[VulnWatch] iDEFENSE Security Advisory 04.09.03: Denial of Service in Microsoft Proxy Server and Internet Security and Acceleration (ISA) S

From: labs@idefense.com
Date: 04/09/03

    From: labs@idefense.com
    Date: 10 Apr 2003 08:31:14 +0900
    To: undisclosed-recipients:;
    
    Date: Wed, 9 Apr 2003 15:49:14 -0400

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    iDEFENSE Security Advisory 04.09.03:
    http://www.idefense.com/advisory/04.09.03.txt
    Denial of Service in Microsoft Proxy Server 2.0 and Internet Security and
    Acceleration Server 2000
    April 9, 2003

    I. BACKGROUND

    Microsoft Corp.'s Internet Security and Acceleration (ISA) Server
    integrates an extensible, multi-layer enterprise firewall and a scalable
    high-performance web cache. It builds on Microsoft Windows 2000 security
    and directory for policy-based security, acceleration and management of
    internetworking. More information is available at
    http://www.microsoft.com/isaserver/ . MS Proxy 2.0 is the predecessor to
    ISA Server; more information is available at
    http://www.microsoft.com/isaserver/evaluation/previousversions/default.asp

    II. DESCRIPTION

    A vulnerability exists in ISA Server and MS Proxy 2.0 that allows
    attackers to cause a denial-of-service condition by spoofing a specially
    crafted packet to the target system. Another impact of this vulnerability
    is the capability of a remote attacker to generate an infinite packet
    storm between two unpatched systems implementing ISA Server or MS Proxy
    2.0 over the Internet.

    Both ISA Server and MS Proxy 2.0, by default, install a WinSock Proxy
    (WSP) service wspsrv.exe, designed for testing and diagnostic purposes.
    The WSP service creates a User Datagram Protocol socket bound to port
    1745. A specially crafted packet can cause WSP to generate a continuous
    flood of requests and reply requirements.

    III. ANALYSIS

    In the first attack scenario, in which an attacker on the internal LAN
    causes a denial of service, the malformed packet must meet the following
    criteria:

    * The source and destination IP addresses are both that of the ISA Server.
    * The source and destination port is 1745.
    * The data field is specially crafted and resembles the request format.

    An attacker with access to the LAN can anonymously generate a specially
    crafted UDP packet that will cause the target ISA Server to fall into a
    continuous loop of processing request and reply packets. This will cause
    the ISA Server to consume 100 percent of the underlying system's CPU.
    It will continue to do so until the system reboots or the WinSock
    Proxy (WSP) service restarts.

    In the second attack scenario, in which a remote attacker causes a packet
    storm between two systems running ISA Server or MS Proxy 2.0, the
    malformed packet must meet the following criteria:

    * The source IP address is one of the targets.
    * The destination IP address is the other target.
    * The source and destination port is 1745.
    * The data field is specially crafted and resembles the request format.

    IV. DETECTION

    iDEFENSE has verified that Microsoft ISA Server 2000 and MS Proxy 2.0 are
    both vulnerable to the same malformed packet characteristics described
    above.

    Wspsrv.exe is enabled by default in Proxy Server 2.0. The Microsoft
    Firewall server is enabled by default in ISA Server firewall mode and ISA
    Server integrated mode installations. It is disabled in ISA Server cache
    mode installations.

    V. WORKAROUND

    To prevent the second attack scenario, apply ingress filtering on the
    Internet router on UDP port 1745 to prevent a malformed packet from
    reaching the ISA Server and causing a packet storm.

    VI. RECOVERY

    Restart either the WinSock Proxy Service or the affected system to resume
    normal operation.

    VII. VENDOR FIX/RESPONSE

    Microsoft has provided fixes for Proxy Server 2.0 and ISA Server at
    http://www.microsoft.com/technet/security/bulletin/MS03-012.asp .

    VIII. CVE INFORMATION

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has
    assigned the identification number CAN-2003-0110 to this issue.

    IX. DISCLOSURE TIMELINE

    01/23/2003 Issue disclosed to iDEFENSE
    02/24/2003 security@microsoft.com contacted
    02/24/2003 Response from Iain Mulholland, MSRC
    02/25/2003 iDEFENSE clients notified
    03/03/2003 Status request from iDEFENSE
    03/11/2003 Status request from iDEFENSE
    03/11/2003 Response from Iain Mulholland, MSRC
    03/13/2003 Status request from iDEFENSE
    03/18/2003 Status request from iDEFENSE
    03/18/2003 Response from Iain Mulholland, MSRC
    03/24/2003 Status request from iDEFENSE
    03/25/2003 Response from Iain Mulholland, MSRC
    04/09/2003 Public Disclosure

    Get paid for security research
    http://www.idefense.com/contributor.html

    Subscribe to iDEFENSE Advisories:
    send email to listserv@idefense.com, subject line: "subscribe"

    About iDEFENSE:

    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world — from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. Our security intelligence services provide
    decision-makers, frontline security professionals and network
    administrators with timely access to actionable intelligence
    and decision support on cyber-related threats. For more information,
    visit http://www.idefense.com .

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0

    iQA/AwUBPpR3/frkky7kqW5PEQKypwCdGfcO0FcsIAohajEwZMfnZrmGYh4AoMc5
    S+jzjh3evev/30oPRtg/1W75
    =N1F/
    -----END PGP SIGNATURE-----
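
The packet criteria from section III and the ingress filter from section V, written as a header check that a sensor or filter could apply. This is an added example, not part of the iDEFENSE advisory. The addresses and function names are constructed, and the check reads only IP/UDP header fields, never the payload.

```python
import socket
import struct

WSP_PORT = 1745  # UDP port the WSP service binds, per the advisory


def parse_ipv4_udp(pkt: bytes):
    """Return (src_ip, dst_ip, sport, dport) for an IPv4/UDP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or pkt[9] != 17 or len(pkt) < ihl + 8:
        return None  # bad header, not UDP, or truncated
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return None  # non-first fragment carries no UDP header
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, sport, dport


def classify(pkt: bytes, isa_servers: set, from_internet: bool) -> str:
    """Map a packet to the advisory's scenarios using header fields only."""
    hdr = parse_ipv4_udp(pkt)
    if hdr is None or hdr[3] != WSP_PORT:
        return "ignore"
    src, dst, sport, dport = hdr
    if sport == WSP_PORT and src == dst and dst in isa_servers:
        return "alert: self-addressed WSP packet (section III, LAN scenario)"
    if sport == WSP_PORT and src in isa_servers and dst in isa_servers:
        return "alert: WSP packet between two servers (section III, storm scenario)"
    if from_internet:
        return "drop: UDP 1745 at Internet ingress (section V workaround)"
    return "allow"  # ordinary LAN client traffic to the WSP service


def sample(src, dst, sport, dport, payload=b"\x00" * 8):
    """Constructed test packet: minimal IPv4 + UDP headers, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip + udp + payload


ISA = {"192.0.2.10", "198.51.100.20"}  # constructed documentation addresses
if __name__ == "__main__":
    print(classify(sample("192.0.2.10", "192.0.2.10", 1745, 1745), ISA, False))
```
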

