[VulnWatch] Microsoft ISA Server HTTP error handler XSS (TL#007)

From: Thor Larholm (thor_at_pivx.com)
Date: 07/16/03

  • Next message: KF: "[VulnWatch] SRT2003-07-16-0358 - bru has buffer overflow and format issues"
    To: <vulnwatch@vulnwatch.org>
    Date: Wed, 16 Jul 2003 21:47:54 +0200

    Thor Larholm security advisory TL#006

    16 July 2003

    HTML format: http://pivx.com/larholm/adv/TL006

    Topic: ISA Server HTTP error handler XSS.

    Discovery date: 25 June 2002.

    Severity: Medium

    Affected applications:

    Any Microsoft Internet Security and Acceleration (ISA) Server installation
    that hosts the default HTTP error pages. This includes:

    ISA Server 2000


    Stealing cookies from any ISA-protected site, cross-site scripting to any
    ISA-protected site, hijacking Hotmail and Passport accounts, elevating
    priveleges through ActiveX components, hijacking the MSN Messenger client,


    CrossSiteScripting is a term that describes the injection of script code on
    foreign sites. A very likely scenario is where a malicious programmer would
    inject code on e.g. hotmail.com to steal a victims cookies, allowing him/her
    to hijack the victims email account.
    The default installation of ISA Server is suspectible to such a XSS error.


    Every time ISA Server encounters a HTTP errorcode such as 404 Not Found or
    500 Internal Server Error, ISA Server returns a HTTP error handler document
    which is an HTML file.
    These HTML files use scripting to output a link to the SERVER.TLD part of
    the URL, and by crafting a specially formed URL it is possible to include
    arbitrary script commands on the HTTP error handler document, thereby
    enabling CrossSiteScripting on any ISA-protected site.

    Unlike TL001 we will prefer to trigger a 500 Internal Server error instead
    of a 404 Not Found error, as the HTTP 500 error handler document can easily
    be lured out of ISA Server by appending %U0 to the querystring, resulting in
    an unparsable request.
    Many other requests can result in ISA Server handing out an HTTP error
    handler document.

    If we look at 404.htm or 500.htm we will notice a particular line of code:

    document.write( '<A HREF="' + escape(urlresult) + '">' + displayresult +

    displayResult is derived from the first instance of :// in the URL until the
    next instance of /.
    This means that we will have to include our script code before the path part
    of the URL. To accomplish this we include our script code in the Basic
    Authentication part of the URL, but we first have to escape any special
    characters in the code. Any / character will end displayresult prematurely
    and any spaces will corrupt the DNS lookup, and we therefor replace any
    space with a TAB (%09) and any / with %5Cx2f (\x2f, as we will dynamically
    reference an external file).



    The above will include and execute http://jscript.dk/test.js on YOUR.TLD,
    provided that YOUR.TLD is protected by an ISA Server installation.


    Apply the MS03-028 patch.
    You could also use the opportunity to make yourself some nice custom error
    handler documents.


    25 June 2003: Discovery
    27 June 2003: Notification to MS with complete advisory
    28 June 2003: Reply from MS:

    This has actually been reported to us by another finder a few weeks ago.
    We're nearing a release of a bulletin crediting the finder and a patch.

    16 July 2003: MS03-028 patch released by MS, no credit for discovery
    16 July 2003: Public advisory


    I have put together some proof-of-concept examples:

    Simple static examples - your cookies from a selection of domains:

    Short advanced example - get the cookies from any ISA-protected site:


    MS03-028 patch
    TL001 IIS allows universal CrossSite Scripting:
    - http://www.pivx.com/larholm/adv/TL001/
    CERT Cross Site Scripting advisory:
    - http://www.cert.org/advisories/CA-2000-02.html
    Unpatched IE vulnerabilities:
    - http://pivx.com/larholm/unpatched/

    Thor Larholm
    PivX Solutions, LLC - Senior Security Researcher

  • Next message: KF: "[VulnWatch] SRT2003-07-16-0358 - bru has buffer overflow and format issues"