http://www.ISAserver.org
-------------------------------------------------------

Don't forget IPX/SPX -- hey wait, I think I found a new *exploit* ;P~~~

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Sunday, May 07, 2006 10:21 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Fwd: [Full-disclosure] ISA Server 2004 Log Manipulation
>
> ..unless of course, you add IPV6 and a dash of NetBEUI for good measure...
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Sunday, May 07, 2006 18:17
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Fwd: [Full-disclosure] ISA Server 2004 Log Manipulation
>
> OK great. That's what I figured.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Sunday, May 07, 2006 7:09 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Fwd: [Full-disclosure] ISA Server 2004 Log Manipulation
> >
> > None
> > Zip
> > Zero
> > Nada
> >
> > -------------------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > -------------------------------------------------------
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Friday, May 05, 2006 15:49
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Fwd: [Full-disclosure] ISA Server 2004 Log Manipulation
> >
> > So??? What exactly is the issue?
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
> > > Sent: Friday, May 05, 2006 6:42 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Fwd: [Full-disclosure] ISA Server 2004 Log Manipulation
> > >
> > > FYI... discussion continues in Full-disclosure
> > >
> > > ---------- Forwarded message ----------
> > > From: beSIRT <beSIRT@xxxxxxxxxxxxxxxxxx>
> > > Date: May 4, 2006 9:22 AM
> > > Subject: [Full-disclosure] ISA Server 2004 Log Manipulation
> > > To: full-disclosure@xxxxxxxxxxxxxxxxx
> > >
> > > Discovered by: Noam Rathaus using the beSTORM fuzzer.
> > > Reported to vendor: December, 2005.
> > > Vendor response: Microsoft does not consider this issue to be a
> > > security vulnerability.
> > >
> > > Public release date: 4th of May, 2006.
> > > Advisory URL:
> > > http://www.beyondsecurity.com/besirt/advisories/042006-001-ISA-LM.txt
> > >
> > > Introduction
> > > ------------
> > > There is a Log Manipulation vulnerability in Microsoft ISA Server
> > > 2004, which when exploited will enable a malicious user to manipulate
> > > the Destination Host parameter of the log file.
> > >
> > > Technical Details
> > > -----------------
> > > By sending the following request to the server:
> > >
> > > GET / HTTP/1.0
> > > Host: %01%02%03%04
> > > Transfer-Encoding: whatever
> > >
> > > We were able to insert arbitrary characters, in this case the ASCII
> > > characters 1, 2, 3 (respectively) into the Destination Host parameter
> > > of the log file.
> > >
> > > This has been found after 3 days of running the beSTORM fuzzer at 600+
> > > Sessions per Second while monitoring the ISA Server log file for
> > > problems.
> > >
> > > About ISA Server 2004
> > > ---------------------
> > > "Microsoft Internet Security and Acceleration (ISA) Server 2004 is the
> > > advanced stateful packet and application-layer inspection firewall,
> > > virtual private network (VPN), and Web cache solution that enables
> > > enterprise customers to easily maximize existing information technology
> > > (IT) investments by improving network security and performance."
> > >
> > > Product URL: http://www.microsoft.com/isaserver/default.mspx
> > >
> > > --
> > > beSIRT - Beyond Security's Incident Response Team
> > > beSIRT@xxxxxxxxxxxxxxxxxxx
> > >
> > > www.BeyondSecurity.com
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> > > --
> > > CPDE - Certified Petroleum Distribution Engineer
> > > CCBC - Certified Canadian Beer Consumer
> > >
> > > ------------------------------------------------------
> > > List Archives: //www.freelists.org/archives/isalist/
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
> > > ISA Server Blogs: http://blogs.isaserver.org/
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > All mail to and from this domain is GFI-scanned.
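The beSIRT advisory quoted above shows control bytes from a crafted Host header ending up in the Destination Host field of the ISA Server log. As an added defender-side example (not part of this thread or of the advisory), the following Python script audits a W3C-style proxy log for that kind of log injection: it reads the column names from the #Fields: directive, rejects any Destination Host value that is not a well-formed hostname or IPv4 literal, flags lines whose column count no longer matches the header, and escapes the offending bytes so they appear in a report instead of being interpreted. The log excerpt and its column layout are constructed and abbreviated, and the column name r-host is assumed for the Destination Host.

```python
import re

# Constructed, abbreviated W3C-style excerpt of an ISA Server 2004 web proxy
# log (a real log has many more columns); "r-host" is assumed to be the
# Destination Host column. Line 4 carries the raw bytes 0x01 0x02 0x03 that a
# "Host: %01%02%03" request would leave behind; line 5 carries an embedded tab.
SAMPLE_LOG = (
    "#Software: Microsoft(R) Internet Security and Acceleration Server 2004\n"
    "#Fields: c-ip cs-username date time r-host r-port s-operation cs-uri sc-status\n"
    "10.0.0.5 anonymous 2006-05-04 09:22:01 www.example.com 80 GET http://www.example.com/ 200\n"
    "10.0.0.9 anonymous 2006-05-04 09:22:03 \x01\x02\x03 80 GET http://\x01\x02\x03/ 502\n"
    "10.0.0.9 anonymous 2006-05-04 09:22:04 evil.example\tspoofed 80 GET / 200\n"
)

# RFC 1123-style hostname (letter/digit/hyphen labels); dotted IPv4 literals pass too.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def escape_field(value):
    """Render control and non-ASCII characters as \\xNN so a report or SIEM
    shows injected bytes instead of interpreting them."""
    return "".join(c if 0x20 <= ord(c) < 0x7F else f"\\x{ord(c):02x}" for c in value)

def audit_log(text):
    """Return (line_number, reason, escaped_value) for every suspect entry.
    Column names come from the W3C '#Fields:' directive, so no column
    position is hard-coded; data lines seen before it are reported as malformed."""
    fields, findings = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        cols = line.split(" ")
        if "r-host" not in fields or len(cols) != len(fields):
            # A space or line break smuggled into a field shifts every later column.
            findings.append((lineno, "column count mismatch", escape_field(line[:60])))
            continue
        host = cols[fields.index("r-host")]
        if not HOST_RE.match(host):
            findings.append((lineno, "invalid characters in destination host", escape_field(host)))
    return findings

if __name__ == "__main__":
    for lineno, reason, value in audit_log(SAMPLE_LOG):
        print(f"line {lineno}: {reason}: {value}")
```

Run against a real export, the same checks will also surface well-formed lines whose column count drifted, which is the symptom a line-break injection leaves behind.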