SECURITYVULNS:DOC:1519
Apr 18, 2001 - 12:00 a.m.

[SX-20010320-2b] - Followup re. Microsoft ISA Server Denial of Service

FSC Internet Corp. / SecureXpert Labs Advisory [SX-20010320-2b]

This is a follow-up to:
[SX-20010320-2] Denial of Service in Microsoft ISA server v1.0

Several individuals have pointed out an easier exploit scenario for this
vulnerability, which additionally does NOT require the Web Publishing
feature of ISA server to be active.

The new exploit consists simply of sending an HTML email message containing
an IMG tag whose SRC value is a URL of the form described in [SX-20010320-2]
to a recipient within the protected network.

When this message is read, the recipient's web browser will generate an
HTTP request which will trigger the W3PROXY.EXE access violation and therefore
the denial of service.

Another variation involves sending an HTML email message containing JavaScript
or VBScript which generates such a URL request to a recipient within the
protected network. However, some web browsers may be configured not to
execute JavaScript or VBScript within the context of an email message.
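
A mail-gateway check for the delivery vector described above, as an added example that is not part of the original advisory: it lists the IMG SRC URLs a reader's browser would fetch on opening an HTML message and counts script constructs. The URL form from [SX-20010320-2] is not reproduced on this page, so the sample uses a placeholder URL and every remote IMG SRC is reported; the host names and the names `scan_message` and `AutoFetchScanner` are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; hosts and the URL path are placeholders.
SAMPLE = (
    "From: sender@example.test\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<html><body><IMG SRC="http://host.example.test/PLACEHOLDER">'
    '<img src="cid:logo@example.test">'
    "<script>/* constructed */</script></body></html>\n"
)

def _is_remote(url):
    try:
        return urlsplit(url.strip()).scheme in ("http", "https")
    except ValueError:  # malformed URL, treat as not fetchable
        return False

class AutoFetchScanner(HTMLParser):
    """Collects remote IMG SRC URLs and counts script-capable constructs."""
    def __init__(self):
        super().__init__()
        self.remote_images = []
        self.script_constructs = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "img" and _is_remote(attrs.get("src") or ""):
            self.remote_images.append(attrs["src"].strip())
        if tag == "script":
            self.script_constructs += 1
        # Inline event handlers (onload=, onerror=, ...) also run script.
        self.script_constructs += sum(n.startswith("on") for n in attrs)

def scan_message(raw):
    """Scan every text/html part of a raw RFC 822 message string."""
    scanner = AutoFetchScanner()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            scanner.feed(body.decode(charset, errors="replace"))
    scanner.close()
    return {"remote_images": scanner.remote_images,
            "script_constructs": scanner.script_constructs}

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

Embedded `cid:` images are not reported because they do not cause an outbound HTTP request through the proxy.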

Status

Microsoft Corp. was informed of this additional exploit scenario on April 17,
2001. The hotfix issued by Microsoft on April 16, 2001 already provides a
solution for this additional scenario.

Credits

Richard Reiner, SecureXpert Labs
Graham Wiseman, SecureXpert Labs
Matthew Siemens, SecureXpert Labs
Kent Nicolson, SecureXpert Labs
Hank Leininger <[email protected]>

About SecureXpert DIRECT

SecureXpert DIRECT is an advance security advisory service provided to qualified
subscribers by SecureXpert Labs. Subscriptions are free of charge and may be
obtained at http://www.securexpert.com/services.html.