
Re: ISA Server 2004 Log Manipulation



Hey,

>I'm curious about why you regard this as security-relevant. I do not
>know what you mean by "log manipulation".

One possible attack vector would be to inject terminal emulator escape sequences into the log file to leverage attacks against vulnerable terminal emulator software. Let's say an admin has SSH'd into his ISA server remotely, and is using a terminal emulator program like eterm or rxvt. He may then 'more' or 'type' the log file to stdout, causing his terminal emulator to interpret and act upon the escape sequences found. The results of this could be pretty nasty, depending on the term emulator being used, including arbitrary file creation and worse. H. D. Moore wrote a nice summary about some issues in popular terminal emulator software a while ago.

http://archives.neohapsis.com/archives/vulnwatch/2003-q1/att-0093/01-Termulation.txt

Obviously, these possibilities are not directly attributable to ISA server itself, but to the terminal emulator programs. However, I suppose many people would expect log files to be trusted and safe, so this could just provide a possible means for leveraging attacks against already known bugs.

Cheers,
Shaun
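
A defensive counterpart to the scenario above, as an added example that is not part of the original post: instead of sending a log straight to the terminal with 'more' or 'type', scan it for control bytes and display them in escaped form. The sample log lines, the function names and the assumption that the log is UTF-8 text are constructed for illustration.

```python
def _is_unsafe(ch: str) -> bool:
    """True for characters a terminal may act on instead of displaying."""
    cp = ord(ch)
    return (
        (cp < 0x20 and ch != "\t")   # C0 controls, including ESC (0x1b)
        or 0x7F <= cp <= 0x9F        # DEL and C1 controls (0x9b is 8-bit CSI)
        or 0xDC80 <= cp <= 0xDCFF    # undecodable raw bytes (surrogateescape)
    )

def render_safe(text: str) -> str:
    """Return text with unsafe characters shown as visible \\xNN escapes."""
    out = []
    for ch in text:
        if ch == "\\":
            out.append("\\\\")       # keep real backslashes unambiguous
        elif _is_unsafe(ch):
            cp = ord(ch)
            byte = cp - 0xDC00 if cp >= 0xDC80 else cp
            out.append(f"\\x{byte:02x}")
        else:
            out.append(ch)
    return "".join(out)

def scan_log(raw: bytes):
    """Return (line number, offsets of unsafe chars, safe rendering) per hit."""
    findings = []
    for lineno, line in enumerate(raw.split(b"\n"), 1):
        # surrogateescape keeps invalid bytes so they can be flagged, not lost
        text = line.rstrip(b"\r").decode("utf-8", errors="surrogateescape")
        hits = [i for i, ch in enumerate(text) if _is_unsafe(ch)]
        if hits:
            findings.append((lineno, hits, render_safe(text)))
    return findings

# Constructed sample: one clean line, one with a 7-bit escape sequence in the
# requested path, one with a raw 8-bit control byte.
SAMPLE = (
    b"2004-01-01 10:00:00 GET /index.html 200\n"
    b"2004-01-01 10:00:05 GET /a\x1b[31mb 404\n"
    b"2004-01-01 10:00:09 GET /c\x9b0md 404\r\n"
)

if __name__ == "__main__":
    for lineno, hits, safe in scan_log(SAMPLE):
        print(f"line {lineno}: control bytes at {hits}: {safe}")
```

The escaped rendering is what should reach the screen or a ticket; the raw file stays untouched as evidence.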