ZDI-07-053: Microsoft ISA Server SOCKS4 Proxy Connection Leakage
http://www.zerodayinitiative.com/advisories/ZDI-07-053.html
September 20, 2007
-- CVE ID:
CVE-2007-4991
-- Affected Vendor:
Microsoft
Avira AntiVir Exchange
Avira AntiVir MIMEsweeper
Avira AntiVir Domino
Avira AntiVir WebGate
Avira WebGate Suite
Avira AntiVir ISA Server
Avira AntiVir MIMEsweeper
______________________________________________________________________
- McAfee VirusScan Enterprise
- McAfee VirusScan Enterprise Linux
- McAfee VirusScan Enterprise for SAP
- McAfee VirusScan Enterprise for Storage
- McAfee VirusScan Commandline
- McAfee SecurityShield for Microsoft ISA Server
- McAfee Security for Microsoft Sharepoint
- McAfee Security for Email Servers
- McAfee Email Gateway
- McAfee Total Protection for Endpoint
- McAfee Active Virus Defense
- Kaspersky Open Space Security
- Kaspersky Business Space Security
- Kaspersky Work Space Security
- Kaspersky Enterprise Space Security
- Kaspersky Targeted Security
- Kaspersky® Anti-Virus for Microsoft ISA Server
- Kaspersky® Anti-Virus for Proxy Server
- Kaspersky® Anti-Virus for Check Point Firewall-1
- Kaspersky® Anti-Virus for Windows Server
- Kaspersky® Anti-Virus for Windows Server Enterprise Edition
- Kaspersky® Anti-Virus for Novell NetWare
discussing how to secure Exchange Server deployments.
(http://www.securityfocus.com/infocus/1654 if you want to check up on
me). I would draw your attention to this excerpt in regard to using
ISA's SMTP application filter to inspect SMTP traffic:
"Though we are filtering the command set through the ISA server, it is
the element of the unknown that concerns me: we just don't know what
vulnerabilities the future may present, and the possibility of a
compromised Exchange server is just too much of a risk."
Fast forward to April of 2005 where Microsoft published "MS05-021:
- Avira AntiVir Premium Security Suite
- Avira AntiVir Professional (Desktop)
- Avira AntiVir Server
- Avira AntiVir Exchange
- Avira AntiVir SharePoint
- Avira AntiVir ISA Server
- Avira AntiVir MIMEsweeper
- Avira AntiVir for KEN! 4
- Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
- Avira AntiVir Professional (Unix)
- Avira AntiVir Server (Unix)
Interesting (and serendipitous, at that <g>).
ISA Server 2004+ allows you to configure "allowed / denied methods" in any rule for which the web proxy is involved; effectively nullifying this attack.
..of course, this requires the web devs to communicate the minimum required methods for their site - something I've rarely seen expressed with any real authority.
Jim
-----Original Message-----
From: Arshan Dabirsiaghi [mailto:arshan.dabirsiaghi@aspectsecurity.com]
to a lesser extent, monitoring in a Websense Enterprise 6.3.1 environment.
PROOF OF CONCEPT
================
The following was tested in an unpatched 6.3.1 system using the ISA Server
integration product. It is assumed it will work with other integration
products but this has not been tested. Other User Agents may also work.
I. Install Firefox 2.0.x
Corporate Protection
* avast! 4 Server Edition (impact high, complete bypass)
* avast! 4 Server Edition Plug-ins
* avast! 4 Exchange Server Edition (impact high, complete bypass)
* avast! 4 ISA Server Edition (impact high, complete bypass)
* avast! 4 SharePoint Server Edition (impact high, complete bypass)
* avast! 4 SMTP Server Edition (impact high, complete bypass)
* avast! 4 Lotus Domino Edition (impact high, complete bypass)
* avast! Distributed Network Manager (impact high, complete bypass)
* avast! 4 Professional (impact unknown)
Avira AntiVir Mobile
Avira SmallBusiness Suite
Avira Business Bundle
Avira AntiVir NetGate Bundle
Recently, David Litchfield asked me to help him out a bit with a research project he was working on by having me set up a network capture in my DMZ to log SQL Slammer attacks. I don't publish any services here at my Santa Cruz facility (meaning there are no required inbound protocols and no references in DNS anywhere), so I figured it would be a nice "quiet" circuit to use for testing. I basically port-forwarded UDP 1434 to a laptop in my DMZ running NetMon3, also filtering for UDP 1434. After about 4 days of running NetMon, I had captured almost 30 (verified) random SQL Slammer attacks. What I found interesting was that every single one of them was sourced in China (all from different addresses).
