[NT] Cumulative Security Update for ISA Server 2000 (MS05-034)

Subject: [NT] Cumulative Security Update for ISA Server 2000 (MS05-034)
Date: 15 Jun 2005 15:29:01 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Cumulative Security Update for ISA Server 2000 (MS05-034)
------------------------------------------------------------------------


SUMMARY

ISA Server 2000 provides "an enterprise firewall and a high-performance 
Web cache. The firewall helps protect the network by regulating which 
resources can be accessed through the firewall, and under what conditions. 
The Web cache helps improve network performance by storing local copies of 
frequently-requested Web content. ISA Server can be installed in three 
modes: firewall mode, cache mode, and integrated mode. Firewall mode 
allows an administrator to secure network communication by configuring 
rules that control communication between the corporate network and the 
Internet. Cache mode improves network performance by storing 
frequently-accessed Web pages on the server. In integrated mode, all cache 
and firewall features are available".

Two security vulnerabilities have been discovered in ISA Server 2000: one 
allows remote attackers to poison the cache of the ISA Server, while the 
other allows remote attackers to initiate a NetBIOS connection with the 
ISA Server.

A vulnerability exists in ISA Server 2000 because of the way that it 
handles malformed HTTP requests. An attacker could exploit the 
vulnerability by constructing a malicious HTTP request that could 
potentially allow an attacker to poison the cache of the affected ISA 
server. As a result, the attacker could either bypass content restrictions 
and access content that they would normally not have access to or they 
could cause users to be directed to unexpected content. Additionally, an 
attacker could use this in combination with a separate Cross Site 
Scripting vulnerability to obtain sensitive information such as logon 
credentials.

An elevation of privilege vulnerability exists in ISA Server 2000 that 
allows an attacker who successfully exploited this vulnerability to create 
a NetBIOS connection with an ISA Server by utilizing the NetBIOS (all) 
predefined packet filter. The attacker would be limited to services that 
use the NetBIOS protocol running on the affected ISA Server.

DETAILS

Vulnerable Systems:
 * Microsoft Internet Security and Acceleration (ISA) Server 2000 Service 
Pack 2 (download the update: 
<http://www.microsoft.com/downloads/details.aspx?FamilyId=E579813B-0372-45BE-8070-3F4D7D4CB89C>)

Note: The following software programs include ISA Server 2000. Customers 
who use these software programs should install the provided ISA Server 
2000 security update.
 * Microsoft Small Business Server 2000
 * Microsoft Small Business Server 2003 Premium Edition

Immune Systems:
 * Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard 
Edition
 * Microsoft Internet Security and Acceleration (ISA) Server 2004 
Enterprise Edition

HTTP Content Header Vulnerability:
This is an elevation of privilege vulnerability. An attacker who 
successfully exploited this vulnerability could either bypass content 
restrictions and access content that they would normally not have access 
to or they could cause users to be directed to unexpected content. 
Additionally, an attacker could use this in conjunction with a separate 
Cross Site Scripting vulnerability to obtain sensitive information such as 
logon credentials.

Mitigating Factors for HTTP Content Header Vulnerability - CAN-2005-1215:
 * An attacker would only be able to poison the cache with existing 
content from the IP address or domain name of the targeted server.
 * Due to the way that caching works, an attacker would need to be able to 
submit a malicious request before a valid version of the page is cached 
via another method, either user or automatically invoked.
 * ISA Servers that are configured in Firewall Mode are not vulnerable to 
this issue.
 * Typical usage of Internet Explorer will not produce malformed HTTP 
requests.

How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a specially 
crafted HTTP request packet and sending the packet to an affected ISA 
Server.

What systems are primarily at risk from the vulnerability?
ISA Servers that are configured to cache Web requests or to publish Web 
servers.
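The bulletin does not say which malformation triggers the cache poisoning. The following check, an added example rather than anything from the bulletin or from ISA Server itself, shows the strict request-framing validation a caching proxy front end can apply before a request is ever keyed into the cache: requests whose framing is ambiguous (duplicate or conflicting Content-Length, Content-Length alongside Transfer-Encoding, malformed header lines, missing or duplicate Host) are rejected rather than cached. The sample requests are constructed for the example.

```python
"""Strict framing check for HTTP/1.x requests reaching a caching proxy.

Added example, not code from the MS05-034 bulletin or ISA Server.  A request
whose message framing is ambiguous must never be parsed into the cache,
because the proxy and the origin server may disagree on where it ends.
"""
import re
from typing import Dict, List

REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]$")
HEADER_NAME = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 token


def framing_problems(raw: bytes) -> List[str]:
    """Return the framing defects found in a raw request head.

    An empty list means the request is unambiguous enough to be cached.
    """
    problems: List[str] = []
    head = raw.split(b"\r\n\r\n", 1)[0].rstrip(b"\r\n")
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0].decode("latin-1", "replace")):
        problems.append("malformed request line")
    headers: Dict[str, List[str]] = {}  # lowercased name -> all values seen
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        name_s = name.decode("latin-1", "replace")
        # No colon, whitespace before the colon, or obs-fold continuation:
        # all are rejected outright instead of being "repaired".
        if not sep or not HEADER_NAME.match(name_s):
            problems.append("malformed header line: %r" % line[:40])
            continue
        headers.setdefault(name_s.lower(), []).append(
            value.decode("latin-1", "replace").strip())
    cl = headers.get("content-length", [])
    if len(cl) > 1:
        problems.append("conflicting Content-Length" if len(set(cl)) > 1
                        else "duplicate Content-Length")
    if any(not v.isdigit() for v in cl):
        problems.append("non-numeric Content-Length")
    if cl and "transfer-encoding" in headers:
        problems.append("Content-Length together with Transfer-Encoding")
    if len(headers.get("host", [])) != 1:
        problems.append("missing or duplicate Host")
    return problems


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
CONFLICTING_CL = (b"POST /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Content-Length: 10\r\nContent-Length: 20\r\n\r\n")

if __name__ == "__main__":
    for req in (GOOD_REQUEST, CONFLICTING_CL):
        print(req.split(b"\r\n")[0], framing_problems(req) or "cacheable")
```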


NetBIOS Predefined Filter:
This is an elevation of privilege vulnerability. An attacker who 
successfully exploited this vulnerability could connect to services 
utilizing the NetBIOS protocol on the affected ISA Server.

Mitigating Factors for NetBIOS Predefined Filter Vulnerability - 
CAN-2005-1216:
An ISA administrator would have to enable the NetBIOS (all) predefined 
packet filter to allow access to local services that use the NetBIOS 
protocol.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could connect to 
services on the ISA Server that use the NetBIOS protocol. However, these 
connection attempts are subject to the typical security checks that are 
employed by the respective services.

Who could exploit the vulnerability?
On ISA Server 2000, any anonymous user who could create a NetBIOS 
connection to the affected ISA Server could try to exploit this 
vulnerability.

How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a NetBIOS 
connection with an ISA Server that uses the NetBIOS (all) predefined 
packet filter. The attacker would be limited to services that use the 
NetBIOS protocol running on the affected ISA Server.

What systems are primarily at risk from the vulnerability?
ISA Servers that have been configured to allow inbound NetBIOS traffic by 
using the NetBIOS (all) predefined packet filter are primarily at risk 
from this vulnerability.

CVE Information:
 * CAN-2005-1215: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1215>
 * CAN-2005-1216: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1216>


ADDITIONAL INFORMATION

The information has been provided by Microsoft Security.
The original article can be found at: 
<http://www.microsoft.com/technet/security/Bulletin/MS05-034.mspx>


