[VulnWatch] Multiple vulnerabilities in w3who ISAPI DLL

From: Nicolas Gregoire (ngregoire_at_exaprobe.com)
Date: 12/06/04

  • Next message: GreyMagic Security: "[VulnWatch] Online Script Decoder"
    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org
    Date: Mon, 06 Dec 2004 12:40:39 +0100
    
    

                                 Exaprobe
                             www.exaprobe.com

                             Security Advisory

     Advisory Name: Multiple vulnerabilities in w3who
      Release Date: 6 December 2004
       Application: Microsoft ISAPI extension w3who.dll
          Platform: Windows 2000/XP Resource Kit
          Severity: Remote code execution
            Author: Nicolas Gregoire <ngregoire@exaprobe.com>
     Vendor Status: Affected code is no more available
    CVE Candidates: CAN-2004-1133 and CAN-2004-1135
         Reference: www.exaprobe.com/labs/advisories/esa-2004-1206.html

    Overview :
    ==========

    >From the Windows 2000 Resource Kit documentation :

    "W3Who is an Internet Server Application Programming Interface
    (ISAPI) application dynamic-link library (DLL) that works within
    a Web page to display information about the calling context of
    the client browser and the configuration of the host server."

    Details :
    =========

    There're two basic XSS vulnerabilities, and an easily exploitable
    buffer-overflow.

    XSS vulnerability when displaying HTTP headers :
    Connection: keep-alive<script>alert("Hello")</script>

    XSS vulnerability in error message :
    /scripts/w3who.dll?bogus=<script>alert("Hello")</script>

    Buffer overflow when called with long parameters :
    /scripts/w3who.dll?AAAAAAAAA...[519 to 12571]....AAAAAAAAAAAAA

    Vendor Response :
    =================

    After notification by Exaprobe, Microsoft choosed to remove
    the web download of this component and do not have any plans
    to issue an updated version.

    Recommendation :
    ================

    Restrict access to the DLL.
    Do not use it on production servers.

    Related code :
    ==============

    Thanks to HD Moore, a Metasploit plugin will be integrated in the
    upcoming release of the Metasploit Framework.
    A NASL script has been sent to Nessus developpers.

    CVE Information :
    =================

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the following names to these issues. These are candidates for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

      CAN-2004-1133 Cross-site scripting issues in w3who.dll
      CAN-2004-1134 Buffer-overflow in w3who.dll

    -- 
    Nicolas Gregoire ----- Consultant en Sécurité des Systèmes d'Information
    ngregoire@exaprobe.com ------[ ExaProbe ]------ http://www.exaprobe.com/
    PGP KeyID:CA61B44F  FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F
    

  • Next message: GreyMagic Security: "[VulnWatch] Online Script Decoder"

    Relevant Pages