Wrong report: BID 32287, Pi3Web ISAPI DoS vulnerability

[zimpel () t-online de]

Please remove this wrong report (no crash happens as reported and Pi3Web version 2.013 doesn't exist at all!!!) and 
inform all sites copying information from your site about the removal.

I am very disapointed about the fact, that such reports are published without contacting software vendors or any 
attempt of verification/reproduction of reported issues. 

Unfortunately the published reports are copied by the whole "internet security community" within days (google for 
"Pi3Web ISAPI DoS vulnerability"). But a correction of an once reported issue is never copied. As representant of a 
small open source project without budget I can only contact a handful of security sites in order to comment a wrong 
report.

But I can never repair the image demolition resulting from such false reports.

Therefore I will close the open source project Pi3Web for that reason, because wrong reports happened multiple times in 
the past.

My E-Mail to the original issuer of the report is attached below.
-- 
kind regards,
Holger Zimmermnn


Hi Hamid,

I cannot reproduce, what you have tested. Whenever I enter
the following URL (hz is my test host):

http://hz/isapi/users.txt

I get the HTTP error 500 and a normal error page
as the response:

"500 Internal server error

The server encountered an internal error while processing this request."

Here is the access log fragment of this request (I tried it
multiple times):

192.168.1.5 hz.t-online.de - [22/Nov/2008:17:02:12 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:02:13 +0100] "GET /favicon.ico HTTP/1.1" 200 973
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:12 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:14 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:14 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:14 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339
192.168.1.5 hz.t-online.de - [22/Nov/2008:17:05:15 +0100] "GET /isapi/users.txt HTTP/1.1" 500 339

And here is the error log: fragment

[Fri Nov 21 16:53:17 2008 GMT] Server error log started
[Sat Nov 22 16:02:12 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error 
description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:12 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error 
description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:14 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error 
description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:14 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error 
description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:14 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error 
description is 'Win32 error code: 193'.
[Sat Nov 22 16:05:15 2008 GMT] ISAPI20: ISAPI DLL with path 'C:\Pi3Web\Isapi\users.txt' could not be loaded, error 
description is 'Win32 error code: 193'.

As you can see, the system error is catched and handled by the server, nothing crashes or stops the server. There's no 
reason for a DOS
vulnerability at all.

My server is Pi3Web 2.03 PL 2 and runs with Windows XP prof. DE SP 3.
I repeated the test with Pi3Web 2.03 PL 2 running on Windows XP
Embedded with exactly the same result.

I don't know about Pi3Web version 2.013 at all! The latest release
is Pi3Web 2.03 PL2. The older releases available at sourcforge.net
or pi3.org are Pi3Web 2.02, 2.01, 2.00 and 1.03.

Please check your results and don't publish the report, before
a vulnerability has been proofed.
-- 
regards,
Holger Zimmermann


Amirkabir University CSIRT Laboratory schrieb:
> *Pi3Web ISAPI DoS vulnerability *
>
>
>
> Discovered by: Hamid Ebadi
>
> CSIRT Team Member
>
> Amirkabir University CSIRT Laboratory (APA Laboratory)
>
>
>
> autcert () aut ac ir
>
> *   *
>
> *   *
>
> *Introduction *
>
> Pi3Web is a free, multithreaded, highly configurable and extensible HTTP server and development environment for cross 
> platform internet server development and deployment. Pi3web is vulnerable to a denial of service (DoS) vulnerability 
> whenever an invalid ISAPI module is requested from server.
>
>
>
> *Vulnerable version *
>
> Pi3Web <=2.0.13
>
>
>
> *Vulnerability *
>
> By requesting the following URL from pi3web the server crashes:
>
> http://WEB_SITE/isapi/users.txt
>
>
>
> EnhPi3.exe -Bad Image
>
> The application or DLL c:\Pi3Web\Isapi\users.txt is not a valid Windows image. Please check this against your 
> installation diskette The vulnerability is caused.
>
>
>
> The crash is due to insufficient checks for incoming requests. Whenever a file in ISAPI directory, which is not a 
> valid DLL is requested, the server tries to load it into memory as a DLL library and a crash happens.
>
>
>
> *Workaround *
>
> Before an official patch is released, use one of the following workarounds to mitigate the problem:
>
>
>
> 1. Disable ISAPI mapping in server configuration in Server Admin > Mapping Tab.
>
> 2. Delete the users.txt, install.daf and readme.daf in ISAPI folder.
>
>
>
>
>
> *Credit*
>
> This vulnerability has been discovered by Hamid Ebadi from Amirkabir university CSIRT laboratory.
>
>
>
> autcert () aut ac ir
>
> https://www.ircert.cc