
Re: [Full-disclosure] ISA Server 2004 Log Manipulation



Perhaps it wasn't clear in the original post. Sending:
Host: %01%02%03%04

Results in the ASCII *values* 0x01, 0x02, 0x03, 0x04 being placed in the logs.

--
beSIRT - Beyond Security's Incident Response Team 
beSIRT@xxxxxxxxxxxxxxxxxxx

www.BeyondSecurity.com

On Thursday 04 May 2006 22:16, Christian Swartzbaugh wrote:
> Why do you consider this a vulnerability? The Host parameter is client-based
> and can't be trusted; many servers ignore it altogether.
>
> On 5/4/06, beSIRT <beSIRT@xxxxxxxxxxxxxxxxxx> wrote:
> > Discovered by: Noam Rathaus using the beSTORM fuzzer.
> > Reported to vendor: December, 2005.
> > Vendor response: Microsoft does not consider this issue to be a security
> > vulnerability.
> >
> > Public release date: 4th of May, 2006.
> > Advisory URL:
> > http://www.beyondsecurity.com/besirt/advisories/042006-001-ISA-LM.txt
> >
> > Introduction
> > ------------
> > There is a Log Manipulation vulnerability in Microsoft ISA Server 2004 which,
> > when exploited, will enable a malicious user to manipulate the Destination
> > Host parameter of the log file.
> >
> > Technical Details
> > -----------------
> > By sending the following request to the server:
> > GET / HTTP/1.0
> > Host: %01%02%03%04
> > Transfer-Encoding: whatever
> >
> > We were able to insert arbitrary characters, in this case the ASCII
> > characters 1, 2, 3 (respectively), into the Destination Host parameter of
> > the log file.
> >
> > This was found after 3 days of running the beSTORM fuzzer at 600+
> > sessions per second while monitoring the ISA Server log file for problems.
> >
> > About ISA Server 2004
> > ---------------------
> > "Microsoft Internet Security and Acceleration (ISA) Server 2004 is the
> > advanced stateful packet and application-layer inspection firewall, virtual
> > private network (VPN), and Web cache solution that enables enterprise
> > customers to easily maximize existing information technology (IT)
> > investments by improving network security and performance."
> >
> > Product URL: http://www.microsoft.com/isaserver/default.mspx
> >
> > --
> > beSIRT - Beyond Security's Incident Response Team
> > beSIRT@xxxxxxxxxxxxxxxxxxx
> >
> > www.BeyondSecurity.com
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/

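A defender-side illustration of the issue discussed in this thread, added here and not part of any of the original posts: it shows how the percent-encoded Host value decodes to raw control bytes, contrasts a log writer that emits them verbatim with one that escapes non-printable bytes, and scans a few constructed W3C-style log lines (tab-separated with a #Fields header, an assumed layout) for a tainted destination-host field. All function names and sample data are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: the Host header value from the advisory, as the client sends it.
RAW_HOST_HEADER = "%01%02%03%04"

def decode_host(value: str) -> bytes:
    """Percent-decode a Host header value the way a proxy does before logging it."""
    return unquote_to_bytes(value)

def unsafe_log_field(value: str) -> str:
    """Log-field rendering that writes the decoded bytes verbatim.
    This reproduces the behaviour the advisory describes: control bytes land in the log."""
    return decode_host(value).decode("latin-1")

def safe_log_field(value: str) -> str:
    """Hardened rendering: every byte outside printable ASCII (and the backslash itself)
    is written as \\xNN, so one request can only ever produce one printable log record."""
    out = []
    for b in decode_host(value):
        if 0x20 <= b <= 0x7E and b != 0x5C:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)

# Control characters that should never appear inside a log field.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")

# Constructed log excerpt (assumed tab-separated W3C-style layout); line 3 carries
# the decoded bytes from the advisory's request in its destination-host field.
SAMPLE_LOG = [
    "#Fields: date\ttime\tc-ip\tcs-host\tcs-uri",
    "2006-05-04\t22:16:00\t10.0.0.5\twww.example.com\t/",
    "2006-05-04\t22:16:01\t10.0.0.5\t\x01\x02\x03\x04\t/",
]

def find_tainted_lines(log_lines, field="cs-host"):
    """Detection: return (line_number, field_value) for each data line whose chosen
    field contains control characters. The column index comes from the #Fields header."""
    hits, idx = [], None
    for n, line in enumerate(log_lines, 1):
        if line.startswith("#Fields:"):
            idx = line[len("#Fields:"):].strip().split("\t").index(field)
            continue
        if line.startswith("#") or idx is None:
            continue  # other directives, or data before any #Fields header
        cols = line.split("\t")
        if idx < len(cols) and CONTROL_RE.search(cols[idx]):
            hits.append((n, cols[idx]))
    return hits
```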