snort-2.3.3-2.3.20060mdk.x86_64.rpm

Rule:

--
Sid:
3087

--
Summary:
This event is generated when an attempt is made to exploit a buffer
overflow in Microsoft Browser Client Context Tool (W3Who.dll).

--
Impact:
Denial of service or remote access. If the exploit is successful,
an attacker can gain remote access to the host with system privileges.

--
Detailed Information:
W3Who is an Internet Server Application Programming Interface (ISAPI)
application dynamic-link library (DLL) that works within a Web page to
display information about the calling context of the client browser and
the configuration of the host server. W3Who is included in the Windows
2000 Server Resource Kit.

A boundary error within the processing of parameters can be exploited
to cause a buffer overflow by passing an overly long parameter.

--
Affected Systems:
Microsoft IIS with W3Who.dll. (W3Who.dll is not automatically installed
with IIS.)

--
Attack Scenarios:
An attacker can send a malformed HTTP request with an overly long
parameter to the W3Who DLL, subsequently causing a buffer overflow.

--
Ease of Attack:
Simple

--
False Positives:
Any overly large request URI with a reference to w3who.dll will be
detected.

--
False Negatives:
This rule only detects the attack when the parameters are passed
as part of the URI (GET method).
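
The following is an added example, not part of the original Snort
documentation: a log-review helper that applies the same coverage described
under False Positives and False Negatives to web server access logs. It
assumes combined-format access log lines and a query-length threshold of 512
(the page gives no figure); the function names, sample paths and sample log
lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: the page states no length; tune to the longest legitimate query.
MAX_QUERY_LEN = 512

# Request portion of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def classify(line, max_query_len=MAX_QUERY_LEN):
    """Return 'long-uri', 'review-non-get', 'ok', or None if not w3who.dll."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("uri").partition("?")
    # Decode percent-escapes and fold case so W3Who.DLL and %77... still match.
    if not unquote(path).lower().endswith("/w3who.dll"):
        return None
    if len(query) > max_query_len:
        # Same condition the rule covers; legitimate long URIs land here too.
        return "long-uri"
    if m.group("method") != "GET":
        # Parameters outside the URI are not visible to the rule or to the
        # access log, so these requests need manual review.
        return "review-non-get"
    return "ok"

def scan(lines):
    """Return (index, verdict) for every line that needs attention."""
    return [(i, v) for i, line in enumerate(lines)
            if (v := classify(line)) not in (None, "ok")]

# Constructed sample log lines (documentation addresses, invented paths).
STAMP = '[01/Jan/2005:10:00:00 +0000]'
SAMPLE_LOG = [
    f'192.0.2.10 - - {STAMP} "GET /scripts/w3who.dll HTTP/1.0" 200 1500',
    f'192.0.2.11 - - {STAMP} "GET /scripts/W3Who.dll?{"A" * 600} HTTP/1.0" 500 0',
    f'192.0.2.12 - - {STAMP} "POST /scripts/w3who.dll HTTP/1.0" 200 10',
    f'192.0.2.13 - - {STAMP} "GET /index.html?{"B" * 600} HTTP/1.0" 200 10',
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_LOG):
        print(index, verdict)
```

Any hit at all is also a sign that the extension is still reachable, which
the Corrective Action below addresses.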

--
Corrective Action:
Disable the W3Who.dll ISAPI extension.

--
Contributors:
nnposter@users.sourceforge.net

--
Additional References:

Microsoft:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q323640

--