Vulnerabilities in Pi3Web Server

2001-02-16T00:00:00
ID SECURITYVULNS:DOC:1295
Type securityvulns
Reporter Securityvulns
Modified 2001-02-16T00:00:00

Description

----- Begin Hush Signed Message from joetesta@hushmail.com -----

Vulnerabilities in Pi3Web Server

Overview

Pi3Web v1.0.1 is a web server available from http://www.zdnet.com. A vulnerability exists in the server's internal ISAPI handling procedures which results in a buffer overflow. The server also reveals the physical path of the web root upon encountering a 404 error.

Details

Here is an example URL that overflows a buffer in Pi3Web's executable:

    http://localhost/isapi/tstisapi.dll?[a lot of 'A's]

This results in the following crash:

ENHPI3 caused an invalid page fault in module <unknown> at 0000:41414141. Registers: EAX=00000001 CS=017f EIP=41414141 EFLGS=00010206 EBX=0123d1b0 SS=0187 ESP=041df3b0 EBP=041dfed4 ECX=00000000 DS=0187 ESI=041df3f0 FS=3e6f EDX=00000000 ES=0187 EDI=00000000 GS=0000 Bytes at CS:EIP:

Stack dump: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141 00bb0b2c 00000000 05611030

To discover the physical path of the web root:

    http://localhost/[any string which causes a 404 error]

The server responds with:

    The original URL path was:
    /sadfasdf

    The mapped physical path was:
    C:&#92;PI3WEB&#92;WebRoot&#92;sadfasdf




Solution

The buffer overflow can be prevented by deleting the ISAPI module named 'tstisapi.dll'. There is no quick solution for the web root disclosure.

Vendor Status

The author, John Roy, was contacted via <jproy@WORLD.STD.COM> on Monday, February 5, 2001. No reply was received.

- Joe Testa  &#40; e-mail: joetesta@hushmail.com / AIM: LordSpankatron &#41;

----- Begin Hush Signature v1.3 ----- B2izikZHXZBSe741WqgWmHVTt5g5goAcqJzAz0tPWIrMzvB0fUWonV8Q6SUq4x4PTs+t Fqyz4+UGHO1T/IunO4J4uML1McFFFDLqSXJDyeZYd6ZvryQzRY+6WEeaBEVFFLI5X+yq F/nobN22dvqdFHrJ9PVBdYa88NieXkpAY1el3gHXiaGqYcWM1lMoub5WttkwNx9Irzpb CJlaASStNBTRBkSn84x5YkgDOgiANl7VafyNamn3X3uhJ5SHghXnUCvpueGKj6Yna9Dv wKHdyV3pg2r/UiFOfx7fy4BC5L8VOSsQZl420F1rBLxdwpnqqU3g8yiTsSs2HxG3arIF /xxa9llCxo+zKaGppx/6HGIhF8k2S6qfJcYlgmd5YhdQWMuH0A/XQhqxIGNxgJ6nY7mU qbAW7gyoXV0OFYQivjHzq6zaLE8Q7uGqBodkF/CkvbuXSAeENgECSew5bz2EblGV1Ymb 6VlmOeX5w964o01o2/2v+oFNItGYbD9N9LkHNSwNjwH4 ----- End Hush Signature v1.3 ----- \n\nThis message has been signed with a Hush Digital Signature. \nTo verify the signature, please go to www.hush.com/tools\n\n