![[LWN Logo]](/images/lcorner.png) |
|
![[Timeline]](/images/Included.png) |
Date: Mon, 30 Oct 2000 13:27:02 -0800
From: Foundstone Labs <labs@FOUNDSTONE.COM>
Subject: Unify eWave ServletExec DoS
To: BUGTRAQ@SECURITYFOCUS.COM
Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"
Security Advisory
Unify eWave ServletExec DoS
----------------------------------------------------------------------
FS Advisory ID: FS-103000-15-SRVX
Release Date: October 30, 2000
Product: Unify eWave ServletExec 3.0C
Vendor: Unify Corp.
(http://www.unifyewave.com/servletexec/)
Type: Denial of Service
Severity: High
Author: Shreeraj Shah (shreeraj.shah@foundstone.com)
Saumil Shah (saumil.shah@foundstone.com)
Stuart McClure (stuart.mcclure@foundstone.com)
Foundstone, Inc. (http://www.foundstone.com)
Operating Systems: All operating systems supported by ServletExec
Vulnerable versions: Unify eWave ServletExec 3.0C
Foundstone Advisory: http://www.foundstone.com/advisories.htm
----------------------------------------------------------------------
Description
Unify's eWave ServletExec is a JSP and a Java Servlet engine
which is to be used as a plug-in to popular web servers like
Apache, IIS, Netscape, etc.
It is possible to send a URL request which causes the
ServletExec servlet engine to terminate abruptly. The web
server, however, is not affected.
Details
It is possible to forcibly invoke any servlet by prefixing
the path to servlet with "/servlet/" in the URL. A servlet
called "ServletExec" is present in the server side classes.
Invoking the "ServletExec" servlet via forced servlet
invocation causes the servlet engine to re-initialize and
attempt to bind a server thread on port 80. If the server is
already running, the port binding causes an exception and
the servlet engine terminates abruptly.
For example, if ServletExec is running on 10.0.0.1 as a plug-
in to a web server on port 80, an attacker can open a
connection to port 80 and make the following GET request that
causes the servlet engine to terminate abruptly.
nc 10.0.0.1 80
GET /servlet/ServletExec HTTP/1.0
Or simply access the URL http://10.0.0.1/servlet/ServletExec
from a browser to the same effect.
ServletExec generates java.net.BindException and kills the
servlet engine.
The following gets recorded in the log file:
Received an exception when starting ServletExec:
java.net.BindException:
Address in use: bind
Solution
Upgrade to ServletExec version 3.0E, available at:
http://www.servletexec.com/downloads/
Please contact the vendor for further details at
info@unify.com or Unify Sales at 1-800-248-6439
Credits
We would like to thank Unify for their prompt reaction to this
problem and their co-operation in heightening awareness in the
security community.
Disclaimer
The information contained in this advisory is the copyright (C)
2000 of Foundstone, Inc. and believed to be accurate at the time
of printing, but no representation or warranty is given, express
or implied, as to its accuracy or completeness. Neither the
author nor the publisher accepts any liability whatsoever for
any direct, indirect or conquential loss or damage arising in
any way from any use of, or reliance placed on, this information
for any purpose. This advisory may be redistributed provided that
no fee is assigned and that the advisory is not modified in any
way.