Multiple vulnerabilities in w3who ISAPI DLL
Exaprobe
www.exaprobe.com
Security Advisory
Advisory Name: Multiple vulnerabilities in w3who
Release Date: 6 December 2004
Application: Microsoft ISAPI extension w3who.dll
Platform: Windows 2000/XP Resource Kit
Severity: Remote code execution
Author: Nicolas Gregoire <ngregoire@xxxxxxxxxxxx>
Vendor Status: Affected code is no more available
CVE Candidates: CAN-2004-1133 and CAN-2004-1135
Reference: www.exaprobe.com/labs/advisories/esa-2004-1206.html
Overview :
==========
>From the Windows 2000 Resource Kit documentation :
"W3Who is an Internet Server Application Programming Interface
(ISAPI) application dynamic-link library (DLL) that works within
a Web page to display information about the calling context of
the client browser and the configuration of the host server."
Details :
=========
There're two basic XSS vulnerabilities, and an easily exploitable
buffer-overflow.
XSS vulnerability when displaying HTTP headers :
Connection: keep-alive<script>alert("Hello")</script>
XSS vulnerability in error message :
/scripts/w3who.dll?bogus=<script>alert("Hello")</script>
Buffer overflow when called with long parameters :
/scripts/w3who.dll?AAAAAAAAA...[519 to 12571]....AAAAAAAAAAAAA
Vendor Response :
=================
After notification by Exaprobe, Microsoft choosed to remove
the web download of this component and do not have any plans
to issue an updated version.
Recommendation :
================
Restrict access to the DLL.
Do not use it on production servers.
Related code :
==============
Thanks to HD Moore, a Metasploit plugin will be integrated in the
upcoming release of the Metasploit Framework.
A NASL script has been sent to Nessus developpers.
CVE Information :
=================
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CAN-2004-1133 Cross-site scripting issues in w3who.dll
CAN-2004-1134 Buffer-overflow in w3who.dll
--
Nicolas Gregoire ----- Consultant en Sécurité des Systèmes d'Information
ngregoire@xxxxxxxxxxxx ------[ ExaProbe ]------ http://www.exaprobe.com/
PGP KeyID:CA61B44F FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F