[isalist] Re: Fwd: [Full-disclosure] ISA Server 2004 Log Manipulation

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 7 May 2006 10:43:27 -0500

http://www.ISAserver.org
-------------------------------------------------------

Don't forget IPX/SPX -- hey wait, I think I found a new *exploit* ;P~~~

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Sunday, May 07, 2006 10:21 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Fwd: [Full-disclosure] ISA Server 2004 
> Log Manipulation
> 
>   
> ..unless of course, you add IPV6 and a dash of NetBEUI for 
> good measure... 
> 
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Sunday, May 07, 2006 18:17
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Fwd: [Full-disclosure] ISA Server 2004 
> Log Manipulation
> 
>   
> OK great. That's what I figured.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Sunday, May 07, 2006 7:09 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Fwd: [Full-disclosure] ISA Server 2004 Log 
> > Manipulation
> > 
> >   
> > None
> > Zip
> > Zero
> > Nada
> >  
> > 
> > 
> > -------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> > -------------------------------------------------------
> >  
> > 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Friday, May 05, 2006 15:49
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Fwd: [Full-disclosure] ISA Server 2004 Log 
> > Manipulation
> > 
> >   
> > So??? What exactly is the issue?
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
> > > Sent: Friday, May 05, 2006 6:42 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Fwd: [Full-disclosure] ISA Server 2004 Log 
> > > Manipulation
> > > 
> > >   
> > > FYI...  discussion continues in Full-disclosure
> > > 
> > > ---------- Forwarded message ----------
> > > From: beSIRT <beSIRT@xxxxxxxxxxxxxxxxxx>
> > > Date: May 4, 2006 9:22 AM
> > > Subject: [Full-disclosure] ISA Server 2004 Log Manipulation
> > > To: full-disclosure@xxxxxxxxxxxxxxxxx
> > > 
> > > 
> > > Discovered by: Noam Rathaus using the beSTORM fuzzer.
> > > Reported to vendor: December, 2005.
> > > Vendor response: Microsoft does not consider this issue to be a 
> > > security vulnerability.
> > > 
> > > Public release date: 4th of May, 2006.
> > > Advisory URL:
> > > http://www.beyondsecurity.com/besirt/advisories/042006-001-ISA-LM.txt
> > > 
> > > Introduction
> > > ------------
> > > There is a Log Manipulation vulnerability in Microsoft ISA Server
> > > 2004, which when exploited will enable a malicious user to manipulate
> > > the Destination Host parameter of the log file.
> > > 
> > > Technical Details
> > > -----------------
> > > By sending the following request to the server:
> > > GET / HTTP/1.0
> > > Host: %01%02%03%04
> > > Transfer-Encoding: whatever
> > > 
> > > We were able to insert arbitrary characters, in this case the ASCII
> > > characters 1, 2, 3 (respectively) into the Destination Host parameter
> > > of the log file.
> > > 
> > > This has been found after 3 days of running the beSTORM fuzzer at 600+
> > > Sessions per Second while monitoring the ISA Server log file for
> > > problems.
> > > 
> > > About ISA Server 2004
> > > ---------------------
> > > "Microsoft Internet Security and Acceleration (ISA) Server 2004 is the
> > > advanced stateful packet and application-layer inspection firewall,
> > > virtual private network (VPN), and Web cache solution that enables
> > > enterprise customers to easily maximize existing information technology
> > > (IT) investments by improving network security and performance."
> > > 
> > > Product URL: http://www.microsoft.com/isaserver/default.mspx
> > > 
> > > --
> > > beSIRT - Beyond Security's Incident Response Team 
> > > beSIRT@xxxxxxxxxxxxxxxxxxx
> > > 
> > > www.BeyondSecurity.com
> > > 
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > > 
> > > 
> > > --
> > > CPDE - Certified Petroleum Distribution Engineer CCBC - Certified 
> > > Canadian Beer Consumer
> > > 
> > > ------------------------------------------------------
> > > List Archives: //www.freelists.org/archives/isalist/
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server Articles and Tutorials: 
> > > http://www.isaserver.org/articles_tutorials/
> > > ISA Server Blogs: http://blogs.isaserver.org/
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > 
> > > 
> > All mail to and from this domain is GFI-scanned.
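As an added defensive example (not part of this thread, the advisory, or ISA Server itself), the Python below shows how a proxy's log writer can validate the percent-decoded Host header and escape control characters before writing the Destination Host field, plus a scan for log lines already on disk that carry raw control bytes. The tab-separated log line is a constructed, simplified sample, not ISA's real log schema.

```python
import re
from urllib.parse import unquote

# hostname[:port]: dot-separated alphanumeric labels, hyphens allowed inside a label.
_HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
    r"(?::\d{1,5})?$"
)
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def is_valid_host(value: str) -> bool:
    """True only for a syntactically valid hostname, optionally with a port."""
    return len(value) <= 253 and bool(_HOST_RE.match(value))


def escape_for_log(value: str) -> str:
    """Render control and non-ASCII characters as \\xNN so the written field
    stays printable and cannot carry CR/LF or field separators into the log."""
    return "".join(
        ch if 0x20 <= ord(ch) <= 0x7E else "\\x%02x" % ord(ch) for ch in value
    )


def log_destination_host(raw_header: str) -> tuple:
    """Percent-decode the Host header (the step that turns %01 into byte 0x01),
    then return (value safe to write into the Destination Host field,
    whether the decoded value passed hostname validation)."""
    decoded = unquote(raw_header)
    return escape_for_log(decoded), is_valid_host(decoded)


def find_tainted_fields(log_line: str, sep: str = "\t") -> list:
    """Detection for logs already on disk: indexes of fields that contain raw
    control characters, the symptom the advisory describes."""
    return [i for i, field in enumerate(log_line.split(sep))
            if _CONTROL_RE.search(field)]


if __name__ == "__main__":
    # The header value from the advisory, and a benign one for comparison.
    print(log_destination_host("%01%02%03%04"))
    print(log_destination_host("www.example.com"))
    # Constructed, simplified tab-separated log line (not ISA's real schema)
    # whose fifth field holds the raw decoded bytes.
    sample = "2006-05-04\t09:22:00\t10.0.0.5\tGET\t\x01\x02\x03\x04\t/\t200"
    print(find_tainted_fields(sample))  # [4]
```

A record that fails `is_valid_host` is worth alerting on as well as escaping, since a legitimate client never sends control bytes in Host.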