
Pi3Web ISAPI DoS vulnerability - wrong report

Security
2008-11-22
2013-03-22
  • Holger Zimmermann

    Pi3Web version 2.0.13 doesn't exist. I cannot reproduce what has been tested. Whenever I enter the following URL (hz is my test host):

    http://hz/isapi/users.txt

    I get the HTTP error 500 and a normal error page as the response:

    "500 Internal server error

    The server encountered an internal error while processing this request."

    Access log fragment:
    192.168.1.5 hz.t-online.de - [22/Nov/2008:17:02:12 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
    192.168.1.5 hz.t-online.de - [22/Nov/2008:17:02:13 +0100] "GET /favicon.ico HTTP/1.1" 200 973

    Error log fragment:
    [Fri Nov 21 16:53:17 2008 GMT] Server error log started
    [Sat Nov 22 16:02:12 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not

    There's no server crash and the server doesn't stop responding, i.e. no DoS vulnerability.

    Here is the original report:

    Amirkabir University CSIRT Laboratory wrote:
    >
    > *Pi3Web ISAPI DoS vulnerability *
    >

    >
    > Discovered by: Hamid Ebadi
    >
    > CSIRT Team Member
    >
    > Amirkabir University CSIRT Laboratory (APA Laboratory)
    >

    >
    > autcert@aut.ac.ir
    >
    > *Introduction *
    >
    > Pi3Web is a free, multithreaded, highly configurable and extensible HTTP server and development environment for cross platform internet server development and deployment. Pi3web is vulnerable to a denial of service (DoS) vulnerability whenever an invalid ISAPI module is requested from server.
    >

    >
    > *Vulnerable version *
    >
    > Pi3Web <=2.0.13
    >

    >
    > *Vulnerability *
    >
    > By requesting the following URL from pi3web the server crashes:
    >
    > http://WEB_SITE/isapi/users.txt
    >

    >
    > EnhPi3.exe -Bad Image
    >
    > The application or DLL c:\Pi3Web\Isapi\users.txt is not a valid Windows image. Please check this against your installation diskette.
    >
    > The vulnerability is caused.
    >

    >
    > The crash is due to insufficient checks for incoming requests. Whenever a file in ISAPI directory, which is not a valid DLL is requested, the server tries to load it into memory as a DLL library and a crash happens.
    >

    >
    > *Workaround *
    >
    > Before an official patch is released, use one of the following workarounds to mitigate the problem:
    >

    >
    > 1. Disable ISAPI mapping in server configuration in Server Admin > Mapping Tab.
    >
    > 2. Delete the users.txt, install.daf and readme.daf in ISAPI folder.
    >

    >

    >
    > *Credit*
    >
    > This vulnerability has been discovered by Hamid Ebadi from Amirkabir university CSIRT laboratory.

    • Holger Zimmermann

      I could finally reproduce the problem, when I used the Pi3Web 2.0.3
      release without any patches. After applying the available patches
      in the intended (incremental) order to this installation, with
      Pi3Web 2.0.3 PL2 the issue disappeared.

      It seems the creator of the original report has not used a
      properly maintained Pi3Web 2.0.3 with PL2 applied. The required
      patch PL2 has been publicly available since April 2007.

      FINAL RESULT

      No vulnerability:
      - with a properly maintained Pi3Web version 2.0.3 with incremental
        patches up to PL2 applied
      - OR - when Pi3Web is installed as a Windows service
      - OR - when configuration template Pi3Web/Conf/Internet.pi3 is used

      Vulnerability (remote DoS in the reported way) confirmed:
      - Pi3Web version 2.0.3 without any available patches installed
      - AND - Pi3Web is installed as a desktop application
      - AND - configuration template Pi3Web/Conf/Internet.pi3 is not used

      Normally all three topics have to be considered when the server
      is installed as a remotely accessible (internet) server.

      Older versions may be vulnerable under the same condition (installation
      as a desktop application) but a number of independent solutions are
      available:

      - use configuration template internet.pi3 as basis to setup own
        internet servers
      - delete the ISAPI (and other!) examples manually
      - apply one (and only one) of the following configuration changes:

        1.) supplement the mapping directive for ISAPI:
        Mapping Condition="&or(&regexp('*.dll*',$U),&regexp('*.dll',$f))"
          ISAPIMapper From="/isapi/" To="Isapi\"

        2.) add to the ISAPI handler object:
        CheckPath Condition="&not(&and(&regexp('*.dll*',$U),
          &regexp('*.dll',$f)))" StatusCode StatusCode="404"

      PROPOSED ACTIONS
      Please check the Pi3Web server installation to ensure, that all
      available patches have been applied. All updates and patches
      for release Pi3Web can be downloaded here:

      https://sourceforge.net/project/showfiles.php?group_id=17753&package_id=16751&release_id=257565

      For people, who use the web site www.pi3.org (and not the project
      web site at sourceforge) I added a hint/link in the download area
      to look for recent updates and patches at sourceforge.

      Users of older versions should update to Pi3Web 2.0.3, apply
      the proposed configuration change or delete the ISAPI examples
      completely from the ISAPI folder.
      --

      kind regards,
      Holger Zimmermann

    • Holger Zimmermann

      The patch PL3 for Pi3Web 2.0.3 fixes the behaviour that the Windows error dialog box is shown when the server has been installed in desktop mode and a URI like /isapi/users.txt is requested. HTTP status is set to 404 when a URI is requested which is not mapped to a valid Win32 DLL image but to another file.

      This should finish all discussions, whether this behaviour is a DoS or not.
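The check the thread converges on, written out as an added example in Python that is not Pi3Web's own code: the unpatched mapping hands every /isapi/ URI to the DLL loader (which is how /isapi/users.txt reached it), while the hardened version applies the two conditions from the configuration change proposed above (*.dll* on the URI $U, *.dll on the mapped file $f), keeps the resolved path inside the ISAPI directory, and sniffs the MZ/PE header so that a non-image file merely named *.dll is also answered with 404, the status PL3 is described as returning. The split of the URI into script name and PATH_INFO at the first .dll segment, the directory name Isapi and the sample files are assumptions made for the example.

```python
"""Added example (not Pi3Web's own code): a model of the ISAPI dispatch gate
discussed in the thread.  vulnerable_resolve() maps every /isapi/ URI straight
to a file name, hardened_resolve() applies the *.dll* / *.dll conditions, path
confinement and a PE header check before a file could reach LoadLibrary.
Assumption: ISAPI script name / PATH_INFO split at the first .dll segment."""
import struct
import tempfile
from pathlib import Path

ISAPI_PREFIX = "/isapi/"   # the Mapping From="/isapi/" value in the thread


def vulnerable_resolve(uri: str, root: Path):
    """Unpatched behaviour from the report: anything under /isapi/ becomes a
    file name that is handed to the DLL loader, extension unchecked."""
    if not uri.startswith(ISAPI_PREFIX):
        return None
    return root / uri[len(ISAPI_PREFIX):].split("?", 1)[0]


def looks_like_pe(path: Path) -> bool:
    """True if the file starts with an MZ header whose e_lfanew field points
    at a 'PE\\0\\0' signature; a text file such as users.txt fails this."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        f.seek(e_lfanew)
        return f.read(4) == b"PE\x00\x00"


def hardened_resolve(uri: str, root: Path):
    """Returns (status, script_path, path_info).  404 unless the URI names a
    .dll segment (the &regexp('*.dll*',$U) condition), the mapped file ends
    in .dll (the &regexp('*.dll',$f) condition), stays under root, and is a
    real PE image.  Only then would a server call LoadLibrary on it."""
    if not uri.startswith(ISAPI_PREFIX):
        return 404, None, None
    segments = uri[len(ISAPI_PREFIX):].split("?", 1)[0].split("/")
    # Assumption: script name ends at the first *.dll segment, rest is PATH_INFO.
    for i, seg in enumerate(segments):
        if seg.lower().endswith(".dll"):
            script = "/".join(segments[: i + 1])
            path_info = "/" + "/".join(segments[i + 1:]) if i + 1 < len(segments) else ""
            break
    else:
        return 404, None, None
    root = root.resolve()
    candidate = (root / script).resolve()
    if root not in candidate.parents:          # blocks /isapi/../../x.dll
        return 404, None, None
    if candidate.suffix.lower() != ".dll" or not candidate.is_file():
        return 404, None, None
    if not looks_like_pe(candidate):            # *.dll in name only
        return 404, None, None
    return 200, candidate, path_info


def build_fixture(root: Path) -> None:
    """Constructed sample ISAPI directory: the users.txt from the report, a
    stub with a valid MZ/PE header, and a text file merely named *.dll."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "users.txt").write_text("sample user list\n")
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)      # 64-byte DOS header
    struct.pack_into("<I", stub, 0x3C, 0x40)      # e_lfanew -> offset 0x40
    stub += b"PE\x00\x00"
    (root / "ok.dll").write_bytes(stub)
    (root / "notdll.dll").write_text("plain text named .dll\n")


def demo() -> dict:
    """Runs both resolvers over constructed requests; returns
    uri -> (hardened status, path_info, unpatched loader target or None)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Isapi"
        build_fixture(root)
        uris = ["/isapi/users.txt", "/isapi/ok.dll", "/isapi/ok.dll/extra?x=1",
                "/isapi/notdll.dll", "/isapi/../../ok.dll", "/cgi-bin/x.dll"]
        out = {}
        for u in uris:
            status, _, info = hardened_resolve(u, root)
            v = vulnerable_resolve(u, root)
            out[u] = (status, info, v.relative_to(root).as_posix() if v else None)
        return out


if __name__ == "__main__":
    for uri, (status, info, target) in demo().items():
        print(f"{uri:28} hardened={status} path_info={info!r} unpatched_loads={target}")
```

The unpatched resolver would pass users.txt, notdll.dll and even a traversal target straight to the loader; the hardened one answers all of them with 404 and only lets ok.dll (with or without trailing PATH_INFO) through. On Windows the loader's "Bad Image" dialog is exactly what the PE header sniff keeps out of reach.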

