[VulnWatch] ISA Server 2004 Log Manipulation



Discovered by: Noam Rathaus using the beSTORM fuzzer.
Reported to vendor: December, 2005.
Vendor response: Microsoft does not consider this issue to be a security
vulnerability.

Public release date: 4th of May, 2006.
Advisory URL:
http://www.beyondsecurity.com/besirt/advisories/042006-001-ISA-LM.txt

Introduction
------------
There is a log manipulation (log injection) vulnerability in Microsoft ISA Server
2004. A remote user who can send HTTP requests to the server can write arbitrary
characters, including non-printable control characters, into the Destination
Host field of the ISA Server log file.

Technical Details
-----------------
By sending the following request to the server:
GET / HTTP/1.0
Host: %01%02%03%04
Transfer-Encoding: whatever

we were able to insert arbitrary characters, in this case the ASCII control
characters 1 through 4 (sent percent-encoded in the Host header), into the
Destination Host field of the log file. ISA Server records the decoded value
rather than the percent-encoded text it received, so the raw control bytes end
up in the log. Any tool that parses the log, and any terminal on which the log is
displayed, therefore receives attacker-chosen control characters in a field it
would normally treat as a plain host name.

This was found after three days of running the beSTORM fuzzer at more than 600
sessions per second while monitoring the ISA Server log file for anomalies.
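
The following Python script is an added example; it is not part of the original
advisory and is not Beyond Security's or Microsoft's code. It builds the probe
request shown above, models the behaviour the advisory reports (the
percent-encoded Host value is decoded before it is written to the log), and
runs a detection pass over constructed W3C-style log lines to flag control
characters in the Destination Host column. The "#Fields:" layout, the column
name "r-host", and every log row are constructed for this example and are not
claimed to match the real ISA Server 2004 log format.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Any C0 control character or DEL. Tabs never reach a cell because each
# log line is split on tab before this pattern is applied.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def build_probe(host: bytes) -> bytes:
    """Build the raw HTTP/1.0 request from the advisory.

    The Host value is percent-encoded byte by byte so that control
    characters survive transport: b"\\x01\\x02\\x03\\x04" becomes %01%02%03%04.
    """
    encoded = "".join(f"%{b:02x}" for b in host)
    return (
        "GET / HTTP/1.0\r\n"
        f"Host: {encoded}\r\n"
        "Transfer-Encoding: whatever\r\n"
        "\r\n"
    ).encode("ascii")


def logged_host(request: bytes) -> bytes:
    """Model of the behaviour the advisory reports: the proxy decodes the
    percent-encoded Host header and records the raw bytes as the Destination
    Host. This is a model written for the example, not ISA Server's code."""
    for line in request.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return unquote_to_bytes(line[5:].strip())
    raise ValueError("request has no Host header")


def escape_control(value: str) -> str:
    """Render control characters as \\xNN so a flagged value can be displayed
    or forwarded to another system without re-injecting the raw bytes."""
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def find_injected_fields(log_text: str, field: str = "r-host") -> List[Tuple[int, str]]:
    """Scan a tab-separated W3C-style log for control characters in one column.

    Returns (1-based line number, escaped field value) for each hit. The text
    is split on "\\n" only: str.splitlines() would also split on \\x1c-\\x1e,
    \\v and \\f, which are exactly the bytes this check is meant to catch.
    """
    hits: List[Tuple[int, str]] = []
    column: Optional[int] = None
    for lineno, raw in enumerate(log_text.split("\n"), 1):
        line = raw.rstrip("\r")
        if line.startswith("#Fields:"):
            column = line[len("#Fields:"):].split().index(field)
            continue
        if not line or line.startswith("#"):
            continue
        if column is None:
            raise ValueError("log rows appear before the #Fields: header")
        cells = line.split("\t")
        if column < len(cells) and CONTROL.search(cells[column]):
            hits.append((lineno, escape_control(cells[column])))
    return hits


# Constructed sample log (not a real ISA Server capture). Logs should be read
# with latin-1 so every byte maps to exactly one character and nothing is lost.
_PROBE_HOST = logged_host(build_probe(b"\x01\x02\x03\x04")).decode("latin-1")
SAMPLE_LOG = "\n".join([
    "#Fields: c-ip date time r-host r-port cs-uri sc-status",
    "\t".join(["10.0.0.5", "2006-05-04", "12:00:01", "www.example.com", "80", "/", "200"]),
    # The advisory's request as it would land in the log: raw bytes 1 to 4.
    "\t".join(["10.0.0.9", "2006-05-04", "12:00:02", _PROBE_HOST, "80", "/", "200"]),
    # A terminal escape sequence (clear screen) in front of a plausible host
    # name: this is what makes control characters in a tailed log dangerous.
    "\t".join(["10.0.0.9", "2006-05-04", "12:00:03", "\x1b[2Jwww.example.com", "80", "/", "200"]),
])

if __name__ == "__main__":
    print(build_probe(b"\x01\x02\x03\x04").decode("ascii"))
    for lineno, value in find_injected_fields(SAMPLE_LOG):
        print(f"line {lineno}: r-host contains control characters: {value}")
```

The checker escapes rather than strips the offending bytes, so the evidence
survives for review while the output stays safe to print; the same escaping
should be applied before log lines are forwarded to a SIEM or shown in a
console.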

About ISA Server 2004
---------------------
"Microsoft Internet Security and Acceleration (ISA) Server 2004 is the
advanced stateful packet and application-layer inspection firewall, virtual
private network (VPN), and Web cache solution that enables enterprise
customers to easily maximize existing information technology (IT) investments
by improving network security and performance."

Product URL: http://www.microsoft.com/isaserver/default.mspx

--
beSIRT - Beyond Security's Incident Response Team
beSIRT@xxxxxxxxxxxxxxxxxxx

www.BeyondSecurity.com


