  
GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.  
NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY  
WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR  
DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED  
ON, THIS INFORMATION FOR ANY PURPOSE. THIS ADVISORY MAY BE  
REDISTRIBUTED PROVIDED THAT NO FEE IS ASSIGNED AND THAT THE  
ADVISORY IS NOT MODIFIED IN ANY WAY.  
  