Re: ISA Server 2004 Log Manipulation

[beSIRT <beSIRT () beyondsecurity com>]

On Friday 05 May 2006 09:16, Steven M. Christey wrote:
> > There is a Log Manipulation vulnerability in Microsoft ISA Server
> > 2004, which when exploited will enable a malicious user to manipulate
> > the Destination Host parameter of the log file.
>
> ...
>
> > We were able to insert arbitrary characters, in this case the ASCII
> > characters 1, 2, 3 (respectively) into the Destination Host parameter
> > of the log file.

Just to clarify - these are the ASCII *values* 1,2,3 (or: 0x01, 0x02, 0x03). 
You can potentially insert any ASCII value you want using character encoding.

> I'm curious about why you regard this as security-relevant.  I do not
> know what you mean by "log manipulation".
You can insert the 'tab' value and possibly break 3rd party log analyzers. 
Other interesting characters may be the EOF or EOD value, a "<" character for 
CSS, and whatever else your heart desires. 

As for the attack vectors, we think there's a lot you can do with being able 
to inject practically arbitrary characters into a corporate firewall's logs, 
but it's not our job to judge the severity of the problem, every ISA server 
user should know if this is relevant for them.

> - Steve

--
beSIRT - Beyond Security's Incident Response Team
beSIRT () beyondsecurity com.

www.BeyondSecurity.com