Exaprobe
www.exaprobe.com

Security Advisory

Advisory Name: Multiple vulnerabilities in w3who
Release Date: 6 December 2004
Application: Microsoft ISAPI extension w3who.dll
Platform: Windows 2000/XP Resource Kit
Severity: Remote code execution
Author: Nicolas Gregoire
Vendor Status: Affected code is no longer available
CVE Candidates: CAN-2004-1133 and CAN-2004-1135
Reference: www.exaprobe.com/labs/advisories/esa-2004-1206.html

Overview :
==========

From the Windows 2000 Resource Kit documentation :

"W3Who is an Internet Server Application Programming Interface (ISAPI)
application dynamic-link library (DLL) that works within a Web page to
display information about the calling context of the client browser and
the configuration of the host server."

Details :
=========

There are two basic XSS vulnerabilities, and an easily exploitable
buffer overflow.

XSS vulnerability when displaying HTTP headers :

  Connection: keep-alive

XSS vulnerability in error message :

  /scripts/w3who.dll?bogus=

Buffer overflow when called with long parameters :

  /scripts/w3who.dll?AAAAAAAAA...[519 to 12571]....AAAAAAAAAAAAA

Vendor Response :
=================

After notification by Exaprobe, Microsoft chose to remove the web
download of this component and has no plans to issue an updated version.

Recommendation :
================

Restrict access to the DLL. Do not use it on production servers.

Related code :
==============

Thanks to HD Moore, a Metasploit plugin will be integrated in the
upcoming release of the Metasploit Framework.

A NASL script has been sent to Nessus developers.

CVE Information :
=================

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

CAN-2004-1133  Cross-site scripting issues in w3who.dll
CAN-2004-1134  Buffer-overflow in w3who.dll

--
Nicolas Gregoire ----- Information Systems Security Consultant
ngregoire@exaprobe.com ------[ ExaProbe ]------ http://www.exaprobe.com/
PGP KeyID:CA61B44F FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F
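The three issues in the Details section above (markup reflected from request headers, markup reflected in the error message for an unknown parameter, and a query string in the 519 to 12571 byte range that overflows a buffer) all leave a visible trace in the web server's access log. The following detector is an added example written for this advisory; it is not Exaprobe's code, nor the Metasploit module or NASL script the advisory mentions. It assumes IIS-style W3C extended log lines with the field order listed in `W3C_FIELDS` (a constructed layout, since IIS lets you pick the fields), and the sample log lines are constructed for the demonstration. The length thresholds are taken from the advisory; the markup check is a deliberately broad heuristic for anything that could be reflected into a page.

```python
import re
from urllib.parse import urlsplit, unquote

# Query-string length range the advisory names for the w3who.dll overflow.
OVERFLOW_MIN_LEN = 519
OVERFLOW_MAX_LEN = 12571

# Any of these characters in a value that w3who echoes back (request headers,
# the error message for an unknown parameter) can end up as markup in the page.
MARKUP_RE = re.compile(r"[<>\"']|%3c|%3e", re.IGNORECASE)


def classify_request(path_and_query, headers=None):
    """Return a list of findings for one request (empty when nothing matched).

    path_and_query: request target, e.g. '/scripts/w3who.dll?bogus='.
    headers: optional dict of request header name -> value.
    Requests that do not target w3who.dll are ignored entirely.
    """
    findings = []
    parts = urlsplit(path_and_query)
    if not parts.path.lower().endswith("/w3who.dll"):
        return findings
    query = parts.query
    if OVERFLOW_MIN_LEN <= len(query) <= OVERFLOW_MAX_LEN:
        findings.append("overflow-length-query")
    if MARKUP_RE.search(unquote(query)):
        findings.append("markup-in-query")
    for name, value in (headers or {}).items():
        if MARKUP_RE.search(value):
            findings.append(f"markup-in-header:{name}")
    return findings


# Assumed (constructed) W3C extended log field order for this example.
W3C_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem",
              "cs-uri-query", "sc-status", "cs(User-Agent)"]


def parse_w3c_line(line):
    """Parse one space-separated W3C log line into a dict, or None for
    directive/comment lines ('#...') and lines with the wrong field count."""
    if line.startswith("#") or not line.strip():
        return None
    values = line.rstrip("\n").split(" ", len(W3C_FIELDS) - 1)
    if len(values) != len(W3C_FIELDS):
        return None
    # IIS writes "-" for an empty field; normalise that to an empty string.
    return {k: ("" if v == "-" else v) for k, v in zip(W3C_FIELDS, values)}


def scan_log(lines):
    """Return [(client_ip, findings)] for every w3who.dll request that
    triggered at least one finding, in log order."""
    hits = []
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        target = rec["cs-uri-stem"]
        if rec["cs-uri-query"]:
            target += "?" + rec["cs-uri-query"]
        # Only the User-Agent header survives in this log layout; a reverse
        # proxy log that records other headers would feed them in the same way.
        findings = classify_request(target, {"User-Agent": rec["cs(User-Agent)"]})
        if findings:
            hits.append((rec["c-ip"], findings))
    return hits


# Constructed sample log: one benign call, one markup probe via the unknown
# parameter, one overflow-length query, one unrelated page, one markup probe
# carried in a request header.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)",
    "2004-12-06 10:00:01 192.0.2.10 GET /scripts/w3who.dll - 200 Mozilla/4.0",
    "2004-12-06 10:00:02 192.0.2.11 GET /scripts/w3who.dll bogus=<i>probe</i> 200 Mozilla/4.0",
    "2004-12-06 10:00:03 192.0.2.12 GET /scripts/w3who.dll " + "A" * 600 + " 500 Mozilla/4.0",
    "2004-12-06 10:00:04 192.0.2.13 GET /default.htm - 200 Mozilla/4.0",
    "2004-12-06 10:00:05 192.0.2.14 GET /scripts/w3who.dll - 200 <i>probe</i>",
]

if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(findings))
```

Because the advisory's recommendation is to restrict access to the DLL or remove it, any hit from `scan_log` on a host that should no longer expose w3who.dll is itself worth an alert, independent of what the query contained.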