On Friday 05 May 2006 09:16, Steven M. Christey wrote:
> >There is a Log Manipulation vulnerability in Microsoft ISA Server
> >2004, which when exploited will enable a malicious user to manipulate
> >the Destination Host parameter of the log file.
>
> ...
>
> >We were able to insert arbitrary characters, in this case the ASCII
> >characters 1, 2, 3 (respectively) into the Destination Host parameter
> >of the log file.

Just to clarify - these are the ASCII *values* 1,2,3 (or: 0x01, 0x02, 0x03). You can potentially insert any ASCII value you want using character encoding.

>
> I'm curious about why you regard this as security-relevant. I do not
> know what you mean by "log manipulation".
>

You can insert the 'tab' value and possibly break 3rd party log analyzers. Other interesting characters may be the EOF or EOD value, a "<" character for CSS, and whatever else your heart desires.

As for the attack vectors, we think there's a lot you can do with being able to inject practically arbitrary characters into a corporate firewall's logs, but it's not our job to judge the severity of the problem, every ISA server user should know if this is relevant for them.

>
> - Steve

--
beSIRT - Beyond Security's Incident Response Team
beSIRT@xxxxxxxxxxxxxxxxxxx
www.BeyondSecurity.com
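
The following is an added example, not part of the original message or of any vendor's code. It shows how a log consumer can flag records whose destination-host field carries control characters or an extra tab, and how a log writer can escape such bytes before they reach the file. The three-field tab-delimited layout, the field names and the sample records are constructed for illustration and are not ISA Server's actual log schema.

```python
import re

# Constructed, simplified tab-delimited record layout (an assumption for this
# example, not ISA Server's actual log schema).
FIELDS = ("client_ip", "dest_host", "status")

# Conservative hostname grammar: letters, digits, hyphens and dots only.
HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def is_control(ch):
    """True for ASCII control characters (0x00-0x1f and 0x7f)."""
    return ord(ch) < 0x20 or ord(ch) == 0x7F


def escape_field(value):
    """Writer side: render control characters, '<', '>' and '\\' as \\xNN."""
    return "".join(
        "\\x%02x" % ord(ch) if is_control(ch) or ch in "<>\\" else ch
        for ch in value
    )


def audit_line(line):
    """Reader side: list the reasons a raw record should not be trusted."""
    record = line.rstrip("\r\n")
    parts = record.split("\t")
    findings = []
    if len(parts) != len(FIELDS):
        findings.append("field_count=%d" % len(parts))
    for ch in sorted(set(record)):
        if is_control(ch) and ch != "\t":
            findings.append("control_char=0x%02x" % ord(ch))
    if len(parts) == len(FIELDS) and not HOST_RE.fullmatch(parts[1]):
        findings.append("bad_host")
    return findings


# Constructed sample records.
SAMPLES = [
    "10.0.0.5\twww.example.com\t200",
    "10.0.0.5\twww\x01\x02\x03.example.com\t200",
    "10.0.0.5\twww.example.com\tinjected\t200",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(repr(raw), "->", audit_line(raw) or "ok")
    print(escape_field("www\x01\t<x>"))
```

Records that fail the audit are better quarantined than repaired, because once a stray tab has shifted the columns the original field boundaries cannot be recovered from the line alone.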