Re: ISA Server 2004 Log Manipulation

Can you provide some more information, please? Where in relation to the
server did you perform the GET request? As an internal proxy or firewall
client or an external client?

If from the outside, what publishing rules are you using? The only way you
could issue this request from the outside is if you either have server or
web publishing rules in place for HTTP.

In either case, I cannot reproduce this at all: internal clients issuing
this request to the web proxy listener fail, and with no "arbitrary"
characters in the logs - just a "/" in the URI and an ACTION of "failed" just
as it is supposed to do. External clients attempting this fail with a 403
(URL denied), again with no "arbitrary" characters in the log - the failed
attempt is of course logged the way it is supposed to be, but no garbage is
present.

Did you turn off the HTTP filter that is on by default for all HTTP traffic
(inbound and outbound)? Did you create some "special" firewall rules for
this to happen? Can you post an ISAINFO dump so that anyone concerned with
this "log file manipulation vulnerability" can see exactly what your
configuration is?

In my opinion, the responsible thing to do would be to provide full details
on your configuration with reproducible steps - particularly when you use
words like "inject arbitrary data" and "log file manipulation."

t


On 5/5/06 1:22 AM, "beSIRT" <beSIRT@xxxxxxxxxxxxxxxxxx> spoketh to all:

> On Friday 05 May 2006 09:16, Steven M. Christey wrote:
> > > There is a Log Manipulation vulnerability in Microsoft ISA Server
> > > 2004, which when exploited will enable a malicious user to manipulate
> > > the Destination Host parameter of the log file.
> >
> > ...
> >
> > > We were able to insert arbitrary characters, in this case the ASCII
> > > characters 1, 2, 3 (respectively) into the Destination Host parameter
> > > of the log file.
>
> Just to clarify - these are the ASCII *values* 1,2,3 (or: 0x01, 0x02, 0x03).
> You can potentially insert any ASCII value you want using character encoding.
>
> > I'm curious about why you regard this as security-relevant. I do not
> > know what you mean by "log manipulation".
>
> You can insert the 'tab' value and possibly break 3rd party log analyzers.
> Other interesting characters may be the EOF or EOD value, a "<" character for
> CSS, and whatever else your heart desires.
>
> As for the attack vectors, we think there's a lot you can do with being able
> to inject practically arbitrary characters into a corporate firewall's logs,
> but it's not our job to judge the severity of the problem, every ISA server
> user should know if this is relevant for them.
>
> > - Steve
>
> --
> beSIRT - Beyond Security's Incident Response Team
> beSIRT@xxxxxxxxxxxxxxxxxxx
>
> www.BeyondSecurity.com
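As an added defender-side example (not code from the thread, from beSIRT, or from the ISA product), here is a small Python triage routine for tab-delimited proxy log lines: it refuses records whose column count is wrong, which is what an injected tab causes, flags fields carrying control bytes such as 0x01-0x03 or "<", and shows the pre-logging check of decoding percent-encoding before validating a host. The four-column layout and the sample lines are constructed assumptions, not ISA's real log schema.

```python
import re
from urllib.parse import unquote

# Constructed, simplified field layout in the spirit of ISA's tab-delimited
# W3C-style logs; the real column set is longer (assumption, not the product's).
FIELDS = ["client-ip", "destination-host", "action", "uri"]

# Bytes that never belong in a host name or path: C0 controls, DEL, and the
# angle brackets the thread mentions as a way to attack HTML-based log viewers.
BAD_CHARS = re.compile(r"[\x00-\x1f\x7f<>]")

def parse_record(line: str) -> dict:
    """Split one record; refuse rows whose column count is off instead of
    silently shifting every later field (the effect of an injected tab)."""
    cols = line.rstrip("\r\n").split("\t")
    if len(cols) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(cols)}")
    return dict(zip(FIELDS, cols))

def tainted_fields(rec: dict) -> list:
    """Names of fields carrying control or markup characters."""
    return [name for name, value in rec.items() if BAD_CHARS.search(value)]

def triage(lines: list) -> list:
    """Classify each log line as 'ok', 'misaligned' or 'tainted:<fields>'."""
    verdicts = []
    for line in lines:
        try:
            rec = parse_record(line)
        except ValueError:
            verdicts.append("misaligned")
            continue
        bad = tainted_fields(rec)
        verdicts.append("tainted:" + ",".join(bad) if bad else "ok")
    return verdicts

def request_host_is_clean(raw_host: str) -> bool:
    """Pre-logging check at the proxy: decode percent-encoding first, since
    %01 or %09 in the request becomes a literal control byte in the log."""
    return BAD_CHARS.search(unquote(raw_host)) is None

# Constructed sample records (not taken from a real ISA log).
SAMPLE = [
    "10.0.0.5\twww.example.com\tAllowed\t/index.html",
    "10.0.0.5\twww.example.com\x01\x02\x03\tFailed\t/",
    "10.0.0.5\twww.example\t.com\tFailed\t/",
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE, triage(SAMPLE)):
        print(verdict, repr(line))
```

A real deployment would feed the analyzer the product's actual `#Fields:` header instead of the constructed `FIELDS` list and alert on any "misaligned" or "tainted" verdict rather than just printing it.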
