Bugtraq mailing list archives
Re: ISA Server 2004 Log Manipulation
From: beSIRT <beSIRT () beyondsecurity com>
Date: Fri, 5 May 2006 11:22:16 +0300
On Friday 05 May 2006 09:16, Steven M. Christey wrote:
There is a Log Manipulation vulnerability in Microsoft ISA Server 2004, which when exploited will enable a malicious user to manipulate the Destination Host parameter of the log file....We were able to insert arbitrary characters, in this case the ASCII characters 1, 2, 3 (respectively) into the Destination Host parameter of the log file.
Just to clarify - these are the ASCII *values* 1,2,3 (or: 0x01, 0x02, 0x03). You can potentially insert any ASCII value you want using character encoding.
I'm curious about why you regard this as security-relevant. I do not know what you mean by "log manipulation".
You can insert the 'tab' value and possibly break 3rd party log analyzers. Other interesting characters may be the EOF or EOD value, a "<" character for CSS, and whatever else your heart desires. As for the attack vectors, we think there's a lot you can do with being able to inject practically arbitrary characters into a corporate firewall's logs, but it's not our job to judge the severity of the problem, every ISA server user should know if this is relevant for them.
- Steve
-- beSIRT - Beyond Security's Incident Response Team beSIRT () beyondsecurity com. www.BeyondSecurity.com
Current thread:
- ISA Server 2004 Log Manipulation beSIRT (May 04)
- <Possible follow-ups>
- Re: ISA Server 2004 Log Manipulation Steven M. Christey (May 05)
- Re: ISA Server 2004 Log Manipulation beSIRT (May 05)
- Re: ISA Server 2004 Log Manipulation Thor (Hammer of God) (May 06)
- Re: ISA Server 2004 Log Manipulation beSIRT (May 05)
- Re: ISA Server 2004 Log Manipulation Shaun Colley (May 06)
- Re: ISA Server 2004 Log Manipulation Steven M. Christey (May 09)