http://www.ISAserver.org
-------------------------------------------------------

OK great. That's what I figured.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Sunday, May 07, 2006 7:09 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Fwd: [Full-disclosure] ISA Server 2004
> Log Manipulation
>
> None
> Zip
> Zero
> Nada
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Friday, May 05, 2006 15:49
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Fwd: [Full-disclosure] ISA Server 2004
> Log Manipulation
>
> So??? What exactly is the issue?
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
> > Sent: Friday, May 05, 2006 6:42 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Fwd: [Full-disclosure] ISA Server 2004 Log
> > Manipulation
> >
> > FYI...
> > discussion continues in Full-disclosure
> >
> > ---------- Forwarded message ----------
> > From: beSIRT <beSIRT@xxxxxxxxxxxxxxxxxx>
> > Date: May 4, 2006 9:22 AM
> > Subject: [Full-disclosure] ISA Server 2004 Log Manipulation
> > To: full-disclosure@xxxxxxxxxxxxxxxxx
> >
> > Discovered by: Noam Rathaus using the beSTORM fuzzer.
> > Reported to vendor: December, 2005.
> > Vendor response: Microsoft does not consider this issue to be a
> > security vulnerability.
> >
> > Public release date: 4th of May, 2006.
> > Advisory URL:
> > http://www.beyondsecurity.com/besirt/advisories/042006-001-ISA-LM.txt
> >
> > Introduction
> > ------------
> > There is a Log Manipulation vulnerability in Microsoft ISA Server
> > 2004, which when exploited will enable a malicious user to manipulate
> > the Destination Host parameter of the log file.
> >
> > Technical Details
> > -----------------
> > By sending the following request to the server:
> >
> > GET / HTTP/1.0
> > Host: %01%02%03%04
> > Transfer-Encoding: whatever
> >
> > We were able to insert arbitrary characters, in this case the ASCII
> > characters 1, 2, 3 (respectively) into the Destination Host parameter
> > of the log file.
> >
> > This has been found after 3 days of running the beSTORM fuzzer at 600+
> > Sessions per Second while monitoring the ISA Server log file for
> > problems.
> >
> > About ISA Server 2004
> > ---------------------
> > "Microsoft Internet Security and Acceleration (ISA) Server 2004 is the
> > advanced stateful packet and application-layer inspection firewall,
> > virtual private network (VPN), and Web cache solution that enables
> > enterprise customers to easily maximize existing information technology
> > (IT) investments by improving network security and performance."
> >
> > Product URL: http://www.microsoft.com/isaserver/default.mspx
> >
> > --
> > beSIRT - Beyond Security's Incident Response Team
> > beSIRT@xxxxxxxxxxxxxxxxxxx
> >
> > www.BeyondSecurity.com
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> > --
> > CPDE - Certified Petroleum Distribution Engineer
> > CCBC - Certified Canadian Beer Consumer
> >
> > ------------------------------------------------------
> > List Archives: //www.freelists.org/archives/isalist/
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server Articles and Tutorials:
> > http://www.isaserver.org/articles_tutorials/
> > ISA Server Blogs: http://blogs.isaserver.org/
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
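The forwarded advisory's point is that a Host header value ends up in the log's Destination Host field without being checked, so encoded control characters land in the log verbatim. The following is an added example of the defender-side handling such a field wants; it is not code from the advisory, from beSIRT, from ISA Server or from anyone on the list. The tab-separated record layout, the function names and the sample records are all assumptions constructed for the example, not real ISA Server 2004 log output.

```python
"""
Added example (not from the advisory, ISA Server or the isalist thread).

Three defender-side pieces for the Destination Host field problem:
  host_header_is_clean()  validate a Host value both as sent and after one
                          round of %XX decoding, so "%01%02%03%04" is rejected
                          whether or not the logger decodes it;
  escape_for_log()        rewrite control and non-ASCII characters as \\xNN so a
                          hostile value cannot break a line or forge fields;
  scan_log()              review existing records and report any whose
                          destination-host field holds raw control characters.
"""
import re
from urllib.parse import unquote

# Simplified RFC 3986 host grammar: reg-name, IPv4, or bracketed IPv6, optional
# port. '%' is deliberately not in the character set, so an encoded value fails
# the raw check as well as the decoded one. Assumed grammar for the example.
_HOST_RE = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._~-]+)(:[0-9]{1,5})?$")


def host_header_is_clean(raw: str) -> bool:
    """True only if the Host value is a plausible hostname both as received
    and after percent-decoding (catches encoded control characters)."""
    if not raw or len(raw) > 255:
        return False
    for candidate in (raw, unquote(raw)):
        # Reject C0 controls, DEL and anything outside printable ASCII.
        if any(ord(c) < 0x20 or ord(c) > 0x7E for c in candidate):
            return False
        if not _HOST_RE.match(candidate):
            return False
    return True


def escape_for_log(value: str) -> str:
    """Escape control, DEL and non-ASCII characters as \\xNN (and backslash as
    \\\\) so the field stays printable and on one line in a text log."""
    out = []
    for ch in value:
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            out.append(f"\\x{code:02x}")
        elif code > 0x7E:
            out.append("".join(f"\\x{b:02x}" for b in ch.encode("utf-8")))
        elif ch == "\\":
            out.append("\\\\")
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample records (tab-separated: client IP, method, destination
# host, status). The layout is assumed for the example; a real parser would
# hand scan_log() one record per list entry in the same way.
SAMPLE_LOG = [
    "10.0.0.5\tGET\twww.example.com\t200",
    "10.0.0.7\tGET\t\x01\x02\x03\x04\t200",   # the advisory's value, decoded
    "10.0.0.9\tGET\tintranet.example.local\t304",
    "10.0.0.11\tGET\thost.example\x07\t200",  # a single stray control byte
]

_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def scan_log(records, host_field_index: int = 2):
    """Return (record_number, escaped_host) for every record whose
    destination-host field contains raw control characters."""
    findings = []
    for n, record in enumerate(records, start=1):
        fields = record.split("\t")
        if len(fields) <= host_field_index:
            continue
        host = fields[host_field_index]
        if _CONTROL_RE.search(host):
            findings.append((n, escape_for_log(host)))
    return findings


if __name__ == "__main__":
    for raw in ("www.example.com", "%01%02%03%04"):
        print(f"{escape_for_log(raw)!r}: clean={host_header_is_clean(raw)}")
    for n, host in scan_log(SAMPLE_LOG):
        print(f"record {n}: control characters in destination host {host!r}")
```

The validation step is the one that removes the problem at the source; the escaping step is the fallback for a log writer that must record whatever it was given, and the scan is for logs already written. Because the regex rejects `%`, a value is checked as received and after decoding, so it does not matter which form the logging path actually stores.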