Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability



Please remove this wrong report (no crash happens as reported and Pi3Web version 2.013 doesn't exist at all!!!) and inform all sites copying information from your site about the removal.

I am very disappointed about the fact that such reports are published without contacting software vendors or any attempt at verification/reproduction of the reported issues.

Unfortunately the published reports are copied by the whole "internet security community" within days (google for "Pi3Web ISAPI DoS vulnerability"). But a correction of a once reported issue is never copied. As representative of a small open source project without budget I can only contact a handful of security sites in order to comment on a wrong report.

But I can never repair the image demolition resulting from such false reports.

Therefore I will close the open source project Pi3Web for that reason, because wrong reports happened multiple times in the past.

My E-Mail to the original issuer of the report is attached below.
--
kind regards,
Holger Zimmermann


Hi Hamid,

I cannot reproduce, what you have tested. Whenever I enter
the following URL (hz is my test host):

http://hz/isapi/users.txt

I get the HTTP error 500 and a normal error page
as the response:

"500 Internal server error

The server encountered an internal error while processing this request."

Here is the access log fragment of this request (I tried it
multiple times):

192.168.1.5 hz.t-online.de - [22/Nov/2008:17:02:12 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:02:13 +0100] "GET /favicon.ico HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:12 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:14 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:14 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:14 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:15 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339

And here is the error log fragment:

[Fri Nov 21 16:53:17 2008 GMT] Server error log started
[Sat Nov 22 16:02:12 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:12 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:14 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:14 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:14 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:15 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error description is 'Win32 error code: 193'.

As you can see, the system error is caught and handled by the server; nothing crashes or stops the server. There's no reason for a DoS
vulnerability at all.

My server is Pi3Web 2.03 PL 2 and runs with Windows XP prof. DE SP 3.
I repeated the test with Pi3Web 2.03 PL 2 running on Windows XP
Embedded with exactly the same result.

I don't know about Pi3Web version 2.013 at all! The latest release
is Pi3Web 2.03 PL2. The older releases available at sourceforge.net
or pi3.org are Pi3Web 2.02, 2.01, 2.00 and 1.03.

Please check your results and don't publish the report before
a vulnerability has been proven.
--
regards,
Holger Zimmermann


Amirkabir University CSIRT Laboratory wrote:



Pi3Web ISAPI DoS vulnerability



Discovered by: Hamid Ebadi

CSIRT Team Member

Amirkabir University CSIRT Laboratory (APA Laboratory)



autcert@xxxxxxxxx


Introduction

Pi3Web is a free, multithreaded, highly configurable and extensible HTTP server and development environment for cross-platform internet server development and deployment. Pi3Web is vulnerable to a denial of service (DoS) vulnerability whenever an invalid ISAPI module is requested from the server.



Vulnerable version

Pi3Web <=2.0.13



Vulnerability

By requesting the following URL from pi3web the server crashes:

http://WEB_SITE/isapi/users.txt



EnhPi3.exe - Bad Image

"The application or DLL c:\Pi3Web\Isapi\users.txt is not a valid Windows image. Please check this against your installation diskette."

The vulnerability is caused.



The crash is due to insufficient checks for incoming requests. Whenever a file in the ISAPI directory which is not a valid DLL is requested, the server tries to load it into memory as a DLL library and a crash happens.



Workaround

Before an official patch is released, use one of the following workarounds to mitigate the problem:



1. Disable ISAPI mapping in server configuration in Server Admin > Mapping Tab.

2. Delete the users.txt, install.daf and readme.daf in the ISAPI folder.





Credit

This vulnerability has been discovered by Hamid Ebadi from the Amirkabir University CSIRT Laboratory.



autcert@xxxxxxxxx

https://www.ircert.cc
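The disagreement above turns on one point: what a server does when the path mapped to an ISAPI handler is not a loadable DLL. Win32 error code 193 in the error log is ERROR_BAD_EXE_FORMAT, the code the Windows loader returns when the file has no valid MZ/PE headers. A robust handler never reaches that loader call for a file like users.txt: it checks the mapped path's extension and the file's image headers first and answers with a 500, which is the behaviour the access log in the thread shows. The following C example is added here as an illustration and is not Pi3Web's code; the function names, the ISAPI_* result codes and the sample file contents are constructed for this example, and the PE check is the minimal header test rather than a full image validation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Result of vetting an ISAPI module before any load attempt (constructed enum). */
enum isapi_check {
    ISAPI_OK = 0,
    ISAPI_BAD_EXTENSION,  /* mapped file is not *.dll, e.g. users.txt */
    ISAPI_BAD_IMAGE       /* no MZ/PE headers: the loader would fail with error 193 */
};

/* Constructed sample: a plain text file that a request could map to. */
const uint8_t SAMPLE_USERS_TXT[] = "admin:secret\nguest:guest\n";
const size_t SAMPLE_USERS_TXT_LEN = sizeof(SAMPLE_USERS_TXT) - 1;

/* Case-insensitive check that the path ends in ".dll". */
static int has_dll_extension(const char *path) {
    const char *want = ".dll";
    size_t n = strlen(path);
    if (n < 4) return 0;
    for (size_t i = 0; i < 4; i++)
        if (tolower((unsigned char)path[n - 4 + i]) != want[i]) return 0;
    return 1;
}

/* Minimal PE sanity check: "MZ" at offset 0, the e_lfanew field at 0x3C
 * pointing inside the buffer, and "PE\0\0" at that offset. A text file
 * fails on the very first byte, so the loader is never asked to map it. */
static int looks_like_pe(const uint8_t *buf, size_t len) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return 0;
    uint32_t e_lfanew = (uint32_t)buf[0x3C] | ((uint32_t)buf[0x3D] << 8)
                      | ((uint32_t)buf[0x3E] << 16) | ((uint32_t)buf[0x3F] << 24);
    if (e_lfanew > len - 4) return 0;
    return memcmp(buf + e_lfanew, "PE\0\0", 4) == 0;
}

/* Vet a mapped ISAPI path and the bytes read from it before loading. */
enum isapi_check vet_isapi_module(const char *path, const uint8_t *contents, size_t len) {
    if (!has_dll_extension(path)) return ISAPI_BAD_EXTENSION;
    if (!looks_like_pe(contents, len)) return ISAPI_BAD_IMAGE;
    return ISAPI_OK;
}

/* HTTP status the server answers with: 500 for anything it refuses to load,
 * matching the "500 339" entries in the access log above. */
int isapi_status_for(enum isapi_check c) {
    return c == ISAPI_OK ? 200 : 500;
}

/* Build a constructed 0x44-byte buffer with just enough header to pass
 * looks_like_pe(): MZ stub, e_lfanew = 0x40, "PE\0\0" at 0x40. */
size_t build_minimal_pe_stub(uint8_t *out, size_t cap) {
    if (cap < 0x44) return 0;
    memset(out, 0, 0x44);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = 0x40;                 /* little-endian e_lfanew */
    memcpy(out + 0x40, "PE\0\0", 4);
    return 0x44;
}

/* Vets the constructed PE stub under a .dll name; returns 1 when accepted. */
int demo_minimal_pe_accepted(void) {
    uint8_t pe[0x44];
    size_t n = build_minimal_pe_stub(pe, sizeof pe);
    return vet_isapi_module("C:\\Pi3Web\\Isapi\\hello.DLL", pe, n) == ISAPI_OK;
}

int main(void) {
    enum isapi_check c = vet_isapi_module("C:\\Pi3Web\\Isapi\\users.txt",
                                          SAMPLE_USERS_TXT, SAMPLE_USERS_TXT_LEN);
    printf("users.txt -> check %d, HTTP %d\n", (int)c, isapi_status_for(c));
    printf("minimal PE stub accepted: %d\n", demo_minimal_pe_accepted());
    return 0;
}
```

The extension test catches the case from the advisory on its own; the header test additionally covers a file that was renamed to .dll but is not an image, which would otherwise reach the loader and come back with the same error 193.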






