http://www.ISAserver.org
-------------------------------------------------------

None Zip Zero Nada

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, May 05, 2006 15:49
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Fwd: [Full-disclosure] ISA Server 2004 Log Manipulation

So??? What exactly is the issue?

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Danny
> Sent: Friday, May 05, 2006 6:42 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Fwd: [Full-disclosure] ISA Server 2004 Log Manipulation
>
> FYI... discussion continues in Full-disclosure
>
> ---------- Forwarded message ----------
> From: beSIRT <beSIRT@xxxxxxxxxxxxxxxxxx>
> Date: May 4, 2006 9:22 AM
> Subject: [Full-disclosure] ISA Server 2004 Log Manipulation
> To: full-disclosure@xxxxxxxxxxxxxxxxx
>
> Discovered by: Noam Rathaus using the beSTORM fuzzer.
> Reported to vendor: December, 2005.
> Vendor response: Microsoft does not consider this issue to be a security vulnerability.
>
> Public release date: 4th of May, 2006.
> Advisory URL: http://www.beyondsecurity.com/besirt/advisories/042006-001-ISA-LM.txt
>
> Introduction
> ------------
> There is a Log Manipulation vulnerability in Microsoft ISA Server 2004, which when exploited will enable a malicious user to manipulate the Destination Host parameter of the log file.
>
> Technical Details
> -----------------
> By sending the following request to the server:
>
> GET / HTTP/1.0
> Host: %01%02%03%04
> Transfer-Encoding: whatever
>
> We were able to insert arbitrary characters, in this case the ASCII characters 1, 2, 3 (respectively) into the Destination Host parameter of the log file.
>
> This has been found after 3 days of running the beSTORM fuzzer at 600+ Sessions per Second while monitoring the ISA Server log file for problems.
>
> About ISA Server 2004
> ---------------------
> "Microsoft Internet Security and Acceleration (ISA) Server 2004 is the advanced stateful packet and application-layer inspection firewall, virtual private network (VPN), and Web cache solution that enables enterprise customers to easily maximize existing information technology (IT) investments by improving network security and performance."
>
> Product URL: http://www.microsoft.com/isaserver/default.mspx
>
> --
> beSIRT - Beyond Security's Incident Response Team
> beSIRT@xxxxxxxxxxxxxxxxxxx
>
> www.BeyondSecurity.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> --
> CPDE - Certified Petroleum Distribution Engineer
> CCBC - Certified Canadian Beer Consumer
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
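The advisory forwarded in this thread boils down to one thing: a client-controlled header value (the percent-encoded Host) ended up in the proxy log as raw control bytes, so whatever later parses that log (a SIEM, a reporting script, a terminal) sees characters the field should never contain. The example below is added here and is not code from ISA Server, Beyond Security, or anyone on this list. It shows the defender's two checks: validating a Host value against the hostname grammar before it is logged, and scanning existing log lines for a destination-host field that carries control characters, escaping them for safe display. The tab-separated log layout and the field position are constructed assumptions, not the real ISA log format.

```python
"""Detect control-character injection in a web-proxy log's destination-host
field. Added example; the log layout below is constructed and simplified."""
import re
from urllib.parse import unquote

# What a legitimate Host header may contain: RFC 1123 hostname labels joined
# by dots, an optional trailing dot, and an optional :port (IPv6 literals omitted).
HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?"
    r"(?::\d{1,5})?$"
)


def control_chars(value: str) -> list:
    """Return (index, code point) for every C0/C1 control character or DEL."""
    return [(i, ord(c)) for i, c in enumerate(value)
            if ord(c) < 0x20 or 0x7F <= ord(c) <= 0x9F]


def escape_for_log(value: str) -> str:
    """Render a field safely: backslash doubled, control characters as \\xNN."""
    out = []
    for c in value:
        o = ord(c)
        if c == "\\":
            out.append("\\\\")
        elif o < 0x20 or 0x7F <= o <= 0x9F:
            out.append(f"\\x{o:02x}")
        else:
            out.append(c)
    return "".join(out)


def check_host_field(raw: str) -> dict:
    """Validate a Host header value before it is written to a log.
    The advisory shows '%01%02%03%04' arriving in the log as control bytes,
    so the value is percent-decoded first (assumption: the logging path
    decodes before writing) and then held to the hostname grammar."""
    decoded = unquote(raw)
    ctrls = control_chars(decoded)
    ok = not ctrls and bool(HOST_RE.match(decoded))
    return {"ok": ok, "decoded": decoded,
            "escaped": escape_for_log(decoded), "control_chars": ctrls}


# Constructed sample log (tab-separated): client-ip, date, time, dest-host, uri.
DEST_HOST_FIELD = 3
SAMPLE_LOG = [
    "10.0.0.5\t2006-05-04\t09:22:01\twww.example.com\t/",
    "10.0.0.7\t2006-05-04\t09:22:02\t\x01\x02\x03\t/",
    "10.0.0.9\t2006-05-04\t09:22:03\tintranet\t/index.html",
]


def scan_log_lines(lines, field: int = DEST_HOST_FIELD) -> list:
    """Return (line_no, escaped_host, reasons) for every record whose
    destination-host field carries control characters or is not a hostname."""
    flagged = []
    for n, line in enumerate(lines, 1):
        parts = line.split("\t")
        if len(parts) <= field:
            flagged.append((n, escape_for_log(line), ["short record"]))
            continue
        host = parts[field]
        reasons = []
        ctrls = control_chars(host)
        if ctrls:
            reasons.append(f"control chars at {[i for i, _ in ctrls]}")
        if not HOST_RE.match(host):
            reasons.append("not a valid hostname")
        if reasons:
            flagged.append((n, escape_for_log(host), reasons))
    return flagged


if __name__ == "__main__":
    print(check_host_field("%01%02%03%04"))
    for item in scan_log_lines(SAMPLE_LOG):
        print(item)
```

Run stand-alone, the script rejects the advisory's Host value and flags only the second sample record, printing its host as `\x01\x02\x03` rather than emitting the raw bytes. The same escaping belongs in any report or console tool that renders log fields, since the point of this class of bug is that the log consumer, not the proxy, is what gets tricked.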