BugTraq
Re: ISA Server 2004 Log Manipulation May 05 2006 06:16AM
Steven M. Christey (coley mitre org) (1 replies)

>There is a Log Manipulation vulnerability in Microsoft ISA Server
>2004, which when exploited will enable a malicious user to manipulate
>the Destination Host parameter of the log file.
...
>We were able to insert arbitrary characters, in this case the ASCII
>characters 1, 2, 3 (respectively) into the Destination Host parameter
>of the log file.

I'm curious about why you regard this as security-relevant. I do not
know what you mean by "log manipulation".

Certainly the Host header is unusual in the sense that it is not an
expected format or syntax, although if I recall correctly, it's not
required in HTTP/1.0, which is the format of your request. Does it
violate the syntactic requirements as dictated by the associated RFCs?
Is the Host field expected to be consistent with some set of valid
Host values, e.g. some set of supported virtual hosts? Is it used as
part of the filename of the log file? Do these specific characters
cause some parsing error that prevents other log entries from being
accessed or causes them to be desynchronized (e.g. if they are field
or record separator characters in the log file)? Do these characters
cause a GUI obfuscation problem in which data is not properly rendered in a
window? Do the characters have special meaning if the log file is
viewed by external tools such as "more" or Notepad, which would not be
under the control of ISA (and thus arguably not a vulnerability in ISA
itself)? Was encoded CRLF injection tried but not successful?

Or is there some other reason?

- Steve

Re: ISA Server 2004 Log Manipulation May 05 2006 08:22AM
beSIRT (beSIRT beyondsecurity com) (1 replies)
Re: ISA Server 2004 Log Manipulation May 06 2006 07:34PM
Thor (Hammer of God) (thor hammerofgod com)
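
The separator and CRLF questions in Steven Christey's reply above can be checked mechanically. The following is an added example, not part of the original thread and not ISA Server's code; it assumes a hypothetical tab-delimited, newline-terminated log format, and every function name and sample Host value in it is constructed for illustration.

```python
import re

# Assumption: one record per line, fields separated by tabs. The thread does
# not describe ISA Server's actual log format.
FIELD_SEP, RECORD_SEP = "\t", "\n"

# Loose approximation of the Host syntax (host, optional ":port").
HOST_RE = re.compile(r"(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?")

def host_is_wellformed(host):
    return HOST_RE.fullmatch(host) is not None

def neutralize(value):
    """Escape backslash, control characters and DEL so a logged value
    can never contain a field or record separator."""
    return "".join(
        "\\x%02x" % ord(ch) if ch == "\\" or ord(ch) < 0x20 or ord(ch) == 0x7F else ch
        for ch in value
    )

def write_record(fields, safe=True):
    if safe:
        fields = [neutralize(f) for f in fields]
    return FIELD_SEP.join(fields) + RECORD_SEP

def parse_log(text):
    return [line.split(FIELD_SEP) for line in text.split(RECORD_SEP) if line]

# Constructed sample Host header values.
SAMPLES = {
    "normal": "www.example.com",
    "ctrl_123": "\x01\x02\x03",   # the ASCII characters 1, 2, 3 from the report
    "tab": "a\tb",                # contains the assumed field separator
    "crlf": "a\r\nb",             # contains the assumed record separator
}

def classify(host):
    """Compare what a log parser sees with and without neutralization."""
    fields = ["10.0.0.5", "GET", host, "200"]  # constructed client/method/status
    raw = parse_log(write_record(fields, safe=False))
    safe = parse_log(write_record(fields, safe=True))
    return {
        "wellformed": host_is_wellformed(host),
        "raw_records": len(raw), "raw_fields": len(raw[0]),
        "safe_records": len(safe), "safe_fields": len(safe[0]),
    }

if __name__ == "__main__":
    for name, host in SAMPLES.items():
        print(name, classify(host))
```

Under this assumed format, the characters 1, 2, 3 are malformed as a Host value but leave the record count and field count unchanged; only values containing the format's own separators desynchronize the log.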


 
