Three vulnerabilities have been found in Allaire's JRun:
1) It is possible to compile and execute any arbitrary file within the web document root directory of the JRun's web server as if it were a JSP file, even if the file type is not .jsp.
2) Multiple show code vulnerabilities exist in Allaire's JRun Server 2.3 allowing an attacker to view the source code of any file within the web document root of the web server.
3) A severe security flaw exists with Allaire's JRun 3.0 allowing an attacker to access WEB-INF directories on the JRun 3.0 server. The WEB-INF directory tree contains web application classes, pre-compiled JSP files, server side libraries, session information and files such as web.xml and webapp.properties.
The following is a technical explanation of those vulnerabilities.
Remote command execution (vulnerability 1)
If applications running on the JRUN 2.3 server write to files within the web document root directory, it is possible to insert executable code in the form of JSP tags and have the code compiled and executed using JRun's handlers. This can potentially allow an attacker to gain administrative control of the underlying operating system.
This vulnerability is similar to the remote execution vulnerability for Sun's Java Web Server and BEA's WebLogic application server reported previously by Foundstone. (FS-071000-5-JWS and FS-073100-10-BEA)
Details:
From the rules.properties and servlets.properties file, it is seen that the URL prefix /servlet/ can be used as an invoker for any servlet. In addition, the JRUN servlet engine handles all jsp requests by invoking the com.livesoftware.jrun.plugins.JSP servlet.
It is possible to invoke these servlets manually, even if they are not registered in the JRUN configuration, using the complete name in the URL prefixed by /servlet/, and point it to any arbitrary file on the web server. This file will be then compiled and executed as if it were a JSP file. If JSP code can be injected into any file on the web server via an application (e.g. a guestbook application), it is possible to execute arbitrary commands on the server.
Proof of concept:
Assume that there is an application on the JRun server that writes user entered data to a file called "temp.txt".
Given below is JSP code that will print "Hello World":
<% out.println("Hello World"); %>
If this code is somehow inserted in the file "temp.txt" via an application, then the following two URLs can be used to invoke forced compilation and execution of "temp.txt":
Note: It is assumed that JRun runs on host "jrun", port 8000.
Solution:
Follow the recommendations given in Allaire Security Bulletin ASB00-29, available at: http://www.allaire.com/security/
Arbitrary File Retrieval (vulnerability 2)
JRun 2.3 uses Java Servlets to handle parsing of various types of pages (for example, HTML, JSP, etc). Based on the settings in the rules.properties and servlets.properties files, it is possible to invoke any servlet using the URL prefix "/servlet/".
It is possible to use JRun's SSIFilter servlet to retrieve arbitrary files on the target system. The following examples, using first the full servlet class name and then its short alias, show URLs that can be used to retrieve arbitrary files:
http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../test.jsp
http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../boot.ini
http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../winnt/repair/sam.
http://jrun:8000/servlet/ssifilter/../../test.jsp
http://jrun:8000/servlet/ssifilter/../../../../../../../boot.ini
http://jrun:8000/servlet/ssifilter/../../../../../../../winnt/repair/sam._
(NOTE: Any of the above URLs may be wrapped; each should be on a single line)
Note: It is assumed that JRun runs on host "jrun", port 8000.
Solution:
Follow the recommendations given in Allaire Security Bulletin ASB00-28, available at: http://www.allaire.com/security/
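Both of the findings above (vulnerabilities 1 and 2) rely on the same trait: the /servlet/ invoker reaches JRun's internal plug-in servlets by class name, and SSIFilter then walks a ../ path. That makes them easy to spot in web server access logs. The following is an added example for this advisory, not Foundstone's or Allaire's code; it assumes Common Log Format lines (the samples are constructed), and that the /servlet/ prefix is the invoker named in rules.properties.

```python
"""Flag JRun 2.3 servlet-invoker abuse in web server access logs.

Added detection example; not JRun's or Foundstone's code. Assumes Common Log
Format access lines and the /servlet/ invoker prefix described in the advisory.
"""
import re
from urllib.parse import unquote

# Internal JRun plug-in servlets named in the advisory (lower-cased for matching).
# Reaching them directly through /servlet/ is what both findings depend on.
INTERNAL_SERVLETS = (
    "com.livesoftware.jrun.plugins.jsp",            # JSP handler (vulnerability 1)
    "com.livesoftware.jrun.plugins.ssi.ssifilter",  # SSIFilter (vulnerability 2)
    "ssifilter",                                    # short alias used in the advisory URLs
)

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(path):
    """Return a finding label for one request path, or None if it looks benign."""
    # Decode once so %2e%2e/%2f spellings of ../ are not missed, then lower-case
    # because the servlet name match is case-insensitive on Windows hosts.
    decoded = unquote(path).lower()
    path_only = decoded.split("?", 1)[0]
    if "/servlet/" not in path_only:
        return None
    target = path_only.split("/servlet/", 1)[1]
    servlet = target.split("/", 1)[0]
    if servlet not in INTERNAL_SERVLETS:
        return None  # a registered application servlet, not a JRun internal one
    rest = target[len(servlet):]
    if "/../" in rest or rest.endswith("/.."):
        return "servlet-invoker traversal"
    return "direct internal servlet invocation"


def scan_log(lines):
    """Return (client host, raw path, label) for every request that matches a finding."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        label = classify_request(m.group("path"))
        if label:
            hits.append((m.group("host"), m.group("path"), label))
    return hits


# Constructed sample log: two benign requests, then four that match the advisory's patterns.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Aug/2000:12:00:01 -0700] "GET /index.html HTTP/1.0" 200 1024',
    '10.0.0.5 - - [10/Aug/2000:12:00:02 -0700] "GET /servlet/MyRegisteredServlet?x=1 HTTP/1.0" 200 512',
    '10.0.0.7 - - [10/Aug/2000:12:00:03 -0700] "GET /servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../test.jsp HTTP/1.0" 200 2048',
    '10.0.0.7 - - [10/Aug/2000:12:00:04 -0700] "GET /servlet/ssifilter/../../../../../../../boot.ini HTTP/1.0" 200 300',
    '10.0.0.7 - - [10/Aug/2000:12:00:05 -0700] "GET /servlet/com.livesoftware.jrun.plugins.JSP/guestbook.txt HTTP/1.0" 200 20',
    '10.0.0.7 - - [10/Aug/2000:12:00:06 -0700] "GET /servlet/ssifilter%2f..%2f..%2fweb.xml HTTP/1.0" 200 20',
]

if __name__ == "__main__":
    for host, path, label in scan_log(SAMPLE_LOG):
        print(f"{label:36s} {host:10s} {path}")
```

The classifier keys on the servlet class name rather than on a file extension, so a request for a .txt or .html file through the JSP plug-in (the point of vulnerability 1) is still flagged; the single round of percent-decoding is a deliberate choice, and a log source that already decodes paths should feed the decoded form in.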
Unauthenticated Access to WEB-INF directory (vulnerability 3)
JRun 3.0 can be made to run as a stand-alone web server on port 8100. The directory <jrun_install_dir>/servers/default holds different web applications hosted in it.
The directory <jrun_install_dir>/servers/default/default-app is the web document root for the default web application. This application is mapped to http://site.running.jrun:8100/, if accessed via a web browser.
Other web application directories are set up in a similar manner as follows:
<jrun_install_dir>/servers/default/app1
<jrun_install_dir>/servers/default/app2 ... etc.
Each web application directory contains a WEB-INF directory tree that contains configuration files, server side components, libraries and other application related information. This directory is not visible to the client. If the WEB-INF directory is requested by a web browser via the following URL:
http://site.running.jrun:8100/WEB-INF/
the server responds with a 403 Forbidden error code. However, it is possible to access this directory via the following URL:
http://site.running.jrun:8100//WEB-INF/
This causes the entire directory tree under WEB-INF to be displayed and eventually files under this directory can be accessed. For example:
Would allow remote attackers to view the web.xml and webapp.properties in the WEB-INF directory. Attackers can also access critical resources such as class files, session information, etc.
Proof of concept:
Prefixing the path to WEB-INF with an extra / in the URL causes the directory structure within WEB-INF to be displayed.
http://site.running.jrun:8100//WEB-INF/
Solution:
Follow the recommendations given in Allaire Security Bulletin ASB00-27, available at: http://www.allaire.com/security/
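The WEB-INF bypass above is a canonicalization failure: the 403 check runs on the request path as written, but the file mapper tolerates the extra slash, so the two disagree. A container (or a reverse proxy in front of it) has to normalize the path first and authorize the normalized form. The following is an added example for this advisory, not JRun's code: it models that decision in Python, shows a naive prefix check that the double-slash request defeats, and a canonicalizing guard that also refuses ../ escapes. The META-INF prefix is an assumption added alongside WEB-INF.

```python
"""Request-path guard for the //WEB-INF/ and ../ mapping gaps in this advisory.

Added example; not JRun's code. Models the decision a static-file mapper must
make before touching the filesystem. Protecting META-INF is an assumption here.
"""
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def naive_is_allowed(raw_path):
    """The kind of prefix check the double-slash request defeats (kept to show the gap).

    posixpath.normpath deliberately keeps a leading '//' intact, so '//WEB-INF/'
    never matches the '/WEB-INF/' prefix and would be served.
    """
    p = posixpath.normpath(unquote(raw_path))
    return not (p + "/").upper().startswith("/WEB-INF/")


def canonicalize(raw_path):
    """Decode once, drop empty and '.' segments, resolve '..', refuse root escapes.

    Returns the canonical path, or None when '..' would climb above the document root.
    """
    decoded = unquote(raw_path)
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue  # collapses '//' runs and './' segments
        if seg == "..":
            if not segments:
                return None  # climbing above the document root: refuse outright
            segments.pop()
            continue
        segments.append(seg)
    canon = "/" + "/".join(segments)
    if decoded.endswith("/") and canon != "/":
        canon += "/"  # preserve the trailing slash so a directory request stays one
    return canon


def is_allowed(raw_path):
    """Authorize on the canonical path, case-insensitively (Windows document roots)."""
    canon = canonicalize(raw_path)
    if canon is None:
        return False
    probe = (canon if canon.endswith("/") else canon + "/").upper()
    return not any(probe.startswith(prefix) for prefix in PROTECTED_PREFIXES)


if __name__ == "__main__":
    for p in ("/index.html", "/WEB-INF/web.xml", "//WEB-INF/", "/docs/../WEB-INF/web.xml", "/../boot.ini"):
        print(f"{p:28s} naive={naive_is_allowed(p)!s:5s} hardened={is_allowed(p)}")
```

Two design points are worth noting. The guard decodes exactly once, on the same string that will be mapped to the filesystem; decoding in one place and checking in another is how the original mismatch arose. And it treats the document root as a hard ceiling, returning None for any path that tries to climb above it instead of clamping it to root, so the caller logs the attempt rather than silently serving index.html.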