Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Multiple vulnerabilities in w3who ISAPI DLL
From: Nicolas Gregoire <ngregoire () exaprobe com>
Date: Mon, 06 Dec 2004 12:40:39 +0100


                         Security Advisory

 Advisory Name: Multiple vulnerabilities in w3who
  Release Date: 6 December 2004
   Application: Microsoft ISAPI extension w3who.dll
      Platform: Windows 2000/XP Resource Kit
      Severity: Remote code execution
        Author: Nicolas Gregoire <ngregoire () exaprobe com>
 Vendor Status: Affected code is no more available
CVE Candidates: CAN-2004-1133 and CAN-2004-1135
     Reference: www.exaprobe.com/labs/advisories/esa-2004-1206.html

Overview :

From the Windows 2000 Resource Kit documentation :

"W3Who is an Internet Server Application Programming Interface
(ISAPI) application dynamic-link library (DLL) that works within
a Web page to display information about the calling context of
the client browser and the configuration of the host server."

Details :

There're two basic XSS vulnerabilities, and an easily exploitable

XSS vulnerability when displaying HTTP headers :
Connection: keep-alive<script>alert("Hello")</script>

XSS vulnerability in error message :

Buffer overflow when called with long parameters :
/scripts/w3who.dll?AAAAAAAAA...[519 to 12571]....AAAAAAAAAAAAA

Vendor Response :

After notification by Exaprobe, Microsoft choosed to remove
the web download of this component and do not have any plans
to issue an updated version.

Recommendation :

Restrict access to the DLL.
Do not use it on production servers. 

Related code :

Thanks to HD Moore, a Metasploit plugin will be integrated in the
upcoming release of the Metasploit Framework.
A NASL script has been sent to Nessus developpers.

CVE Information :

The Common Vulnerabilities and Exposures (CVE) project has assigned 
the following names to these issues.  These are candidates for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.

  CAN-2004-1133  Cross-site scripting issues in w3who.dll
  CAN-2004-1134  Buffer-overflow in w3who.dll

Nicolas Gregoire ----- Consultant en Sécurité des Systèmes d'Information
ngregoire () exaprobe com ------[ ExaProbe ]------ http://www.exaprobe.com/
PGP KeyID:CA61B44F  FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
  • Multiple vulnerabilities in w3who ISAPI DLL Nicolas Gregoire (Dec 06)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]