Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:3087 |
Message | WEB-IIS w3who.dll buffer overflow attempt |
Summary | This event is generated when an attempt is made to exploit a buffer overflow in the Microsoft Browser Client Context Tool (W3Who.dll). |
Impact | Denial of service or remote access. If the exploit is successful, an attacker can gain remote access to the host with system privileges. |
Detailed Information | W3Who is an Internet Server Application Programming Interface (ISAPI) application dynamic-link library (DLL) that works within a Web page to display information about the calling context of the client browser and the configuration of the host server. W3Who is included in the Windows 2000 Server Resource Kit. A boundary error within the processing of parameters can be exploited to cause a buffer overflow by passing an overly long parameter. |
Affected Systems | Microsoft IIS with W3Who.dll. (W3Who.dll is not automatically installed with IIS.) |
Attack Scenarios | An attacker can send a malformed HTTP request with an overly long parameter to the W3Who DLL, subsequently causing a buffer overflow. |
Ease of Attack | Simple |
Corrective Action | Disable the W3Who.dll ISAPI extension. |
Additional References | Microsoft: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q323640 |
Rule References | bugtraq: 11820 cve: 2004-1134 |
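
A log-triage check for the condition this rule describes, added here as an example and not part of the Snort rule or the Aanval documentation. It assumes IIS W3C extended logs with a `#Fields:` header; the 512-character threshold and the sample log lines are constructed for illustration, since the page gives no length.

```python
"""Triage IIS W3C logs for requests to w3who.dll and flag overly long parameters."""

# Assumption: the rule documentation states no length; tune this per environment.
MAX_QUERY_LEN = 512

def w3who_requests(log_lines, max_query_len=MAX_QUERY_LEN):
    """Return one dict per request whose URI stem is w3who.dll.

    Any hit means the ISAPI extension is still reachable (the corrective
    action is to disable it); 'oversized' marks a possible overflow attempt.
    """
    fields, hits = [], []
    for lineno, line in enumerate(log_lines, 1):
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for following rows
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                       # truncated or malformed row
        row = dict(zip(fields, values))
        stem = row.get("cs-uri-stem", "").lower()
        if not stem.endswith("/w3who.dll"):
            continue
        query = row.get("cs-uri-query", "-")
        qlen = 0 if query == "-" else len(query)   # "-" means no query string
        hits.append({
            "line": lineno,
            "client": row.get("c-ip", "?"),
            "status": row.get("sc-status", "?"),
            "query_len": qlen,
            "oversized": qlen > max_query_len,
        })
    return hits

# Constructed sample log (documentation-range IP addresses, benign filler).
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2004-12-07 10:00:01 192.0.2.10 GET /default.htm - 200",
    "2004-12-07 10:00:05 192.0.2.10 GET /scripts/w3who.dll - 200",
    "2004-12-07 10:02:13 198.51.100.7 GET /scripts/W3Who.dll " + "A" * 600 + " 500",
]

if __name__ == "__main__":
    for hit in w3who_requests(SAMPLE_LOG):
        print(hit)
```
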
--
DID:232017