[VulnWatch] Multiple vulnerabilities in w3who ISAPI DLL

From: Nicolas Gregoire (ngregoire@private)
Date: Mon Dec 06 2004 - 03:40:39 PST

Next in thread: Nicolas Gregoire: "[VulnWatch] Re: [Full-Disclosure] Multiple vulnerabilities in w3who ISAPI DLL"
Reply: Nicolas Gregoire: "[VulnWatch] Re: [Full-Disclosure] Multiple vulnerabilities in w3who ISAPI DLL"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

                             Exaprobe
                         www.exaprobe.com

                         Security Advisory


 Advisory Name: Multiple vulnerabilities in w3who
  Release Date: 6 December 2004
   Application: Microsoft ISAPI extension w3who.dll
      Platform: Windows 2000/XP Resource Kit
      Severity: Remote code execution
        Author: Nicolas Gregoire <ngregoire@private>
 Vendor Status: Affected code is no more available
CVE Candidates: CAN-2004-1133 and CAN-2004-1135
     Reference: www.exaprobe.com/labs/advisories/esa-2004-1206.html


Overview :
==========

>From the Windows 2000 Resource Kit documentation :

"W3Who is an Internet Server Application Programming Interface
(ISAPI) application dynamic-link library (DLL) that works within
a Web page to display information about the calling context of
the client browser and the configuration of the host server."


Details :
=========

There're two basic XSS vulnerabilities, and an easily exploitable
buffer-overflow.

XSS vulnerability when displaying HTTP headers :
Connection: keep-alive<script>alert("Hello")</script>

XSS vulnerability in error message :
/scripts/w3who.dll?bogus=<script>alert("Hello")</script>

Buffer overflow when called with long parameters :
/scripts/w3who.dll?AAAAAAAAA...[519 to 12571]....AAAAAAAAAAAAA


Vendor Response :
=================

After notification by Exaprobe, Microsoft choosed to remove
the web download of this component and do not have any plans
to issue an updated version.


Recommendation :
================

Restrict access to the DLL.
Do not use it on production servers. 


Related code :
==============

Thanks to HD Moore, a Metasploit plugin will be integrated in the
upcoming release of the Metasploit Framework.
A NASL script has been sent to Nessus developpers.


CVE Information :
=================

The Common Vulnerabilities and Exposures (CVE) project has assigned 
the following names to these issues.  These are candidates for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.

  CAN-2004-1133  Cross-site scripting issues in w3who.dll
  CAN-2004-1134  Buffer-overflow in w3who.dll


-- 
Nicolas Gregoire ----- Consultant en Sécurité des Systèmes d'Information
ngregoire@private ------[ ExaProbe ]------ http://www.exaprobe.com/
PGP KeyID:CA61B44F  FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F

Next in thread: Nicolas Gregoire: "[VulnWatch] Re: [Full-Disclosure] Multiple vulnerabilities in w3who ISAPI DLL"
Reply: Nicolas Gregoire: "[VulnWatch] Re: [Full-Disclosure] Multiple vulnerabilities in w3who ISAPI DLL"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Mon Dec 06 2004 - 08:16:55 PST