COMMAND

    ServletExec

SYSTEMS AFFECTED

    Unify eWave ServletExec 3.0C

PROBLEM

    The following is based on Foundstone Labs Security Advisory
    FS-103000-15-SRVX by Shreeraj Shah, Saumil Shah and Stuart McClure.
    Unify's eWave ServletExec is a JSP and Java Servlet engine that is
    used as a plug-in to popular web servers such as Apache, IIS and
    Netscape.

    It is possible to send a URL request which causes the  ServletExec
    servlet engine to terminate abruptly.  The web server, however, is
    not affected.

    It is possible to forcibly invoke any servlet by prefixing the path
    to the servlet with "/servlet/" in the URL. A servlet called
    "ServletExec" is present among the server-side classes.

    Invoking the "ServletExec"  servlet via forced  servlet invocation
    causes the servlet engine to  re-initialize and attempt to bind  a
    server thread on  port 80. If  the server is  already running, the
    port binding causes an exception and the servlet engine terminates
    abruptly.

    For example, if ServletExec is running on 10.0.0.1 as a plug-in to
    a web server on port 80, an attacker can open a connection to port
    80 and  make the  following GET  request that  causes the  servlet
    engine to terminate abruptly.

        nc 10.0.0.1 80
        GET /servlet/ServletExec HTTP/1.0

    Or simply access the URL http://10.0.0.1/servlet/ServletExec  from
    a browser to the same effect.

    ServletExec raises a java.net.BindException and the servlet engine
    dies. The following gets recorded in the log file:

        Received an exception when starting ServletExec:
        java.net.BindException: Address in use: bind
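    As an added example (not part of the advisory or of the ServletExec
    product), the following Python script shows how a defender can spot
    this condition from logs: it flags web-server access-log requests
    that force-invoke the ServletExec servlet, and checks the ServletExec
    log for the two-line BindException signature quoted above. The
    access-log lines are constructed samples in Common Log Format; the
    log file names and formats are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample web-server access log (Common Log Format); not from the advisory.
ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
10.0.0.9 - - [10/Oct/2000:13:56:01 -0700] "GET /servlet/ServletExec HTTP/1.0" 500 0
10.0.0.9 - - [10/Oct/2000:13:56:05 -0700] "GET /servlet/ServletExec?x=1 HTTP/1.0" 500 0
10.0.0.7 - - [10/Oct/2000:13:57:12 -0700] "GET /servlet/HelloWorld HTTP/1.0" 200 512
"""

# Constructed ServletExec log excerpt; only the two signature lines are quoted in the advisory.
SERVLETEXEC_LOG = """\
ServletExec 3.0C started
Received an exception when starting ServletExec:
java.net.BindException: Address in use: bind
"""

# Common Log Format: host ident user [timestamp] "method path protocol" status size
CLF_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def forced_servletexec_requests(log_text):
    """Return (client, timestamp, raw path) for every request that force-invokes
    the ServletExec servlet via the /servlet/ prefix the advisory describes.
    The path is URL-decoded, stripped of its query string and compared
    case-insensitively so that equivalent spellings are not missed."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed CLF
        path = unquote(m.group("path")).split("?", 1)[0]
        segments = [s for s in path.split("/") if s]
        if (len(segments) >= 2 and segments[0].lower() == "servlet"
                and segments[1].lower() == "servletexec"):
            hits.append((m.group("host"), m.group("ts"), m.group("path")))
    return hits

def engine_crashed(servletexec_log):
    """True when the ServletExec log contains the startup BindException
    signature, i.e. the engine tried to rebind port 80 and died."""
    lines = servletexec_log.splitlines()
    return any(lines[i].startswith("Received an exception when starting ServletExec")
               and "java.net.BindException" in lines[i + 1]
               for i in range(len(lines) - 1))

if __name__ == "__main__":
    for host, ts, path in forced_servletexec_requests(ACCESS_LOG):
        print(f"forced ServletExec invocation from {host} at {ts}: {path}")
    if engine_crashed(SERVLETEXEC_LOG):
        print("ServletExec log shows the engine died with java.net.BindException")
```

    A hit in the access log together with the BindException signature in
    the ServletExec log is the pattern to alert on until the upgrade below
    is applied.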

SOLUTION

    Upgrade to ServletExec version 3.0E, available at:

        http://www.servletexec.com/downloads/