Full Disclosure mailing list archives
Re: ISA Server 2004 Log Manipulation
From: ragdelaed <ragdelaed () gmail com>
Date: Thu, 04 May 2006 15:39:19 -0400
3 days at 600 per second non stop = 86400 sec/day * 600 = 51 840 000 attempts.
after 51.8 million tries, the product was able to inject the numbers 1,2,3 into a parameter into a log that many see as non-critical. and it looks like you tried 1,2,3,4 but it only did 1,2,3.
c'mon. log manipulation should mean more than that, shouldn't it? hmmmm.

beSIRT wrote:
Discovered by: Noam Rathaus using the beSTORM fuzzer.
Reported to vendor: December, 2005.
Vendor response: Microsoft does not consider this issue to be a security vulnerability.
Public release date: 4th of May, 2006.
Advisory URL: http://www.beyondsecurity.com/besirt/advisories/042006-001-ISA-LM.txt

Introduction
------------
There is a Log Manipulation vulnerability in Microsoft ISA Server 2004, which when exploited will enable a malicious user to manipulate the Destination Host parameter of the log file.

Technical Details
-----------------
By sending the following request to the server:

GET / HTTP/1.0
Host: %01%02%03%04
Transfer-Encoding: whatever

We were able to insert arbitrary characters, in this case the ASCII characters 1, 2, 3 (respectively) into the Destination Host parameter of the log file.

This has been found after 3 days of running the beSTORM fuzzer at 600+ Sessions per Second while monitoring the ISA Server log file for problems.

About ISA Server 2004
---------------------
"Microsoft Internet Security and Acceleration (ISA) Server 2004 is the advanced stateful packet and application-layer inspection firewall, virtual private network (VPN), and Web cache solution that enables enterprise customers to easily maximize existing information technology (IT) investments by improving network security and performance."

Product URL: http://www.microsoft.com/isaserver/default.mspx

--
beSIRT - Beyond Security's Incident Response Team
beSIRT () beyondsecurity com.
www.BeyondSecurity.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
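The following is an added example, not part of the thread or of any vendor code: a logging-side check for the Host value quoted in the advisory, which flags a decoded Host that is not a plain hostname and writes control bytes as visible escapes instead of raw bytes. The function names, the tab-separated log layout and the sample addresses are assumptions made for illustration; IPv6 literals are deliberately treated as malformed to keep the check short.

```python
import re
from urllib.parse import unquote_to_bytes

# Plain hostname with optional port. Hypothetical policy, not ISA Server's own.
_HOST_OK = re.compile(rb"[A-Za-z0-9.-]{1,253}(:\d{1,5})?")


def decode_host(raw_host: str) -> bytes:
    """Percent-decode the Host header value, as a decoding proxy would."""
    return unquote_to_bytes(raw_host.strip())


def host_is_wellformed(raw_host: str) -> bool:
    """True only if the decoded value is hostname[:port] and nothing else."""
    # fullmatch, not match with '$': '$' would accept a trailing newline.
    return _HOST_OK.fullmatch(decode_host(raw_host)) is not None


def escape_log_field(data: bytes) -> str:
    """Render a field so that control bytes, whitespace, backslash and
    non-ASCII bytes appear as \\xNN and cannot alter the log structure."""
    out = []
    for b in data:
        if 0x21 <= b <= 0x7E and b != 0x5C:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def log_line(client_ip: str, raw_host: str) -> str:
    """Build one tab-separated record (assumed layout: ip, host, verdict)."""
    host = escape_log_field(decode_host(raw_host))
    verdict = "ok" if host_is_wellformed(raw_host) else "malformed-host"
    return "\t".join([client_ip, host, verdict])


if __name__ == "__main__":
    # Constructed sample input: the Host value from the advisory, one
    # ordinary host, and one value carrying a tab and CRLF.
    for sample in ("%01%02%03%04", "www.example.com:8080", "a%09b%0d%0a"):
        print(log_line("192.0.2.10", sample))
```
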