Date: Mon, 30 Oct 2000 13:27:02 -0800 From: Foundstone Labs <labs@FOUNDSTONE.COM> Subject: Unify eWave ServletExec DoS To: BUGTRAQ@SECURITYFOCUS.COM Foundstone, Inc. http://www.foundstone.com "Securing the Dot Com World" Security Advisory Unify eWave ServletExec DoS ---------------------------------------------------------------------- FS Advisory ID: FS-103000-15-SRVX Release Date: October 30, 2000 Product: Unify eWave ServletExec 3.0C Vendor: Unify Corp. (http://www.unifyewave.com/servletexec/) Type: Denial of Service Severity: High Author: Shreeraj Shah (shreeraj.shah@foundstone.com) Saumil Shah (saumil.shah@foundstone.com) Stuart McClure (stuart.mcclure@foundstone.com) Foundstone, Inc. (http://www.foundstone.com) Operating Systems: All operating systems supported by ServletExec Vulnerable versions: Unify eWave ServletExec 3.0C Foundstone Advisory: http://www.foundstone.com/advisories.htm ---------------------------------------------------------------------- Description Unify's eWave ServletExec is a JSP and a Java Servlet engine which is to be used as a plug-in to popular web servers like Apache, IIS, Netscape, etc. It is possible to send a URL request which causes the ServletExec servlet engine to terminate abruptly. The web server, however, is not affected. Details It is possible to forcibly invoke any servlet by prefixing the path to servlet with "/servlet/" in the URL. A servlet called "ServletExec" is present in the server side classes. Invoking the "ServletExec" servlet via forced servlet invocation causes the servlet engine to re-initialize and attempt to bind a server thread on port 80. If the server is already running, the port binding causes an exception and the servlet engine terminates abruptly. For example, if ServletExec is running on 10.0.0.1 as a plug- in to a web server on port 80, an attacker can open a connection to port 80 and make the following GET request that causes the servlet engine to terminate abruptly. nc 10.0.0.1 80 GET /servlet/ServletExec HTTP/1.0 Or simply access the URL http://10.0.0.1/servlet/ServletExec from a browser to the same effect. ServletExec generates java.net.BindException and kills the servlet engine. The following gets recorded in the log file: Received an exception when starting ServletExec: java.net.BindException: Address in use: bind Solution Upgrade to ServletExec version 3.0E, available at: http://www.servletexec.com/downloads/ Please contact the vendor for further details at info@unify.com or Unify Sales at 1-800-248-6439 Credits We would like to thank Unify for their prompt reaction to this problem and their co-operation in heightening awareness in the security community. Disclaimer The information contained in this advisory is the copyright (C) 2000 of Foundstone, Inc. and believed to be accurate at the time of printing, but no representation or warranty is given, express or implied, as to its accuracy or completeness. Neither the author nor the publisher accepts any liability whatsoever for any direct, indirect or conquential loss or damage arising in any way from any use of, or reliance placed on, this information for any purpose. This advisory may be redistributed provided that no fee is assigned and that the advisory is not modified in any way.