[ SOURCE: http://www.secureroot.com/security/advisories/9735784333.html ]

Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"

Security Advisory

Unify eWave ServletExec upload

----------------------------------------------------------------------

FS Advisory ID:      FS-103100-16-SRVX
Release Date:        October 31, 2000
Product:             Unify eWave ServletExec 3.0C
Vendor:              Unify Corp. (http://www.unifyewave.com/servletexec/)
Type:                Uploading arbitrary files leading to remote command execution.
Severity:            High
Author:              Shreeraj Shah (shreeraj.shah@foundstone.com)
                     Saumil Shah (saumil.shah@foundstone.com)
                     Stuart McClure (stuart.mcclure@foundstone.com)
                     Foundstone, Inc. (http://www.foundstone.com)
Operating Systems:   All operating systems supported by ServletExec
Vulnerable versions: Unify eWave ServletExec 3.0C
Foundstone Advisory: http://www.foundstone.com/advisories.htm

----------------------------------------------------------------------

Description

Unify's eWave ServletExec is a JSP and Java Servlet engine used as a
plug-in to popular web servers such as Apache, IIS and Netscape.
ServletExec ships with a servlet called "UploadServlet" among its
server-side classes. When UploadServlet can be invoked, it allows an
attacker to upload any file to any directory on the server. The uploaded
file may contain code that can later be executed on the server, leading
to remote command execution.

Details

ServletExec has com.unify.ewave.servletexec.UploadServlet residing in its
server-side classes. Even though this servlet is not registered, it can
still be invoked on the server side with the following HTTP requests:

    nc 10.0.0.1 80
    GET /servlet/com.unify.ewave.servletexec.UploadServlet HTTP/1.0

    -or-

    http://10.0.0.1/servlet/com.unify.ewave.servletexec.UploadServlet

An attacker can create an HTML form on his or her local system that
submits to this servlet and uploads arbitrary files onto the server. A
sample of such a form is given below:

    (form markup not preserved in this copy; it had two fields)
    Upload Directory:  ____________
    File to Upload:    ____________

Using this upload form, an attacker can upload a file, for example a JSP
file, that can run arbitrary commands on the server side.

Solution

Upgrade to ServletExec version 3.0E, available at:
http://www.servletexec.com/downloads/

Please contact the vendor for further details at info@unify.com or
Unify Sales at 1-800-248-6439

Credits

We would like to thank Unify for their prompt reaction to this problem
and their co-operation in heightening awareness in the security community.

Disclaimer

The information contained in this advisory is the copyright (C) 2000 of
Foundstone, Inc. and believed to be accurate at the time of printing, but
no representation or warranty is given, express or implied, as to its
accuracy or completeness. Neither the author nor the publisher accepts any
liability whatsoever for any direct, indirect or consequential loss or
damage arising in any way from any use of, or reliance placed on, this
information for any purpose. This advisory may be redistributed provided
that no fee is assigned and that the advisory is not modified in any way.
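As an added illustration (not part of the Foundstone advisory or of Unify's product), the following Python script shows how a defender can check web-server access logs for requests to the UploadServlet class path given in the Details section above. It assumes Common/Combined Log Format lines; the sample log entries at the bottom are constructed for the example, not real traffic, and the percent-decoding step is a general log-hygiene measure rather than something the advisory describes.

```python
"""Scan web-server access logs for invocations of the ServletExec
UploadServlet class named in the advisory.

Added illustration, not part of Foundstone's advisory or Unify's product.
Assumes Common/Combined Log Format lines; the sample lines below are
constructed for the example, not real traffic."""
import re
from urllib.parse import unquote, urlsplit

# Fully qualified servlet class named in the advisory.
UPLOAD_SERVLET = "com.unify.ewave.servletexec.UploadServlet"

# Combined Log Format: host ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def normalize_path(raw_path):
    """Strip the query string, percent-decode twice (so double-encoded
    variants still match) and lower-case the result."""
    path = urlsplit(raw_path).path
    path = unquote(unquote(path))
    return path.lower()


def is_upload_servlet_request(raw_path):
    """True when the request path invokes UploadServlet by class name
    through the /servlet/ dispatcher, as in the advisory's GET request."""
    return "/servlet/" + UPLOAD_SERVLET.lower() in normalize_path(raw_path)


def scan_log(lines):
    """Return one finding dict per matching request; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_upload_servlet_request(m.group("path")):
            findings.append({
                "host": m.group("host"),
                "time": m.group("time"),
                "method": m.group("method"),
                "status": int(m.group("status")),
            })
    return findings


# Constructed sample log lines (not real traffic). The third and fourth
# entries show a POST and a percent-encoded class name that a naive
# string match on the literal path would miss.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Oct/2000:10:01:02 -0500] "GET /index.jsp HTTP/1.0" 200 512',
    '10.0.0.7 - - [31/Oct/2000:10:03:44 -0500] "GET /servlet/com.unify.ewave.servletexec.UploadServlet HTTP/1.0" 200 1024',
    '10.0.0.7 - - [31/Oct/2000:10:04:10 -0500] "POST /servlet/com.unify.ewave.servletexec.UploadServlet HTTP/1.0" 200 87',
    '10.0.0.9 - - [31/Oct/2000:10:05:00 -0500] "GET /servlet/com.unify.ewave.servletexec.%55ploadServlet HTTP/1.0" 200 1024',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['method']} status={f['status']}")
```

Any hit with a 2xx status on a ServletExec 3.0C install is worth treating as a possible upload, and the fix the advisory gives is the upgrade to 3.0E; a 404 on the same path after the upgrade is a quick confirmation that the class is no longer reachable by name.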