[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ISA Server 2004 Log Manipulation

To: beSIRT <beSIRT@xxxxxxxxxxxxxxxxxx>, "Steven M. Christey" <coley@xxxxxxxxx>, Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: ISA Server 2004 Log Manipulation
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
Date: Sat, 06 May 2006 12:34:46 -0700

Can you provide some more information, please?  Where in relation to the
server did you perform the GET request?  As an internal proxy or firewall
client or an external client?

If from the outside, what publishing rules are you using?  The only way you
could issue this request from the outside is if you either have server or
web publishing rules in place for HTTP.

In either case, I cannot reproduce this at all:  internal clients issuing
this request to the web proxy listener fail, and with no "arbitrary"
characters in the logs- just a "/" in the URI and an ACTION of "failed" just
as it is supposed to do.  External clients attempting this fail with a 403
(URL denied), again with no "arbitrary" characters in the log- the failed
attempt is of course logged the way it is supposed to be, but no garbage is
present.  

Did you turn off the HTTP filter that is on by default for all HTTP traffic
(inbound and outbound)?  Did you create some "special" firewall rules for
this to happen?  Can you post an ISAINFO dump so that anyone concerned with
this "log file manipulation vulnerability" can see exactly what your
configuration is?  

In my opinion, the responsible thing to do would be to provide full details
on your configuration with reproducible steps - particularly when you use
words like "inject arbitrary data" and "log file manipulation."

t

On 5/5/06 1:22 AM, "beSIRT" <beSIRT@xxxxxxxxxxxxxxxxxx> spoketh to all:

> On Friday 05 May 2006 09:16, Steven M. Christey wrote:
>>> There is a Log Manipulation vulnerability in Microsoft ISA Server
>>> 2004, which when exploited will enable a malicious user to manipulate
>>> the Destination Host parameter of the log file.
>> 
>> ...
>> 
>>> We were able to insert arbitrary characters, in this case the ASCII
>>> characters 1, 2, 3 (respectively) into the Destination Host parameter
>>> of the log file.
> 
> Just to clarify - these are the ASCII *values* 1,2,3 (or: 0x01, 0x02, 0x03).
> You can potentially insert any ASCII value you want using character encoding.
> 
>> 
>> I'm curious about why you regard this as security-relevant.  I do not
>> know what you mean by "log manipulation".
>> 
> You can insert the 'tab' value and possibly break 3rd party log analyzers.
> Other interesting characters may be the EOF or EOD value, a "<" character for
> CSS, and whatever else your heart desires.
> 
> As for the attack vectors, we think there's a lot you can do with being able
> to inject practically arbitrary characters into a corporate firewall's logs,
> but it's not our job to judge the severity of the problem, every ISA server
> user should know if this is relevant for them.
> 
>> 
>> - Steve
> 
> --
> beSIRT - Beyond Security's Incident Response Team
> beSIRT@xxxxxxxxxxxxxxxxxxx
> 
> www.BeyondSecurity.com
> 
> 
>

References:
- Re: ISA Server 2004 Log Manipulation
  - From: beSIRT

Prev by Date: Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw
Next by Date: X-POLL admin By-Pass
Previous by thread: Re: ISA Server 2004 Log Manipulation
Next by thread: Re: ISA Server 2004 Log Manipulation
Index(es):
- Date
- Thread