[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Unify eWave ServletExec DoS

Title: Unify eWave ServletExec DoS
Released by: Foundstone
Date: 30th October 2000
Printable version: Click here
                            Foundstone, Inc.


                      "Securing the Dot Com World"

                           Security Advisory

                      Unify eWave ServletExec DoS


FS Advisory ID:         FS-103000-15-SRVX

Release Date:           October 30, 2000

Product:                Unify eWave ServletExec 3.0C

Vendor:                 Unify Corp.


Type:                   Denial of Service

Severity:               High

Author:                 Shreeraj Shah (shreeraj.shah@foundstone.com)

                        Saumil Shah (saumil.shah@foundstone.com)

                        Stuart McClure (stuart.mcclure@foundstone.com)

                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      All operating systems supported by ServletExec

Vulnerable versions:    Unify eWave ServletExec 3.0C

Foundstone Advisory:    http://www.foundstone.com/advisories.htm



        Unify's eWave ServletExec is a JSP and a Java Servlet engine

        which is to be used as a plug-in to popular web servers like

        Apache, IIS, Netscape, etc.

        It is possible to send a URL request which causes the

        ServletExec servlet engine to terminate abruptly. The web

        server, however, is not affected.


        It is possible to forcibly invoke any servlet by prefixing

        the path to servlet with "/servlet/" in the URL. A servlet

        called "ServletExec" is present in the server side classes.

        Invoking the "ServletExec" servlet via forced servlet

        invocation causes the servlet engine to re-initialize and

        attempt to bind a server thread on port 80. If the server is

        already running, the port binding causes an exception and

        the servlet engine terminates abruptly.

        For example, if ServletExec is running on as a plug-

        in to a web server on port 80, an attacker can open a

        connection to port 80 and make the following GET request that

        causes the servlet engine to terminate abruptly.

        nc 80

        GET /servlet/ServletExec HTTP/1.0

        Or simply access the URL

        from a browser to the same effect.

        ServletExec generates java.net.BindException and kills the

        servlet engine.

        The following gets recorded in the log file:

        Received an exception when starting ServletExec:


        Address in use: bind


        Upgrade to ServletExec version 3.0E, available at:


        Please contact the vendor for further details at

        info@unify.com or Unify Sales at 1-800-248-6439


        We would like to thank Unify for their prompt reaction to this

        problem and their co-operation in heightening awareness in the

        security community.


        The information contained in this advisory is the copyright (C)

        2000 of Foundstone, Inc. and believed to be accurate at the time

        of printing, but no representation or warranty is given, express

        or implied, as to its accuracy or completeness. Neither the

        author nor the publisher accepts any liability whatsoever for

        any direct, indirect or conquential loss or damage arising in

        any way from any use of, or reliance placed on, this information

        for any purpose. This advisory may be redistributed provided that

        no fee is assigned and that the advisory is not modified in any


(C) 1999-2000 All rights reserved.