The CyberUnderground
http://cyberunderground.cjb.net

The Java Web Server includes two features that when used together can be made to execute arbitrary code at the privilege level of the server.

The Web Administration module listens on port 9090 for administrative commands via http. By using the /servlet/ prefix, it is possible for a remote user to point the servlet "com.sun.server.http.pagecompile.jsp92.JspServlet" to any file in or below the administration webroot for compilation and execution.

The server also includes a sample application that provides bullettin board functionality. This application usesthe file board.html in the webroot to store all posted messages. Code can be entered as a posted message through the file /examples/applications/bboard/bboard_frames.html and will then be stored as part of board.html .

Therefore, it is possible for a remote user to inject JSP code into board.html, and then have the server execute it via the Administration module, using a URL like:

http:/target:9090/servlet/com.sun.server.http.pagecompile.jsp92.JspServlet/board.html

Vulnerable:

Sun Java Web Server 2.0
   - Sun Solaris 8.0_x86
   - Sun Solaris 8.0
   - Sun Solaris 7.0_x86
   - Sun Solaris 7.0
   - Sun Solaris 2.6_x86HW5/98
   - Sun Solaris 2.6_x86HW3/98
   - Sun Solaris 2.6_x86
   - Sun Solaris 2.6HW5/98
   - Sun Solaris 2.6HW3/98
   - Sun Solaris 2.6
   - Sun Solaris 2.5.1_x86
   - Sun Solaris 2.5.1_ppc
   - Sun Solaris 2.5.1
   - Sun Solaris 2.5_x86
   - Sun Solaris 2.5
Sun Java Web Server 1.1.3
   - Sun Solaris 8.0_x86
   - Sun Solaris 8.0
   - Sun Solaris 7.0_x86
   - Sun Solaris 7.0
   - Sun Solaris 2.6_x86HW5/98
   - Sun Solaris 2.6_x86HW3/98
   - Sun Solaris 2.6_x86
   - Sun Solaris 2.6HW5/98
   - Sun Solaris 2.6HW3/98
   - Sun Solaris 2.6
   - Sun Solaris 2.5.1_x86
   - Sun Solaris 2.5.1_ppc
   - Sun Solaris 2.5.1
   - Sun Solaris 2.5_x86
   - Sun Solaris 2.5