BugTraq
Re: ISA Server 2004 Log Manipulation May 06 2006 12:00AM
Shaun Colley (shaun ngssoftware com)
Hey,

>I'm curious about why you regard this as security-relevant. I do not
>know what you mean by "log manipulation".

One possible attack vector would be to inject terminal emulator escape
sequences into the log file to leverage attacks against vulnerable
terminal emulator software. Let's say an admin has SSH'd into his ISA
server remotely, and is using a terminal emulator program like eterm or
rxvt. He may then 'more' or 'type' the log file to stdout, causing his
terminal emulator to interpret and act upon the escape sequences found.
The results of this could be pretty nasty, depending on the term
emulator being used, including arbitrary file creation and worse. H. D.
Moore wrote a nice summary about some issues in popular terminal
emulator software a while ago.

http://archives.neohapsis.com/archives/vulnwatch/2003-q1/att-0093/01-Termulation.txt

Obviously, these possibilities are not directly attributable to ISA
server itself, but to the terminal emulator programs. However, I
suppose many people would expect log files to be trusted and safe, so
this could just provide a possible means for leveraging attacks against
already known bugs.

Cheers,
Shaun
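
A defensive check for the scenario described in the message above, as an added example that is not part of the original post: it scans raw log lines for terminal control sequences and rewrites them as visible text before anything reaches the terminal. The function names and the sample log lines are constructed for illustration.

```python
import re

# Terminal control sequences (ECMA-48 / xterm conventions), most specific first.
_SEQ = re.compile(
    r"(?P<OSC>\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?)"  # OSC: window title and similar strings
    r"|(?P<CSI>\x1b\[[0-?]*[ -/]*[@-~]?)"           # CSI: cursor movement, colours, reports
    r"|(?P<ESC>\x1b[ -/]*[0-~]?)"                   # any other ESC-introduced sequence
    r"|(?P<C1>[\x80-\x9f])"                         # 8-bit C1 controls (U+0080..U+009F)
    r"|(?P<C0>[\x00-\x08\x0b-\x1f\x7f])"            # C0 controls and DEL, except TAB and LF
)

def visible(text):
    """Rewrite control characters as literal \\xNN text that a terminal only prints."""
    def show(c):
        n = ord(c)
        return f"\\x{n:02x}" if (n < 0x20 and c not in "\t\n") or 0x7f <= n <= 0x9f else c
    return "".join(show(c) for c in text)

def scan_line(raw):
    """Return (safe_text, findings) for one raw log line (bytes).

    findings is a list of (offset, kind, sequence rendered visibly).
    Bytes that are not valid UTF-8 are already shown as \\xNN by the decoder.
    """
    text = raw.decode("utf-8", errors="backslashreplace").rstrip("\r\n")
    findings = [(m.start(), m.lastgroup, visible(m.group())) for m in _SEQ.finditer(text)]
    return visible(text), findings

# Constructed sample log lines (not taken from a real ISA Server log).
SAMPLE_LOG = [
    b'10.0.0.5 GET /index.html 200 "Mozilla/5.0"\r\n',
    b'10.0.0.9 GET /a 404 "agent\x1b[2J\x1b[31m"\r\n',       # clear screen + colour
    b'10.0.0.9 GET /b 404 "x\x1b]0;window title\x07y"\r\n',  # set window title
    b'10.0.0.7 GET /caf\xc3\xa9 200 "ok"\r\n',               # legitimate UTF-8
]

if __name__ == "__main__":
    for number, raw in enumerate(SAMPLE_LOG, 1):
        safe, findings = scan_line(raw)
        print(f"{number}: {safe}")
        for offset, kind, seq in findings:
            print(f"   ! {kind} sequence at offset {offset}: {seq}")
```
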
