[Snort-sigs] WEB-IIS w3who.dll overflow attempt

nnposter nnposter at ...592...
Tue Dec 7 10:42:05 EST 2004


Notes about this new rule submission:


* The rule fires on a combination of an overly long, HTTP request-like 
string and a URI that includes w3who.dll so false positives are 
certainly possible but they should be fairly rare. If anybody knows 
how to intelligently combine the two parts then I would be interested 
to hear about it. (The only thing that comes to my mind is pcre /U but
it seems to have more problems than benefits in this particular case.)


* The original request-like regular expression was

  /^\s*\w+[ \t]+\S{500,}+[ \t]+HTTP\//mi

but a very large request would cause stream4 to flush the beginning of 
the request before it can get to the "HTTP/" tail. That would be 
a vector for a false negative so the "HTTP/" tail test was removed:

  /^\s*\w+[ \t]+\S{500}/m

The downside is that it potentially increases the occurrence of false 
positives.


* Only GET method-like requests are detected.


Cheers,
nnposter



# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"WEB-IIS w3who.dll overflow attempt"; flow:to_server,established; 
uricontent:"/w3who.dll?"; nocase; pcre:"/^\s*\w+[ \t]+\S{500}/m"; 
reference:cve,2004-1135;
reference:url,www.exaprobe.com/labs/advisories/esa-2004-1206.html; 
classtype:web-application-attack; sid:(tbd); rev:1;) 

--
Sid:
(new)

--
Summary:
This event is generated when an attempt is made to exploit a buffer 
overflow in Microsoft Browser Client Context Tool (W3Who.dll).

--
Impact:
Denial of service or remote access. If the exploit is successful, 
an attacker can gain remote access to the host with system privileges.

--
Detailed Information:
W3Who is an Internet Server Application Programming Interface (ISAPI) 
application dynamic-link library (DLL) that works within a Web page to 
display information about the calling context of the client browser and 
the configuration of the host server. W3Who is included in the Windows 
2000 Server Resource Kit.

A boundary error within the processing of parameters can be exploited 
to cause a buffer overflow by passing an overly long parameter.

--
Affected Systems:
Microsoft IIS with W3Who.dll. (W3Who.dll is not automatically installed 
with IIS.)

--
Attack Scenarios:
An attacker can send a malformed HTTP request with an overly long 
parameter to W3Who DLL, subsequently causing a buffer overflow.

--
Ease of Attack:
Simple

--
False Positives:
Any overly large request URI with a reference to w3who.dll will be
detected.

--
False Negatives:
This signature only detects the attack when the parameters are passed 
as part of the URI (GET method).

--
Corrective Action:
Disable the W3Who.dll ISAPI extension.

--
Contributors:
http://www.exaprobe.com/labs/advisories/esa-2004-1206.html
nnposter at ...592...

-- 
Additional References:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q323640#3
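The two tests in the submitted rule, rebuilt in Python as an added example (not Snort's own matcher and not code from the post) so that the true-positive, boundary, false-positive and POST false-negative cases described above can be exercised against constructed requests; `request_uri`, `http_get` and the sample set are assumptions.

```python
import re

# Approximation of the two conditions the rule applies. Snort runs uricontent against its
# normalised URI buffer and pcre against the packet payload; here both run over one
# reassembled request string, which is enough to show when the rule does and does not fire.
URI_TOKEN = "/w3who.dll?"                                      # uricontent:"/w3who.dll?"; nocase;
REQUEST_LINE_RE = re.compile(r"^\s*\w+[ \t]+\S{500}", re.M)    # pcre:"/^\s*\w+[ \t]+\S{500}/m"

def request_uri(payload: str) -> str:
    """Request-target taken from the first line of an HTTP request (assumed helper)."""
    parts = payload.lstrip().split("\r\n", 1)[0].split()
    return parts[1] if len(parts) >= 2 else ""

def rule_fires(payload: str) -> bool:
    """True only when both tests hold: the URI names w3who.dll (case-insensitive)
    and the request line carries a 500-character non-space token after the method."""
    uri_hit = URI_TOKEN in request_uri(payload).lower()
    pcre_hit = REQUEST_LINE_RE.search(payload) is not None
    return uri_hit and pcre_hit

def http_get(uri: str) -> str:
    return f"GET {uri} HTTP/1.0\r\nHost: iis.example\r\n\r\n"

# Constructed sample requests (not captures). "/w3who.dll?" is 11 characters, so the
# \S{500} test is first satisfied when 489 more non-space characters follow it.
SAMPLES = {
    "overflow_like":  http_get("/w3who.dll?" + "A" * 489),          # fires
    "just_short":     http_get("/w3who.dll?" + "A" * 488),          # does not fire
    "normal_use":     http_get("/w3who.dll?format=html"),           # does not fire
    "upper_case_uri": http_get("/W3WHO.DLL?" + "A" * 600),          # nocase: fires
    # False positive noted in the submission: any long URI that names w3who.dll
    "long_benign_qs": http_get("/w3who.dll?ref=" + "x" * 600),      # fires
    # False negative noted in the submission: the long parameter travels in a POST body
    "post_body":      ("POST /w3who.dll? HTTP/1.0\r\nHost: iis.example\r\n"
                       "Content-Length: 602\r\n\r\n" + "x=" + "A" * 600),  # does not fire
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:15} -> {'ALERT' if rule_fires(req) else 'no alert'}")
```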