Re: ISA Server 2004 Log Manipulation

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: ISA Server 2004 Log Manipulation
From: Shaun Colley <shaun@xxxxxxxxxxxxxxx>
Date: Sat, 06 May 2006 01:00:59 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.12) Gecko/20051013

Hey,

>I'm curious about why you regard this as security-relevant. I do not
>know what you mean by "log manipulation".

One possible attack vector would be to inject terminal emulator escapesequences into the log file to leverage attacks against vulnerableterminal emulator software. Let's say an admin has SSH'd into his ISAserver remotely, and is using a terminal emulator program like eterm orrxvt. He may then 'more' or 'type' the log file to stdout, causing histerminal emulator to interpret and act upon the escape sequences found.The results of this could be pretty nasty, depending on the termemulator being used, including arbitrary file creation and worse. H. D.Moore wrote a nice summary about some issues in popular terminalemulator software a while ago.


http://archives.neohapsis.com/archives/vulnwatch/2003-q1/att-0093/01-Termulation.txt

Obviously, these possibilities are not directly attributable to ISAserver itself, but to the terminal emulator programs. However, Isuppose many people would expect log files to be trusted and safe, sothis could just provide a possible means for leveraging attacks againstalready known bugs.


Cheers,
Shaun

Prev by Date: Firefox 1.5.0.3 code execution exploit
Next by Date: Idle scan rediscovered!!!
Previous by thread: Re: ISA Server 2004 Log Manipulation
Next by thread: Re: ISA Server 2004 Log Manipulation
Index(es):
- Date
- Thread