From: Peter Gründl (peter.grundl@DEFCOM.COM)
Date: Mon Apr 02 2001 - 05:28:22 CDT


    ======================================================================
                      Defcom Labs Advisory def-2001-16

                  Internet & Acceleration Server Event DoS

    Authors: Peter Gründl <peter.grundl@defcom.com>
      Andreas Sandor <andreas.sandor@defcom.com>
    Release Date: 2001-04-02
    ======================================================================
    ------------------------=[Brief Description]=-------------------------
    If an alert action has been chosen in the ISA server console, a
    malicious attacker can cause a Denial of Service situation on the ISA
    server.

    ------------------------=[Affected Systems]=--------------------------
    - Internet & Acceleration Server for Windows 2000 Server

    ----------------------=[Detailed Description]=------------------------
    By default, Windows 2000 Server does not configure its event logs to
    overwrite entries as needed, and since installing ISA Server does not
    change these settings, an ISA server inherits the same behaviour. Once
    the event log is full, enabling the "Event Log Failure" option in the
    ISA console lets an attacker send any kind of spoofed packets that
    generate event log entries: each write to the full log fails, and the
    ISA server spawns a CMD.EXE for every such failure. The result is a
    server that runs very slowly and consumes all available memory.

    This continues even after the ISA server is rebooted, until the event
    log is cleared.

    We used ISIC to create a flood of spoofed, random packets:
    http://www.packetfactory.net/Projects/ISIC/

    Whether you chalk this one up as a security vulnerability or not, it
    is still a potential problem that should be given attention if you
    set up an "Internet Security and Acceleration" Server.

    ---------------------------=[Workaround]=-----------------------------
    Make sure your log file is either overwritten as needed or that you
    have the "event log failure" option disabled in the ISA firewall.

    The issue is now described in Q284800 by MSRC:
    http://support.microsoft.com/support/kb/articles/q284/8/00.ASP
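    The workaround above amounts to two checks an administrator can
    automate: that the event logs are set to overwrite as needed (so the
    "log full" condition that fires the alert action cannot arise) and
    that no cmd.exe spawn storm is already under way. The PowerShell
    script below is an added example, not part of the advisory or of
    Microsoft's tooling; it assumes a modern Windows host (PowerShell 3.0+
    for Get-CimInstance), an elevated session when -Fix is used, and an
    arbitrary threshold of 10 cmd.exe processes as the sign of a storm.

```powershell
# Added example (not from the advisory or from Microsoft): audit the event
# logs for the "do not overwrite" retention the advisory warns about and
# look for a cmd.exe spawn storm already in progress.
# Assumptions: PowerShell 3.0+ (Get-WinEvent, Limit-EventLog, Get-CimInstance);
# run elevated when using -Fix; the storm threshold is an assumed value.
param(
    [switch]$Fix,            # set classic logs to overwrite as needed
    [int]$CmdThreshold = 10  # cmd.exe count treated as a storm (assumed)
)

$logs = 'Application', 'System', 'Security'

# 1. Retention policy. LogMode 'Circular' is the "overwrite as needed"
#    setting; 'Retain' (do not overwrite) lets the log fill up, which is
#    the condition that fires the ISA "Event Log Failure" alert action.
foreach ($cfg in Get-WinEvent -ListLog $logs) {
    $pct = if ($cfg.MaximumSizeInBytes -gt 0) {
        [math]::Round(100 * $cfg.FileSize / $cfg.MaximumSizeInBytes) } else { 0 }
    $status = if ($cfg.LogMode -eq 'Circular') { 'OK' } else { 'RISK' }
    if ($cfg.IsLogFull) { $status = 'FULL' }
    "{0,-5} {1,-12} mode={2,-10} {3,3}% of {4} KB" -f $status, $cfg.LogName,
        $cfg.LogMode, $pct, [int]($cfg.MaximumSizeInBytes / 1KB)
    if ($Fix -and $cfg.LogMode -ne 'Circular') {
        # Limit-EventLog changes the classic log's overflow action in place.
        Limit-EventLog -LogName $cfg.LogName -OverflowAction OverwriteAsNeeded
        "      -> $($cfg.LogName) set to OverwriteAsNeeded"
    }
}

# 2. Spawn storm. The advisory describes one cmd.exe per log failure; many
#    cmd.exe children hanging off a single parent is the signature to look for.
$cmds = @(Get-CimInstance Win32_Process -Filter "Name = 'cmd.exe'")
if ($cmds.Count -ge $CmdThreshold) {
    "ALERT: $($cmds.Count) cmd.exe processes running (threshold $CmdThreshold)"
    $cmds | Group-Object ParentProcessId | Sort-Object Count -Descending |
        Select-Object -First 3 | ForEach-Object {
            $parent = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
            "  parent PID {0} ({1}): {2} children" -f $_.Name,
                $(if ($parent) { $parent.ProcessName } else { 'exited' }), $_.Count
        }
} else {
    "cmd.exe count: $($cmds.Count) (below threshold)"
}
```

    Run it without switches to report; add -Fix to switch any non-circular
    classic log to OverwriteAsNeeded.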

    -------------------------=[Vendor Response]=--------------------------
    This issue was brought to the vendor's attention on the 20th of
    February, 2001. The vendor replied:

    "There are two issues here: the particular alert action (i.e., opening
     the command prompt in response to the log becoming full), and the fact
     that the alert action recurs each time you boot.

     * Alert action. By default, there is no alert action selected -- you
     have to have enabled alerts. Once they're enabled, the default alert
     mechanism is to run a program. This is usually used to run a program
     to, for instance, send a mail to the administrator. If you want to,
     you can select a different alert mechanism.

     * Recurrence. By default, ISA will continue to take the alert action
     each time the machine is booted, until the "log full" condition no
     longer applies. Again, the idea here is that ISA will give the
     administrator a signal that he needs to tend to his logs. You can
     reset the recurrence so that the alert action is only taken at
     predefined intervals, or only after a manual reset of the event log."

    Also:

    "Thanks for letting me review the draft. I don't see anything in it
     that's factually incorrect. However, classifying this as a denial of
     service vulnerability seems excessive, don't you think? There isn't
     a product flaw here -- the only issue is that if the user
     deliberately turns on a feature, but doesn't configure it correctly,
     he can hurt the performance of his machine. That is, there isn't any
     way for a bad guy to force the admin to turn on the Event Log Failure
     option, nor is there any way for him to prevent the admin from
     properly configuring it. It seems much more appropriate to discuss
     this as an issue of proper use of the product, rather than as a
     security vulnerability."

    And finally:

    "I agree that the right way to use the alert mechanism isn't intuitive,
     and that we need to get the word out so folks will use it
     appropriately."

    ======================================================================
                This release was brought to you by Defcom Labs

                  labs@defcom.com www.defcom.com
    ======================================================================
