Exploiting WebSphere Application Server's JSP Engine

WebSphere Application Server (WAS), IBM's Java Platform, Enterprise Edition (Java EE) application server, is one of the leading application servers and is the predominant application server in the financial and insurance sectors. It is also embedded in several of IBM's other products, including WebSphere Portal, WebSphere Process Server and WebSphere Message Broker.

In March 2009, IBM released PK81387, which patches a "Possible application source file exposure" in WAS. A detailed explanation of this vulnerability and its exploitation will be provided, including how implementation details such as character encoding, combined with multiple vulnerabilities (some still unpatched), can be orchestrated to expose files and directories inside an application's Web Archive (WAR). In some cases, where common libraries or particular WAS features are in use, these vulnerabilities can be extended to achieve arbitrary code execution, resulting in full compromise of the application server.

Exploitation details will be described, and the use of this vulnerability, chained with others, to execute a remote operating system shell will be demonstrated. Source code for the exploit and other tools will be provided.