Now, it's not my intent to start some geopolitical debate here, but I've long heard about how some people would block entire countries at the border in order to obviate issues with malicious traffic. There are obviously some issues with this (both from a technical and a potential-customer standpoint), so I set out to do a bit of research on my own. The first thing I found out was that if one does decide to block entire countries, it's going to be a bit of work from a rule standpoint. Sure, if I wanted to block all of China I could block APNIC, but that would block WAY more than I would want. So I set about finding a good resource for country-by-country IP ranges. Fortunately, Wade Alcorn, one of my colleagues at NGSSoftware, turned me on to one that seemed pretty decent (there are a few around, though). But finding the resource was just the beginning... The list I got included 234 countries, comprising almost 100,000 records of IP ranges.
Making a firewall rule to block China, for instance, would require entering almost 600 IP ranges - so the "manual" route was clearly out. The thing is, I just didn't want to block countries without more research, so I needed a way to gather some statistics first. Enter ISA Server - as many of you know, I'm a big fan of ISA - it's a true enterprise security product with great scripting capabilities, so I set to work creating an automated method by which to create computer sets in ISA for each country. Basically, I created a SQL database and loaded all the records into it - I then wrote a little COM app to reach out and grab the data by country, create the sets in ISA, and loop through the different ranges of IPs to add them to the set. It worked great.
This accomplished two things - one, I now have full detailed computer sets for each country to do with as I please. Secondly, I have an excellent way of producing detailed reports for traffic analysis in ISA - this was key. With data collection points set up at different places around the world, I was able to capture 3.1 million inbound connection attempts. The results were quite interesting. While China still led with connection attempts overall, it was interesting to see that Canada was a close second. However, while China's traffic consisted of SQL Slammer, HTTP, SMTP, probes for GhostProxy, etc., almost all of Canada's traffic was MESSENGER spam (UDP 1026, 1027, 1208). The world leader for HTTP was Brazil, strangely enough. Now, all of this will change based on who and where you are, and the types of services being offered. For example, I only got 5 SMTP connection attempts to my cable modem in a week, but my ISP in BM got hundreds of thousands (understandably) in the same time period. I'll whip up some cool reports for what I found and post them once I get some more data in from different collection points, but the valuable outcome of the project was the creation of these individual country-by-country Computer Sets for ISA.
Beforehand, I had no real way of easily and effectively reporting on traffic patterns by source country. Whether you can or can't block entire countries is your business, but at least this affords someone an easy way of doing research. You may not be able to (or even want to) block HTTP from China, but you very well may want to block SMTP - with ISA and computer sets, you can easily do this. Even if you don't block anything at all, you can use the sets to get rich reports of what kind of traffic you are getting from a particular country. While the validity of the practice of blocking entire countries (or particular protocols, for that matter) may be up for debate, you now at least have the option to make your own decision based on factual information. To be sure, you've always been able to do this; it's just been my experience that maintaining rule lists by country/protocol has been quite difficult and time consuming.
I've exported every country's entire list to ISA 2006 .XML format, and have posted them on the HoG site for community use. Since I've automated the Set creation process, I'll be updating the sets each month or so to ensure that changes are processed correctly. I would like to thank NGSSoftware for purchasing the required business services to receive the updates - their donation makes it possible for me to give you updated sets for free.
- Avira AntiVir Premium Security Suite (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Professional (Desktop) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Server (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Exchange (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir SharePoint (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir ISA Server (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir MIMEsweeper (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir for KEN! 4 (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
- Avira AntiVir Professional (Unix) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
- Avira AntiVir Server (Unix) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)