Date: Thu May 4 20:39:30 2006
From: ragdelaed at gmail.com (ragdelaed)
Subject: ISA Server 2004 Log Manipulation

3 days at 600 per second non stop = 86400 sec/day * 600 = 51 840 000 attempts.

after 51.8 million tries, the product was able to inject the numbers 1,2,3 into a parameter into a log that many see as non-critical. and it looks like you tried 1,2,3,4 but it only did 1,2,3.

c'mon. log manipulation should mean more than that, shouldn't it? hmmmm.

beSIRT wrote:
> Discovered by: Noam Rathaus using the beSTORM fuzzer.
> Reported to vendor: December, 2005.
> Vendor response: Microsoft does not consider this issue to be a security
> vulnerability.
>
> Public release date: 4th of May, 2006.
> Advisory URL:
> http://www.beyondsecurity.com/besirt/advisories/042006-001-ISA-LM.txt
>
> Introduction
> ------------
> There is a Log Manipulation vulnerability in Microsoft ISA Server 2004, which
> when exploited will enable a malicious user to manipulate the Destination
> Host parameter of the log file.
>
> Technical Details
> -----------------
> By sending the following request to the server:
> GET / HTTP/1.0
> Host: %01%02%03%04
> Transfer-Encoding: whatever
>
> We were able to insert arbitrary characters, in this case the ASCII characters
> 1, 2, 3 (respectively) into the Destination Host parameter of the log file.
>
> This has been found after 3 days of running the beSTORM fuzzer at 600+
> Sessions per Second while monitoring the ISA Server log file for problems.
>
> About ISA Server 2004
> ---------------------
> "Microsoft Internet Security and Acceleration (ISA) Server 2004 is the
> advanced stateful packet and application-layer inspection firewall, virtual
> private network (VPN), and Web cache solution that enables enterprise
> customers to easily maximize existing information technology (IT) investments
> by improving network security and performance."
>
> Product URL: http://www.microsoft.com/isaserver/default.mspx
>
> --
> beSIRT - Beyond Security's Incident Response Team
> beSIRT@...ondsecurity.com.
>
> www.BeyondSecurity.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
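
Added example, not part of the original post or of the beSIRT advisory: a Python sketch of how a proxy or log pipeline could treat the Host value from the quoted request, by percent-decoding it, rejecting it when it is not a well-formed host, and escaping control bytes before the value is written to a Destination Host log field. The function names and the simplified host pattern are assumptions of this example and do not describe ISA Server's own behaviour.

```python
import re
from urllib.parse import unquote_to_bytes

# Simplified host syntax (assumption of this example): DNS name or
# bracketed IPv6 literal, with an optional port.
_LABEL = rb"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(
    rb"(?:" + _LABEL + rb"(?:\." + _LABEL + rb")*|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?"
)


def control_bytes(raw_host: str) -> list[int]:
    """Control bytes (0x00-0x1f, 0x7f) present after percent-decoding."""
    return [b for b in unquote_to_bytes(raw_host) if b < 0x20 or b == 0x7F]


def host_is_valid(raw_host: str) -> bool:
    """True only if the decoded value is entirely a well-formed host[:port]."""
    return _HOST_RE.fullmatch(unquote_to_bytes(raw_host)) is not None


def log_safe(raw_host: str) -> str:
    """Render the field for a log line: printable ASCII is kept, every other
    byte (and the backslash itself) is written as \\xNN so the entry stays
    unambiguous and cannot carry raw control characters."""
    out = []
    for b in unquote_to_bytes(raw_host):
        if 0x20 <= b < 0x7F and b != 0x5C:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def triage(raw_host: str) -> dict:
    """Decision record for one request's Host header."""
    return {
        "accept": host_is_valid(raw_host),
        "control_bytes": control_bytes(raw_host),
        "logged_as": log_safe(raw_host),
    }


if __name__ == "__main__":
    # First value is the Host header from the quoted advisory; the others are constructed.
    for sample in ["%01%02%03%04", "www.example.com:8080", "www.example.com%09x"]:
        print(triage(sample))
```

Escaping at write time keeps the rejected value available for review in the log without letting the raw bytes reach the file.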