On Friday 05 May 2006 09:16, Steven M. Christey wrote:
> >There is a Log Manipulation vulnerability in Microsoft ISA Server
> >2004, which when exploited will enable a malicious user to manipulate
> >the Destination Host parameter of the log file.
>
> ...
>
> >We were able to insert arbitrary characters, in this case the ASCII
> >characters 1, 2, 3 (respectively) into the Destination Host parameter
> >of the log file.
Just to clarify - these are the ASCII *values* 1,2,3 (or: 0x01, 0x02, 0x03).
You can potentially insert any ASCII value you want using character encoding.
>
> I'm curious about why you regard this as security-relevant. I do not
> know what you mean by "log manipulation".
>
You can insert the 'tab' value and possibly break 3rd party log analyzers.
Other interesting characters may be the EOF or EOD value, a "<" character for
CSS, and whatever else your heart desires.
As for the attack vectors, we think there's a lot you can do with being able
to inject practically arbitrary characters into a corporate firewall's logs,
but it's not our job to judge the severity of the problem, every ISA server
user should know if this is relevant for them.
> >There is a Log Manipulation vulnerability in Microsoft ISA Server
> >2004, which when exploited will enable a malicious user to manipulate
> >the Destination Host parameter of the log file.
>
> ...
>
> >We were able to insert arbitrary characters, in this case the ASCII
> >characters 1, 2, 3 (respectively) into the Destination Host parameter
> >of the log file.
Just to clarify - these are the ASCII *values* 1,2,3 (or: 0x01, 0x02, 0x03).
You can potentially insert any ASCII value you want using character encoding.
>
> I'm curious about why you regard this as security-relevant. I do not
> know what you mean by "log manipulation".
>
You can insert the 'tab' value and possibly break 3rd party log analyzers.
Other interesting characters may be the EOF or EOD value, a "<" character for
CSS, and whatever else your heart desires.
As for the attack vectors, we think there's a lot you can do with being able
to inject practically arbitrary characters into a corporate firewall's logs,
but it's not our job to judge the severity of the problem, every ISA server
user should know if this is relevant for them.
>
> - Steve
--
beSIRT - Beyond Security's Incident Response Team
beSIRT (at) beyondsecurity (dot) com. [email concealed]
www.BeyondSecurity.com
[ reply ]