SecurityTracker.com
Category:   Application (Security)  >   Microsoft Internet Security and Acceleration Server Vendors:   Microsoft
Microsoft Internet Security and Acceleration (ISA) Server 2000 Can Be Disrupted By Remote Users Due to Memory Leaks and Also Allows Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1002206
SecurityTracker URL:  http://securitytracker.com/id/1002206
CVE Reference:   CAN-2001-0546, CAN-2001-0547, CAN-2001-0658   (Links to External Site)
Updated:  Dec 1 2003
Original Entry Date:  Aug 17 2001
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Microsoft reported three separate vulnerabilities in their Internet Security and Acceleration (ISA) Server 2000. Two of the security flaws allow remote users to cause the server to consume available memory, one via the H.323 service and the other via the Proxy service. The third flaw allows for cross-site scripting attacks.

A memory leak in the H.323 Gatekeeper Service for voice-over-IP traffic processing can reportedly be triggered by a remote user sending malformed H.323 data through the server. If a remote user repeatedly sends this malformed data, all available memory on the server could be consumed, causing performance to degrade or causing communication services to be disrupted. Normal service can be restored by cycling the H.323 service.

Another memory leak exists in the Proxy service that can similarly be triggered by a malformed connection (the specific nature of this malformed data was not disclosed). If a remote user repeatedly sends this malformed data, all available memory on the server could be consumed, causing performance to degrade or causing communication services to be disrupted. Normal service can be restored by cycling the Proxy service.

Finally, the ISA Server 2000 permits cross-site scripting attacks. The server generates error pages that reference the failed URL when a remote user causes a page error (e.g., page not found). This allows a remote user to create a web page or HTML-based e-mail that includes specially crafted scripts pointing to the ISA server that will cause the scripts to be executed in another user's browser when the page is viewed. The script would run in the security domain of the ISA server and would be able to access any cookies the ISA server has written to the user's machine.
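To make the reflected-URL flaw concrete, here is an added example (not ISA Server's code and not part of the advisory) that builds a "page not found" error page the vulnerable way, copying the failed URL into the HTML verbatim, beside the hardened form that HTML-escapes the URL before reflecting it. The sample URL, the function names and the check helper are constructed for this illustration.

```python
import html

# Constructed sample request: a page that does not exist on a valid site,
# with markup embedded in the path (the pattern the advisory describes).
SAMPLE_URL = "http://www.example.com/missing<script>alert(1)</script>.html"


def render_error_page_unsafe(failed_url: str) -> str:
    """Error page the way a vulnerable proxy would build it: the failed URL
    is interpolated into the HTML as-is, so any markup in it becomes live."""
    return (
        "<html><body><h1>Error 404</h1>"
        f"<p>The page {failed_url} could not be retrieved.</p>"
        "</body></html>"
    )


def render_error_page_safe(failed_url: str) -> str:
    """Hardened variant: escape <, >, &, and quotes before the URL is
    reflected, so the browser displays it as text instead of parsing it."""
    safe = html.escape(failed_url, quote=True)
    return (
        "<html><body><h1>Error 404</h1>"
        f"<p>The page {safe} could not be retrieved.</p>"
        "</body></html>"
    )


def reflects_raw_markup(page: str, failed_url: str) -> bool:
    """Defender-side check for an error page: does the response still carry
    the request URL's markup characters unescaped?"""
    return "<" in failed_url and failed_url in page


if __name__ == "__main__":
    unsafe = render_error_page_unsafe(SAMPLE_URL)
    safe = render_error_page_safe(SAMPLE_URL)
    print("unsafe page reflects raw markup:", reflects_raw_markup(unsafe, SAMPLE_URL))
    print("safe page reflects raw markup:", reflects_raw_markup(safe, SAMPLE_URL))
```

The same check can be pointed at a live error response when validating that a proxy or firewall's error handler no longer echoes request URLs unencoded.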

Impact:   A remote user can cause the communication services to be disrupted, requiring the affected services to be restarted. A remote user can also issue a cross-site scripting attack referencing the ISA server.
Solution:   The vendor has released a patch for Microsoft ISA Server 2000:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=32094

This patch can reportedly be installed on systems running ISA Server 2000 Gold. Microsoft plans to include the fix for this issue in ISA Server 2000 Service Pack 1.

The vendor notes that this patch supersedes the one provided via Microsoft Security Bulletin MS01-021.

The patch should create the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\FPC\Hotfixes\ISA3.0\68

For further information, see Knowledge Base article Q289503:

http://support.microsoft.com/support/kb/articles/q289/5/03.ASP

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS01-045.asp (Links to External Site)
Cause:   Resource error
Underlying OS:   Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Date:  Thu, 16 Aug 2001 14:03:51 -0700
Subject:  Microsoft Security Bulletin MS01-045


The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.

 
-----BEGIN PGP SIGNED MESSAGE-----

----------------------------------------------------------------------
Title:      ISA Server H.323 Gatekeeper Service Contains Memory Leak
Date:       16 August 2001
Software:   ISA Server 2000
Impact:     Denial of service, cross-site scripting
Bulletin:   MS01-045

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-045.asp.
----------------------------------------------------------------------

Issue:
======
This bulletin discusses three security vulnerabilities that are
unrelated except in the sense that all affect ISA Server 2000:

 - A denial of service vulnerability involving the H.323 Gatekeeper
   Service, a service that supports the transmission of voice-over-IP
   traffic through the firewall. The service contains a memory leak
   that is triggered by a particular type of malformed H.323 data.
   Each time such data is received, the memory available on the
   server is depleted by a small amount; if an attacker repeatedly
   sent such data, the performance of the server could deteriorate to
   the point where it would effectively disrupt all communications
   across the firewall. A server administrator could restore normal
   service by cycling the H.323 service. 
 - A denial of service vulnerability in the Proxy service.
   Like the vulnerability above, this one is caused by a memory leak,
   and could be used to degrade the performance of the server to
   the point where it disrupted communications.
 - A cross-site scripting vulnerability affecting the error page
   that ISA Server 2000 generates in response to a failed request
   for a web page. An attacker could exploit the vulnerability by
   tricking a user into submitting to ISA Server 2000 a URL that
   has the following characteristics: (a) it references a valid
   web site; (b) it requests a page within that site that can't be
   retrieved - that is, a non-existent page or one that generates
   an error; and (c) it contains script within the URL. The error
   page generated by ISA Server 2000 would contain the embedded
   script commands, which would execute when the page was displayed
   in the user's browser. The script would run in the security domain
   of the web site referenced in the URL, and would be able to access
   any cookies that site has written to the user's machine. 

Mitigating Factors:
====================
H.323 Denial of service vulnerability: 
 - The vulnerability could only be exploited if the H.323 Gatekeeper
   Service was installed. It is only installed by default if "Full
   Installation" is chosen; if "Typical Installation" is selected,
   it is not installed. 
 - The vulnerability would not enable an attacker to gain any
   privileges on an affected server or add any traffic to an existing
   voice-over-IP session. It is strictly a denial of service
   vulnerability. 

Proxy Service Denial of service vulnerability: 
 - The vulnerability could only be exploited by an internal user; it
   could not be exploited by an Internet user. 
 - The vulnerability would not enable an attacker to gain any
   privileges on an affected server or compromise any cached content
   on the server. It is strictly a denial of service vulnerability. 

Cross-site scripting vulnerability: 
 - In order to run script in the security domain of a trusted site,
   the attacker would need to know which sites, if any, a user
   trusted. Most users use the default security settings for all web
   sites, which would effectively deny an attacker any gain in
   exploiting the vulnerability for the purposes of running script. 
 - An attacker who wished to read other sites' cookies on a user's
   machine would have no way to know which sites had placed cookies
   there. The attacker would need to exploit the vulnerability once
   for every web site whose cookies she wished to access. 
 - Even if the attacker correctly guessed which sites had placed
   cookies on a user's machine, there should be no sensitive
   information in the cookies, if best practices have been followed. 

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin
   http://www.microsoft.com/technet/security/bulletin/ms01-045.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Peter Grundl for reporting the memory leaks in the H.323
   Gatekeeper Service and the Proxy Service. 
 - Dr. Hiromitsu Takagi for reporting the cross-site scripting
   vulnerability. 

---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.





To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.

For  more  information on  the  Microsoft  Security Notification  Service
please  visit  http://www.microsoft.com/technet/security/notify.asp.  For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.

Copyright 2012, SecurityGlobal.net LLC