| GEN:SID | 1:3087 |
| Message | WEB-IIS w3who.dll buffer overflow attempt |
| Summary | This event is generated when an attempt is made to exploit a buffer overflow in Microsoft Browser Client Context Tool (W3Who.dll).
|
| Impact | Denial of service or remote access. If the exploit is successful, an attacker can gain remote access to the host with system privileges.
|
| Detailed Information | W3Who is an Internet Server Application Programming Interface (ISAPI) application dynamic-link library (DLL) that works within a Web page to display information about the calling context of the client browser and the configuration of the host server. W3Who is included in the Windows 2000 Server Resource Kit.
A boundary error within the processing of parameters can be exploited to cause a buffer overflow by passing an overly long parameter.
|
| Affected Systems | Microsoft IIS with W3Who.dll. (W3Who.dll is not automatically installed with IIS.)
|
| Attack Scenarios | An attacker can send a malformed HTTP request with an overly long parameter to W3Who DLL, subsequently causing a buffer overflow.
|
| Ease of Attack | Simple
|
| Corrective Action | Disable the W3Who.dll ISAPI extension.
|
| Additional References | Microsoft: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q323640
|
| Rule References | bugtraq: 11820
cve: 2004-1134
|