[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ISA Server 2004 Log Manipulation

To: "Steven M. Christey" <coley@xxxxxxxxx>
Subject: Re: ISA Server 2004 Log Manipulation
From: beSIRT <beSIRT@xxxxxxxxxxxxxxxxxx>
Date: Fri, 5 May 2006 11:22:16 +0300

On Friday 05 May 2006 09:16, Steven M. Christey wrote:
> >There is a Log Manipulation vulnerability in Microsoft ISA Server
> >2004, which when exploited will enable a malicious user to manipulate
> >the Destination Host parameter of the log file.
>
> ...
>
> >We were able to insert arbitrary characters, in this case the ASCII
> >characters 1, 2, 3 (respectively) into the Destination Host parameter
> >of the log file.

Just to clarify - these are the ASCII *values* 1,2,3 (or: 0x01, 0x02, 0x03). 
You can potentially insert any ASCII value you want using character encoding.

>
> I'm curious about why you regard this as security-relevant.  I do not
> know what you mean by "log manipulation".
>
You can insert the 'tab' value and possibly break 3rd party log analyzers. 
Other interesting characters may be the EOF or EOD value, a "<" character for 
CSS, and whatever else your heart desires. 

As for the attack vectors, we think there's a lot you can do with being able 
to inject practically arbitrary characters into a corporate firewall's logs, 
but it's not our job to judge the severity of the problem, every ISA server 
user should know if this is relevant for them.

>
> - Steve

--
beSIRT - Beyond Security's Incident Response Team
beSIRT@xxxxxxxxxxxxxxxxxxx

www.BeyondSecurity.com

Follow-Ups:
- Re: ISA Server 2004 Log Manipulation
  - From: Thor (Hammer of God)

References:
- Re: ISA Server 2004 Log Manipulation
  - From: Steven M. Christey

Prev by Date: SaPHPLesson 3.0 Multbugs
Next by Date: Invision Community Blog .. Bugs
Previous by thread: Re: ISA Server 2004 Log Manipulation
Next by thread: Re: ISA Server 2004 Log Manipulation
Index(es):
- Date
- Thread