Re: [Full-disclosure] ISA Server 2004 Log Manipulation



Perhaps it wasn't clear in the original post. Sending:
Host: %01%02%03%04

Results in the ASCII *values* 0x01, 0x02, 0x03, 0x04 being placed in the logs.

--
beSIRT - Beyond Security's Incident Response Team
beSIRT@xxxxxxxxxxxxxxxxxxx

www.BeyondSecurity.com

On Thursday 04 May 2006 22:16, Christian Swartzbaugh wrote:
Why do you consider this a vulnerability? The Host parameter is client-based
and can't be trusted; many servers ignore it altogether.

On 5/4/06, beSIRT <beSIRT@xxxxxxxxxxxxxxxxxx> wrote:
Discovered by: Noam Rathaus using the beSTORM fuzzer.
Reported to vendor: December, 2005.
Vendor response: Microsoft does not consider this issue to be a security
vulnerability.

Public release date: 4th of May, 2006.
Advisory URL:
http://www.beyondsecurity.com/besirt/advisories/042006-001-ISA-LM.txt

Introduction
------------
There is a Log Manipulation vulnerability in Microsoft ISA Server 2004, which,
when exploited, will enable a malicious user to manipulate the Destination
Host parameter of the log file.

Technical Details
-----------------
By sending the following request to the server:
GET / HTTP/1.0
Host: %01%02%03%04
Transfer-Encoding: whatever

We were able to insert arbitrary characters, in this case the ASCII
characters 1, 2, 3 (respectively), into the Destination Host parameter of the
log file.

This was found after 3 days of running the beSTORM fuzzer at 600+ sessions
per second while monitoring the ISA Server log file for problems.

About ISA Server 2004
---------------------
"Microsoft Internet Security and Acceleration (ISA) Server 2004 is the
advanced stateful packet and application-layer inspection firewall, virtual
private network (VPN), and Web cache solution that enables enterprise
customers to easily maximize existing information technology (IT) investments
by improving network security and performance."

Product URL: http://www.microsoft.com/isaserver/default.mspx

--
beSIRT - Beyond Security's Incident Response Team
beSIRT@xxxxxxxxxxxxxxxxxxx

www.BeyondSecurity.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

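As an added example (my code, not beSIRT's, Microsoft's, or anything from the advisory): a toy log writer that percent-decodes the client-supplied Host header the way the advisory says ISA Server 2004 does, a hardened writer that escapes non-printable bytes before the record is written, and a scanner that flags records whose Destination Host field carries control bytes or fails the hostname grammar. The tab-separated layout, column names and function names are constructed for the demonstration and are not ISA's real log format or API; the third request, which uses %0d%0a to split one record into two, is my extrapolation of the advisory's "arbitrary characters" claim and was not shown in the post.

```python
"""Added example (not from the advisory): a log writer that percent-decodes
the client-controlled Host header lets raw control bytes into the Destination
Host field; escaping non-printable bytes before writing prevents that, and a
scanner can flag records that already carry such bytes. The tab-separated
layout below is a constructed simplification, not ISA Server's log format.
"""
import re
from urllib.parse import unquote

# Loose hostname grammar (RFC 1123 labels plus an optional port). Anything
# else in the host column is either an attack or a parser bug; flag it.
HOST_OK = re.compile(r'^[A-Za-z0-9.\-]+(:\d{1,5})?$')
CONTROL = re.compile(r'[\x00-\x1f\x7f]')
COLUMNS = ('c-ip', 'dest-host', 'cs-uri', 'sc-status')   # constructed layout


def naive_host_field(host_header):
    """Behaviour the advisory reports: decode %XX, then log the result verbatim."""
    return unquote(host_header)


def safe_host_field(host_header):
    """Hardened writer: decode, then escape every non-printable byte (and the
    backslash itself) as \\xNN so the record stays on one line and the original
    bytes remain recoverable from the log."""
    out = []
    for ch in unquote(host_header):
        code = ord(ch)
        if 0x20 <= code < 0x7f and ch != '\\':
            out.append(ch)
        elif code < 0x100:
            out.append('\\x%02x' % code)
        else:
            out.append('\\u%04x' % code)
    return ''.join(out)


def write_record(client_ip, host_header, uri, status, host_field=naive_host_field):
    """Render one record; host_field selects the naive or the hardened writer."""
    return '\t'.join([client_ip, host_field(host_header), uri, str(status)])


def scan_log(log_text, host_col=COLUMNS.index('dest-host')):
    """Return (line_no, reason, value) for every record whose host column is
    not a well-formed hostname or whose field count is off. An injected CR/LF
    splits one record into two physical lines; the count check catches the
    truncated first half even when the forged second half looks valid."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line or line.startswith('#'):
            continue
        fields = line.split('\t')
        if len(fields) != len(COLUMNS):
            findings.append((n, 'field count', line))
            continue
        host = fields[host_col]
        if CONTROL.search(host) or not HOST_OK.match(host):
            findings.append((n, 'bad host', host))
    return findings


# Constructed requests: a normal one, the advisory's probe, and an assumed
# CR/LF variant (not shown on the page) that forges a second, clean-looking
# record for a different client IP and destination host.
REQUESTS = [
    ('10.0.0.5', 'www.example.com', '/', 200),
    ('10.0.0.5', '%01%02%03%04', '/', 200),
    ('10.0.0.5', 'www.example.com%0d%0a10.0.0.9%09intranet.example.com', '/', 200),
]


def build_log(host_field=naive_host_field):
    """Write the constructed requests with the chosen writer, W3C-style header first."""
    header = '#Fields: ' + ' '.join(COLUMNS)
    body = [write_record(*r, host_field=host_field) for r in REQUESTS]
    return '\n'.join([header] + body) + '\n'


if __name__ == '__main__':
    for label, fn in (('naive', naive_host_field), ('hardened', safe_host_field)):
        log = build_log(fn)
        print('%s writer: %d physical lines from %d requests, findings: %r'
              % (label, len(log.splitlines()), len(REQUESTS), scan_log(log)))
```

With the naive writer, three requests produce five physical lines: the probe lands as raw bytes 0x01-0x04 in the host column, and the forged record for 10.0.0.9 passes the per-line host check, so only the two-field fragment in front of it gives the injection away. With the hardened writer every request stays on one line, and the escaped probe still fails the hostname grammar, so the attempt is still flagged, but against the record it actually belongs to.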


