Bugtraq mailing list archives
Re: ISA Server 2004 Log Manipulation
From: Shaun Colley <shaun () ngssoftware com>
Date: Sat, 06 May 2006 01:00:59 +0100
Hey, >I'm curious about why you regard this as security-relevant. I do not >know what you mean by "log manipulation".One possible attack vector would be to inject terminal emulator escape sequences into the log file to leverage attacks against vulnerable terminal emulator software. Let's say an admin has SSH'd into his ISA server remotely, and is using a terminal emulator program like eterm or rxvt. He may then 'more' or 'type' the log file to stdout, causing his terminal emulator to interpret and act upon the escape sequences found. The results of this could be pretty nasty, depending on the term emulator being used, including arbitrary file creation and worse. H. D. Moore wrote a nice summary about some issues in popular terminal emulator software a while ago.
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/att-0093/01-Termulation.txtObviously, these possibilities are not directly attributable to ISA server itself, but to the terminal emulator programs. However, I suppose many people would expect log files to be trusted and safe, so this could just provide a possible means for leveraging attacks against already known bugs.
Cheers, Shaun
Current thread:
- ISA Server 2004 Log Manipulation beSIRT (May 04)
- <Possible follow-ups>
- Re: ISA Server 2004 Log Manipulation Steven M. Christey (May 05)
- Re: ISA Server 2004 Log Manipulation beSIRT (May 05)
- Re: ISA Server 2004 Log Manipulation Thor (Hammer of God) (May 06)
- Re: ISA Server 2004 Log Manipulation beSIRT (May 05)
- Re: ISA Server 2004 Log Manipulation Shaun Colley (May 06)
- Re: ISA Server 2004 Log Manipulation Steven M. Christey (May 09)