<<< Date Index >>>     <<< Thread Index >>>

Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability



Please remove this wrong report (no crash happens as reported and Pi3Web 
version 2.013 doesn't exist at all!!!) and inform all sites copying information 
from your site about the removal.

I am very disapointed about the fact, that such reports are published without 
contacting software vendors or any attempt of verification/reproduction of 
reported issues. 

Unfortunately the published reports are copied by the whole "internet security 
community" within days (google for "Pi3Web ISAPI DoS vulnerability"). But a 
correction of an once reported issue is never copied. As representant of a 
small open source project without budget I can only contact a handful of 
security sites in order to comment a wrong report.

But I can never repair the image demolition resulting from such false reports.

Therefore I will close the open source project Pi3Web for that reason, because 
wrong reports happened multiple times in the past.

My E-Mail to the original issuer of the report is attached below.
-- 
kind regards,
Holger Zimmermnn


Hi Hamid,

I cannot reproduce, what you have tested. Whenever I enter
the following URL (hz is my test host):

http://hz/isapi/users.txt

I get the HTTP error 500 and a normal error page
as the response:

"500 Internal server error

The server encountered an internal error while processing this request."

Here is the access log fragment of this request (I tried it
multiple times):

192.168.1.5 hz.t-online.de - [22/Nov/2008:17:02:12 +0100] "GET /isapi/users.txt 
HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:02:13 +0100] "GET /favicon.ico 
HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:12 +0100] "GET /isapi/users.txt 
HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:14 +0100] "GET /isapi/users.txt 
HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:14 +0100] "GET /isapi/users.txt 
HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:14 +0100] "GET /isapi/users.txt 
HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:15 +0100] "GET /isapi/users.txt 
HTTP/1.1" 500 339

And here is the error log: fragment

[Fri Nov 21 16:53:17 2008 GMT] Server error log started
[Sat Nov 22 16:02:12 2008 GMT] ISAPI20: ISAPI DLL with path 
'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 
error code: 193'.
[Sat Nov 22 16:05:12 2008 GMT] ISAPI20: ISAPI DLL with path 
'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 
error code: 193'.
[Sat Nov 22 16:05:14 2008 GMT] ISAPI20: ISAPI DLL with path 
'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 
error code: 193'.
[Sat Nov 22 16:05:14 2008 GMT] ISAPI20: ISAPI DLL with path 
'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 
error code: 193'.
[Sat Nov 22 16:05:14 2008 GMT] ISAPI20: ISAPI DLL with path 
'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 
error code: 193'.
[Sat Nov 22 16:05:15 2008 GMT] ISAPI20: ISAPI DLL with path 
'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 
error code: 193'.

As you can see, the system error is catched and handled by the server, nothing 
crashes or stops the server. There's no reason for a DOS
vulnerability at all.

My server is Pi3Web 2.03 PL 2 and runs with Windows XP prof. DE SP 3.
I repeated the test with Pi3Web 2.03 PL 2 running on Windows XP
Embedded with exactly the same result.

I don't know about Pi3Web version 2.013 at all! The latest release
is Pi3Web 2.03 PL2. The older releases available at sourcforge.net
or pi3.org are Pi3Web 2.02, 2.01, 2.00 and 1.03.

Please check your results and don't publish the report, before
a vulnerability has been proofed.
-- 
regards,
Holger Zimmermann


Amirkabir University CSIRT Laboratory schrieb:
>
>
>
> *Pi3Web ISAPI DoS vulnerability *
>
>
>
> Discovered by: Hamid Ebadi
>
> CSIRT Team Member
>
> Amirkabir University CSIRT Laboratory (APA Laboratory)
>
>
>
> autcert@xxxxxxxxx
>
> *   *
>
> *   *
>
> *Introduction *
>
> Pi3Web is a free, multithreaded, highly configurable and extensible HTTP 
> server and development environment for cross platform internet server 
> development and deployment. Pi3web is vulnerable to a denial of service (DoS) 
> vulnerability whenever an invalid ISAPI module is requested from server.
>
>
>
> *Vulnerable version *
>
> Pi3Web <=2.0.13
>
>
>
> *Vulnerability *
>
> By requesting the following URL from pi3web the server crashes:
>
> http://WEB_SITE/isapi/users.txt
>
>
>
> EnhPi3.exe -Bad Image
>
> The application or DLL c:\Pi3Web\Isapi\users.txt is not a valid Windows 
> image. Please check this against your installation diskette The vulnerability 
> is caused.
>
>
>
> The crash is due to insufficient checks for incoming requests. Whenever a 
> file in ISAPI directory, which is not a valid DLL is requested, the server 
> tries to load it into memory as a DLL library and a crash happens.
>
>
>
> *Workaround *
>
> Before an official patch is released, use one of the following workarounds to 
> mitigate the problem:
>
>
>
> 1. Disable ISAPI mapping in server configuration in Server Admin > Mapping 
> Tab.
>
> 2. Delete the users.txt, install.daf and readme.daf in ISAPI folder.
>
>
>
>
>
> *Credit*
>
> This vulnerability has been discovered by Hamid Ebadi from Amirkabir 
> university CSIRT laboratory.
>
>
>
> autcert@xxxxxxxxx
>
> https://www.ircert.cc
>
>
>
>