[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 5 May 2006 11:22:16 +0300
From: beSIRT <beSIRT@...ondsecurity.com>
To: "Steven M. Christey" <coley@...re.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: ISA Server 2004 Log Manipulation
On Friday 05 May 2006 09:16, Steven M. Christey wrote:
> >There is a Log Manipulation vulnerability in Microsoft ISA Server
> >2004, which when exploited will enable a malicious user to manipulate
> >the Destination Host parameter of the log file.
>
> ...
>
> >We were able to insert arbitrary characters, in this case the ASCII
> >characters 1, 2, 3 (respectively) into the Destination Host parameter
> >of the log file.
Just to clarify - these are the ASCII *values* 1,2,3 (or: 0x01, 0x02, 0x03).
You can potentially insert any ASCII value you want using character encoding.
>
> I'm curious about why you regard this as security-relevant. I do not
> know what you mean by "log manipulation".
>
You can insert the 'tab' value and possibly break 3rd party log analyzers.
Other interesting characters may be the EOF or EOD value, a "<" character for
CSS, and whatever else your heart desires.
As for the attack vectors, we think there's a lot you can do with being able
to inject practically arbitrary characters into a corporate firewall's logs,
but it's not our job to judge the severity of the problem, every ISA server
user should know if this is relevant for them.
>
> - Steve
--
beSIRT - Beyond Security's Incident Response Team
beSIRT@...ondsecurity.com.
www.BeyondSecurity.com
Powered by blists - more mailing lists