[NT] Flaw in Winsock Proxy Service and ISA Firewall Service Can Cause Denial of Service

• Previous message: support@securiteam.com: "[TOOL] PKZip Plaintext Attack Using Pkcrack (Step by Step)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: support@securiteam.com
To: list@securiteam.com
Date: 12 Apr 2003 21:22:13 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

In the US?

Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!

Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -

  Flaw in Winsock Proxy Service and ISA Firewall Service Can Cause Denial of
Service
------------------------------------------------------------------------

SUMMARY

Microsoft Proxy Server 2.0 and Microsoft Internet Security and
Acceleration (ISA) Server 2000 contain support for Windows Sockets
(Winsock) proxy communications. Winsock is an API that handles
communications requests for Internet applications in a Microsoft Windows
operating system.

The Winsock proxy service works with FTP, Telnet, mail, news, Internet
Relay Chat (IRC), and other client applications that are compatible with
Winsock. The proxy service makes these applications perform as if they
were directly connected to the Internet. The service redirects the
necessary communications functions to a computer that is running either
Proxy Server 2.0 or ISA Server. This establishes a communication path from
the internal application to the Internet.

A flaw in the Winsock Proxy service allows users from the internal network
to cause a Denial-of-Service condition on Microsoft proxy and on ISA
server.

DETAILS

There is a flaw in the Winsock Proxy service in Microsoft Proxy Server
2.0, and the Microsoft Firewall service in ISA Server 2000, that would
allow an attacker on the internal network to send a specially crafted
packet that would cause the server to stop responding to internal and
external requests. Receipt of such a packet would cause CPU utilization on
the server to reach 100%, and thus make the server unresponsive. The
Winsock Proxy service and Microsoft Firewall service work with FTP,
telnet, mail, news, Internet Relay Chat (IRC), or other client
applications that are compatible with Windows Sockets (Winsock). These
services allow these applications to perform as if they were directly
connected to the Internet. These services redirect the necessary
communications functions to a Proxy Server 2.0 or ISA Server computer,
thus establishing a communication path from the internal application to
the Internet through it.

Mitigating factors:

The vulnerability would not enable an attacker to gain any privileges on
an affected Proxy Server 2.0 or ISA Server computer or compromise any
cached content. It is strictly a denial of service.
ISA Server computers running in cache mode are not affected because the
Microsoft Firewall service is disabled by default.

Patch:
Patch can be found at:
 <http://support.microsoft.com/default.aspx?scid=kb;en-us;331066>
http://support.microsoft.com/default.aspx?scid=kb;en-us;331066

ADDITIONAL INFORMATION

The original Microsoft security advisory can be found at:
 
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-012.asp> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-012.asp

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: support@securiteam.com: "[TOOL] PKZip Plaintext Attack Using Pkcrack (Step by Step)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: ISA Server Problems, please help ... Based on the rules you have listed, SecureNAT clients should only be allowed ... The All access rule for SBS Internet Users ... Web Proxy and/or Firewall Client ... > header to the publishing server instead of the actual one. ... (microsoft.public.windows.server.sbs) << SBS news of the week 12/6/2004>> ... Simply connecting to the Internet — and doing ... You would NEVER set up a server with file and printing sharing ports ... McAfee says 'Skulls' mobile security threat still low ... ISPs raise the stakes on DDoS attacks ... (microsoft.public.backoffice.smallbiz2000) << SBS news of the week 12/6/2004>> ... Simply connecting to the Internet — and doing ... You would NEVER set up a server with file and printing sharing ports ... McAfee says 'Skulls' mobile security threat still low ... ISPs raise the stakes on DDoS attacks ... (microsoft.public.windows.server.sbs) << SBS news of the week 12/6/2004>> ... Simply connecting to the Internet — and doing ... You would NEVER set up a server with file and printing sharing ports ... McAfee says 'Skulls' mobile security threat still low ... ISPs raise the stakes on DDoS attacks ... (microsoft.public.backoffice.smallbiz) Re: AD Design Question ... "Jon" wrote in message ... What is the security ... If you have a publicly accessible machine such as an ISA Server that you may ... be using as the access point to your network from the public Internet. ... (microsoft.public.windows.server.active_directory)