<<< Date Index >>>     <<< Thread Index >>>

Re: ISA Server 2004 Log Manipulation



On Friday 05 May 2006 09:16, Steven M. Christey wrote:
> >There is a Log Manipulation vulnerability in Microsoft ISA Server
> >2004, which when exploited will enable a malicious user to manipulate
> >the Destination Host parameter of the log file.
>
> ...
>
> >We were able to insert arbitrary characters, in this case the ASCII
> >characters 1, 2, 3 (respectively) into the Destination Host parameter
> >of the log file.

Just to clarify - these are the ASCII *values* 1,2,3 (or: 0x01, 0x02, 0x03). 
You can potentially insert any ASCII value you want using character encoding.

>
> I'm curious about why you regard this as security-relevant.  I do not
> know what you mean by "log manipulation".
>
You can insert the 'tab' value and possibly break 3rd party log analyzers. 
Other interesting characters may be the EOF or EOD value, a "<" character for 
CSS, and whatever else your heart desires. 

As for the attack vectors, we think there's a lot you can do with being able 
to inject practically arbitrary characters into a corporate firewall's logs, 
but it's not our job to judge the severity of the problem, every ISA server 
user should know if this is relevant for them.

>
> - Steve

--
beSIRT - Beyond Security's Incident Response Team
beSIRT@xxxxxxxxxxxxxxxxxxx

www.BeyondSecurity.com