Vulnerabilities > CVE-2004-1134 - Unspecified vulnerability in Microsoft W3Who.Dll

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
microsoft
critical
nessus
exploit available
metasploit

Summary

Buffer overflow in the Microsoft W3Who ISAPI (w3who.dll) allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long query string.

Vulnerable Configurations

Part Description Count
Application
Microsoft
1

Exploit-Db

description: Microsoft IIS ISAPI w3who.dll Query String Overflow. CVE-2004-1134. Remote exploit for windows platform
id: EDB-ID:16354
last seen: 2016-02-01
modified: 2010-07-07
published: 2010-07-07
reporter: metasploit
source: https://www.exploit-db.com/download/16354/
title: Microsoft IIS ISAPI w3who.dll Query String Overflow

Metasploit

description: This module exploits a stack buffer overflow in the w3who.dll ISAPI application. This vulnerability was discovered by Nicolas Gregoire, and this code has been successfully tested against Windows 2000 and Windows XP (SP2). When exploiting Windows XP, the payload must call RevertToSelf before it will be able to spawn a command shell.
id: MSF:EXPLOIT/WINDOWS/ISAPI/W3WHO_QUERY
last seen: 2020-05-22
modified: 2017-07-24
published: 2006-07-31
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/isapi/w3who_query.rb
title: Microsoft IIS ISAPI w3who.dll Query String Overflow

Nessus

NASL family: CGI abuses
NASL id: W3WHO_DLL.NASL
description: The Windows 2000 Resource Kit ships with a DLL that displays the browser client context. It lists security identifiers, privileges and $ENV variables. Nessus has determined that this file is installed on the remote host. The w3who.dll ISAPI may allow an attacker to execute arbitrary commands on this host, through a buffer overflow, or to mount cross-site scripting attacks.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15910
published: 2004-12-06
reporter: This script is Copyright (C) 2004-2018 Nicolas Gregoire <[email protected]>
source: https://www.tenable.com/plugins/nessus/15910
title: Microsoft W3Who ISAPI w3who.dll Multiple Remote Vulnerabilities
code
# 
# (C) Nicolas Gregoire <[email protected]>
#
# Rewritten by Tenable Network Security
#

# Changes by Tenable:
# - Revised plugin title, changed family (6/1/09)


include("compat.inc");

if(description)
{
 # Registration pass: when the engine loads the plugin with `description` set,
 # only metadata is declared and the script exits before any network activity.
 script_id(15910);
 script_version ("1.23");
 # Two CVEs are covered. CVE-2004-1134 is the query-string buffer overflow
 # (see the Summary above); CVE-2004-1133 presumably covers the reflected XSS
 # that the detection below actually exercises -- confirm.
 script_cve_id("CVE-2004-1133", "CVE-2004-1134");
 script_bugtraq_id(11820);

 script_name(english:"Microsoft W3Who ISAPI w3who.dll Multiple Remote Vulnerabilities");

 script_set_attribute(attribute:"synopsis", value:
"It is possible to execute code on the remote host." );
 script_set_attribute(attribute:"description", value:
"The Windows 2000 Resource Kit ships with a DLL that displays the browser 
client context. It lists security identifiers, privileges and $ENV variables. 

Nessus has determined that this file is installed on the remote host.

The w3who.dll ISAPI may allow an attacker to execute arbitrary commands 
on this host, through a buffer overflow, or to mount cross-site 
scripting attacks." );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2004/Dec/174");
 # Remediation is removal: the DLL is a diagnostic Resource Kit component with
 # no patched replacement referenced here.
 script_set_attribute(attribute:"solution", value:
"Delete this file." );
  # CVSS2 AV:N/AC:L/Au:N/C:C/I:C/A:C -> base score 10.0 (matches the page header).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  # NOTE(review): exploit_available is "false" although the same block declares
  # Metasploit and CANVAS coverage below, and a public Metasploit module and
  # Exploit-DB entry are listed on this page. The values look inconsistent -- confirm.
  script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"metasploit_name", value:'Microsoft IIS ISAPI w3who.dll Query String Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');
 script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

 script_set_attribute(attribute:"plugin_publication_date", value: "2004/12/06");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/12/06");

 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_summary(english:"Determines the presence of w3who.dll");
 # ACT_ATTACK: the check sends a script tag in the query string, so it is not
 # a passive/safe-checks probe.
 script_category(ACT_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2004-2020 Nicolas Gregoire <[email protected]>");
 script_family(english:"CGI abuses");
 # Needs the web server banner gathered by http_version.nasl (used for the IIS gate below).
 script_dependencie("http_version.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

# Resolve the HTTP port to test; embedded:TRUE also considers embedded web servers.
port = get_http_port(default:80, embedded:TRUE);

# IIS gate: if a server fingerprint is known and does not mention IIS, stop
# silently. An unknown/empty fingerprint does not short-circuit the check.
sig = get_kb_item("www/hmap/" + port + "/description");
if ( sig && "IIS" >!< sig ) exit(0);

# Presence probe: fetch the ISAPI at its Resource Kit install path.
req  = http_get(item:"/scripts/w3who.dll", port:port);
res  = http_keepalive_send_recv(port:port, data:req);

# Both markers are taken from w3who.dll's own output (token and environment
# dump). No explicit NULL check on res; relies on the substring tests failing
# for an empty reply -- confirm that is the NASL behaviour.
if ("Access Token" >< res && "Environment variables" >< res)
{
 # Reflected-XSS test with a harmless marker in an unknown parameter name.
 # NOTE(review): the overflow (CVE-2004-1134) itself is never exercised; a host
 # that has the DLL but does not reflect the marker is NOT reported, even though
 # the DLL's presence alone is what the overflow depends on -- a detection gap.
 req  = http_get(item:"/scripts/w3who.dll?bogus=<script>alert('Hello')</script>", port:port);
 res  = http_keepalive_send_recv(port:port, data:req);

 # Exact, unencoded echo of the marker is treated as confirmation.
 if ("<script>alert('Hello')</script>" >< res)
 {
   security_hole(port);
   # Flag the port as XSS-affected in the KB so dependent plugins can skip
   # redundant XSS reporting.
   set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
 }
}

Packetstorm