[Snort-sigs] WEB-IIS w3who.dll overflow attempt

nnposter nnposter at ...592...
Tue Dec 7 10:42:05 EST 2004

Notes about this new rule submission:

* The rule fires on a combination of an overly long HTTP request-like 
string and a URI that includes w3who.dll so false positives are 
certainly possible but they should be fairly rare. If anybody knows 
how to intelligently combine the two parts then I would be interested 
to hear about it. (The only thing that comes to my mind is pcre /U but
it seems to have more problems than benefits in this particular case.)

* The original request-like regular expression was

  /^\s*\w+[ \t]+\S{500,}+[ \t]+HTTP\//mi

but a very large request would cause stream4 to flush the beginning of 
the request before it can get to the "HTTP/" tail. That would be 
a vector for a false negative so the "HTTP/" tail test was removed:

  /^\s*\w+[ \t]+\S{500}/m

The downside is that it potentially increases the occurrence of false 

* Only GET method-like requests are detected.


# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

# Rule header assumed: the standard WEB-IIS header (the archived submission
# shows only the rule options).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS w3who.dll overflow attempt"; flow:to_server,established; uricontent:"/w3who.dll?"; nocase; pcre:"/^\s*\w+[ \t]+\S{500}/m"; classtype:web-application-attack; sid:(tbd); rev:1;)


Summary:
This event is generated when an attempt is made to exploit a buffer 
overflow in Microsoft Browser Client Context Tool (W3Who.dll).

Impact:
Denial of service or remote access. If the exploit is successful, 
an attacker can gain remote access to the host with system privileges.

Detailed Information:
W3Who is an Internet Server Application Programming Interface (ISAPI) 
application dynamic-link library (DLL) that works within a Web page to 
display information about the calling context of the client browser and 
the configuration of the host server. W3Who is included in the Windows 
2000 Server Resource Kit.

A boundary error within the processing of parameters can be exploited 
to cause a buffer overflow by passing an overly long parameter.

Affected Systems:
Microsoft IIS with W3Who.dll. (W3Who.dll is not automatically installed 
with IIS.)

Attack Scenarios:
An attacker can send a malformed HTTP request with an overly long 
parameter to W3Who.dll, subsequently causing a buffer overflow.

Ease of Attack:

False Positives:
Any overly large request URI with a reference to w3who.dll will be

False Negatives:
This signature only detects the attack when the parameters are passed 
as part of the URI (GET method).
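The following Python model is an added example, not part of the submission or of Snort: it approximates the two rule options (uricontent on the request URI, the pcre over the whole payload) and runs both the submitted pattern and the original "HTTP/"-tailed pattern over constructed requests, including the segment-flush and POST cases discussed above. The 1460-byte cut-off standing in for the stream4 flush point, the host names and the request bodies are all assumptions made for the example.

```python
"""
Model of the posted w3who.dll rule, run over constructed HTTP requests.
Illustrative Python, not Snort: it approximates uricontent and pcre
matching for the posted rule against a single reassembled TCP payload.
"""
import re

# uricontent:"/w3who.dll?"; nocase;
URI_CONTENT = "/w3who.dll?"

# pcre:"/^\s*\w+[ \t]+\S{500}/m"  (the submitted rule)
FINAL_PCRE = re.compile(r"^\s*\w+[ \t]+\S{500}", re.M)

# The submitter's original pattern, /^\s*\w+[ \t]+\S{500,}+[ \t]+HTTP\//mi.
# Python's re lacks PCRE's possessive "+" before 3.11; the greedy \S{500,}
# matches the same strings here because \S and [ \t] are disjoint.
ORIGINAL_PCRE = re.compile(r"^\s*\w+[ \t]+\S{500,}[ \t]+HTTP/", re.M | re.I)

# Assumption: one Ethernet-sized segment stands in for the point at which
# stream4 flushes the reassembled request to the detection engine.
MSS = 1460


def request_uri(payload: bytes) -> str:
    """URI token of the first request line ('' if the line has no URI)."""
    line = payload.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = line.split(None, 2)
    return parts[1] if len(parts) >= 2 else ""


def rule_fires(payload: bytes, pcre=FINAL_PCRE) -> bool:
    """Both options must match: uricontent (nocase) on the URI, pcre on the payload."""
    if URI_CONTENT not in request_uri(payload).lower():
        return False
    return pcre.search(payload.decode("latin-1", "replace")) is not None


def build_get(uri: str) -> bytes:
    return f"GET {uri} HTTP/1.0\r\nHost: iis.example\r\n\r\n".encode("latin-1")


def build_post(uri: str, body: str) -> bytes:
    return (f"POST {uri} HTTP/1.0\r\nHost: iis.example\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


# Constructed sample traffic (not captured data).
SAMPLES = {
    "benign_get":             build_get("/w3who.dll?user=test"),
    "long_get":               build_get("/w3who.dll?" + "A" * 600),
    "long_get_mixedcase":     build_get("/W3Who.DLL?" + "A" * 600),
    "long_get_other_uri":     build_get("/default.asp?" + "A" * 600),
    # Parameters in the POST body: the URI stays short, so the rule misses it.
    "long_post_body":         build_post("/w3who.dll?", "A" * 600),
    # Very large request: only the first segment reaches the engine before
    # the stream is flushed, so the " HTTP/" tail is never seen.
    "huge_get_first_segment": build_get("/w3who.dll?" + "A" * 3000)[:MSS],
}


def evaluate(samples=SAMPLES):
    """Return {name: (fires with submitted pcre, fires with original pcre)}."""
    return {name: (rule_fires(p), rule_fires(p, ORIGINAL_PCRE))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (final, original) in evaluate().items():
        print(f"{name:24} submitted={final!s:5} original={original}")
```

The "huge_get_first_segment" case is the one that motivated dropping the tail test: the submitted pattern still fires on the truncated payload, the original pattern does not. The boundary is exactly 500 non-whitespace characters of URI, so "/w3who.dll?" followed by 489 filler bytes fires and 488 does not.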

Corrective Action:
Disable the W3Who.dll ISAPI extension.

Contributors:
nnposter at ...592...

Additional References:
