[NT] Microsoft ISA Server 2004 Log Manipulation
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 4 May 2006 16:50:10 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft ISA Server 2004 Log Manipulation
------------------------------------------------------------------------
SUMMARY
" <http://www.microsoft.com/isaserver/default.mspx> Microsoft Internet
Security and Acceleration (ISA) Server 2004 is the advanced stateful
packet and application-layer inspection firewall, virtual private network
(VPN), and Web cache solution that enables enterprise customers to easily
maximize existing information technology (IT) investments by improving
network security and performance."
There is a log manipulation vulnerability in Microsoft ISA Server 2004
that, when exploited, enables a malicious user to manipulate the
Destination Host parameter of the log file.
DETAILS
Vulnerable Systems:
* Microsoft ISA Server 2004
By sending the following request to the server:
GET / HTTP/1.0
Host: %01%02%03%04
Transfer-Encoding: whatever
We were able to insert arbitrary characters, in this case the ASCII
characters 1, 2, 3 (respectively) into the Destination Host parameter of
the log file.
This was found after 3 days of running the beSTORM fuzzer at 600+
sessions per second while monitoring the ISA Server log file for problems.
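For log consumers, the check below flags destination-host values like the one described above. It is an added example, not part of the original advisory or of ISA Server: the three-field, tab-separated record layout and the names classify_host, escape_for_log and scan are assumptions made for illustration, and the sample records are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Hostname or IPv4 literal with optional port; anything else is not a plausible Host value.
_HOST = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,252}[A-Za-z0-9])?(:\d{1,5})?")

def classify_host(value):
    """Return 'ok', 'control-chars' or 'invalid-chars' for a logged host value."""
    # Percent-decoding covers both cases: raw control bytes pass through
    # unchanged, and values logged still encoded (%01) are decoded first.
    if any(b < 0x20 or b == 0x7F for b in unquote_to_bytes(value)):
        return "control-chars"
    return "ok" if _HOST.fullmatch(value) else "invalid-chars"

def escape_for_log(value):
    """Render non-printable characters (and backslash) as \\xNN so a field
    value cannot alter the record layout or hide from a log viewer."""
    return "".join(
        c if 0x20 <= ord(c) < 0x7F and c != "\\" else "\\x%02x" % ord(c)
        for c in value
    )

def scan(lines, host_index=1, field_count=3):
    """Return (line_number, verdict, escaped_text) for each suspicious record."""
    findings = []
    for n, line in enumerate(lines, 1):
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) != field_count:
            # A tab or newline inside a field shifts or splits the record.
            findings.append((n, "malformed-record", escape_for_log(line)))
            continue
        verdict = classify_host(fields[host_index])
        if verdict != "ok":
            findings.append((n, verdict, escape_for_log(fields[host_index])))
    return findings

# Constructed sample records: client IP <tab> destination host <tab> status.
SAMPLE_LOG = [
    "10.0.0.5\twww.example.com\t200",
    "10.0.0.6\t\x01\x02\x03\x04\t400",   # control characters written as-is
    "10.0.0.7\t%01%02%03%04\t400",       # same value logged still encoded
    "10.0.0.8\ta",                        # one record split by an embedded
    "b\t200",                             # newline in the host value
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Applying escape_for_log at write time, rather than only at review time, keeps every record on one line with a fixed field count regardless of what the client sent.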
Vendor response:
"Microsoft does not consider this issue to be a security vulnerability."
Disclosure Timeline:
Reported to vendor: December, 2005
Public release date: 4th of May, 2006
ADDITIONAL INFORMATION
The information has been provided by Noam Rathaus using the beSTORM
fuzzer.
The original article can be found at:
<http://www.beyondsecurity.com/besirt/advisories/042006-001-ISA-LM.txt>
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.