Full Disclosure mailing list archives
Re: ISA Server 2004 Log Manipulation
From: "Christian Swartzbaugh" <feofil () gmail com>
Date: Thu, 4 May 2006 12:16:44 -0700
Why do you consider this a vulnerability? The host parameter is client based and can't be trusted. Many servers ignore it altogether.

On 5/4/06, beSIRT <beSIRT () beyondsecurity com> wrote:
Discovered by: Noam Rathaus using the beSTORM fuzzer.
Reported to vendor: December, 2005.
Vendor response: Microsoft does not consider this issue to be a security vulnerability.
Public release date: 4th of May, 2006.
Advisory URL: http://www.beyondsecurity.com/besirt/advisories/042006-001-ISA-LM.txt

Introduction
------------
There is a Log Manipulation vulnerability in Microsoft ISA Server 2004, which when exploited will enable a malicious user to manipulate the Destination Host parameter of the log file.

Technical Details
-----------------
By sending the following request to the server:

GET / HTTP/1.0
Host: %01%02%03%04
Transfer-Encoding: whatever

We were able to insert arbitrary characters, in this case the ASCII characters 1, 2, 3 (respectively) into the Destination Host parameter of the log file.

This has been found after 3 days of running the beSTORM fuzzer at 600+ Sessions per Second while monitoring the ISA Server log file for problems.

About ISA Server 2004
---------------------
"Microsoft Internet Security and Acceleration (ISA) Server 2004 is the advanced stateful packet and application-layer inspection firewall, virtual private network (VPN), and Web cache solution that enables enterprise customers to easily maximize existing information technology (IT) investments by improving network security and performance."

Product URL: http://www.microsoft.com/isaserver/default.mspx

--
beSIRT - Beyond Security's Incident Response Team
beSIRT () beyondsecurity com.
www.BeyondSecurity.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
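An added example, not part of the thread or the advisory, of treating the client-supplied Host value as untrusted on the logging side: validate it, escape control bytes before writing the field, and scan existing log lines for them. The function names, the tab-delimited log layout and the sample lines are constructed assumptions and do not reflect ISA Server's actual log format.

```python
import re
from urllib.parse import unquote_to_bytes

# Plain hostname or IPv4 with optional port. IPv6 literals are left out
# to keep the example short.
HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,253}[A-Za-z0-9])?(:\d{1,5})?")

def host_is_wellformed(raw: str) -> bool:
    """True only for hostname[:port]; percent-escapes and control bytes fail."""
    return HOST_RE.fullmatch(raw) is not None

def log_safe(raw: str) -> str:
    """Render a client-supplied value so it cannot alter the log's structure.

    The value is percent-decoded first (assumption: the logger or a later
    consumer may decode it), then every byte outside printable ASCII, and the
    backslash itself, is written as a literal \\xNN escape.
    """
    out = []
    for b in unquote_to_bytes(raw):
        if 0x20 <= b <= 0x7E and b != 0x5C:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)

# Raw control bytes, or their percent-encoded forms (%00-%1F, %7F).
CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]|%(?:[01][0-9A-Fa-f]|7[Ff])")

def suspicious_fields(log_line: str, delimiter: str = "\t") -> list:
    """Indexes of fields in an existing log line that hold control bytes."""
    fields = log_line.rstrip("\r\n").split(delimiter)
    return [i for i, field in enumerate(fields) if CONTROL_RE.search(field)]

# Constructed sample data (not real ISA Server log output). The Host value
# is the one quoted in the advisory.
SAMPLE_HOSTS = ["www.example.com", "www.example.com:8080", "%01%02%03%04"]
SAMPLE_LOG = "10.0.0.5\tGET\t\x01\x02\x03\x04\t200"

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h!r:26} wellformed={host_is_wellformed(h)!s:5} logged={log_safe(h)!r}")
    print("fields to review:", suspicious_fields(SAMPLE_LOG))
```
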
Current thread:
- ISA Server 2004 Log Manipulation beSIRT (May 04)
- Re: ISA Server 2004 Log Manipulation Christian Swartzbaugh (May 04)
- Re: ISA Server 2004 Log Manipulation beSIRT (May 05)
- Re: ISA Server 2004 Log Manipulation ragdelaed (May 04)
- Re: ISA Server 2004 Log Manipulation Christian Swartzbaugh (May 04)