Đề tài Từ chối dịch vụ (DoS) trong Microsoft ProxyServer, and Internet Security and Acceleration S

Từ chối dịch vụ (DoS) trong Microsoft ProxyServer, and Internet Security and Acceleration S: -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1iDEFENSE Security Advisory 04.09.03:Denial of Service in Microsoft Proxy Server 2.0 and Internet Security andAcceleration Server 2000April 9, 2003I. BACKGROUNDMicrosoft Corp.'s Internet Security and Acceleration Server (ISA) Serverintegrates an extensible, multi-layer enterprise firewall and a scalablehigh-performance web cache. It builds on Microsoft Windows 2000 securityand directory for policy-based security, acceleration and management ofinternetworking. More information is available at . MS Proxy 2.0 is the predecessor toISA Server, more information is available at.II. DESCRIPTIONA vulnerability exists in ISA Server and MS Proxy 2.0 that allowsattackers to cause a denial-of-service condition by spoofing a speciallycrafted packet to the target system. Another impact of this vulnerabilityis the capability of a remote attacker to generate an infinite packetstorm between two unpatched systems implementing ISA Server or MS Proxy2.0 over the Internet.Both ISA Server and MS Proxy 2.0, by default, install a WinSock Proxy(WSP) service wspsrv.exe, designed for testing and diagnostic purposes.The WSP service creates a User Datagram Protocol socket bound to port1745. A specially crafted packet can cause WSP to generate a continuousflood of requests and reply requirements.III. ANALYSISIn the case of the attack scenario for an internal LAN attacker causing adenial of service, this malformed packet must meet the following criteria:* The source and destination IP are the same as the ISA Server.* The source and destination port is 1745.* The data field is specially crafted and resembles the request format.An attacker with access to the LAN can anonymously generate a speciallycrafted UDP packet that will cause the target ISA Server to fall into acontinuous loop of processing request and reply packets. This will causethe ISA Server to consume 100 percent of the underlying system's CPU usage. It will continue to do so until the system reboots or the WinSock Proxy (WSP) service restarts.In the case of the attack scenario of a remote attacker causing a packetstorm between two systems running ISA Server or MS Proxy 2.0, themalformed packet must meet the following criteria:* The source IP is one of the targets* The destination IP is the other target* The source and destination port is 1745.* The data field is specially crafted and resembles the request format.IV. DETECTIONiDEFENSE has verified that Microsoft ISA Server 2000 and MS Proxy 2.0 areboth vulnerable to the same malformed packet characteristics describedabove.Wspsrv.exe is enabled by default in Proxy Server 2.0. The MicrosoftFirewall server is enabled by default in ISA Server firewall mode and ISAServer integrated mode installations. It is disabled in ISA Server cachemode installations.V. WORKAROUNDTo prevent the second attack scenario, apply ingress filtering on theInternet router on UDP port 1745 to prevent a malformed packet fromreaching the ISA Server and causing a packet storm.VI. RECOVERYRestart either the WinSock Proxy Service or the affected system to resumenormal operation.VII. VENDOR FIX/RESPONSEMicrosoft has provided fixes for Proxy Server 2.0 and ISA Server at .VIII. CVE INFORMATIONThe Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project hasassigned the identification number CAN-2003-0110 to this issue.IX. DISCLOSURE TIMELINE01/23/2003 Issue disclosed to iDEFENSE02/24/2003 security@microsoft.com contacted02/24/2003 Response from Iain Mulholland, MSRC02/25/2003 iDEFENSE clients notified03/03/2003 Status request from iDEFENSE03/11/2003 Status request from iDEFENSE03/11/2003 Response from Iain Mulholland, MSRC03/13/2003 Status request from iDEFENSE03/18/2003 Status request from iDEFENSE03/18/2003 Response from Iain Mulholland, MSRC03/24/2003 Status request from iDEFENSE03/25/2003 Response from Iain Mulholland, MSRC04/09/2003 Public DisclosureGet paid for security researchSubscribe to iDEFENSE Advisories:send email to listserv@idefense.com, subject line: "subscribe"About iDEFENSE:iDEFENSE is a global security intelligence company that proactivelymonitors sources throughout the world — from technicalvulnerabilities and hacker profiling to the global spread of virusesand other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligenceand decision support on cyber-related threats. For more information,visit .-----BEGIN PGP SIGNATURE-----Version: PGP 8.0iQA/AwUBPpR3/frkky7kqW5PEQKypwCdGfcO0FcsIAohajEwZMfnZrmGYh4AoMc5S+jzjh3evev/30oPRtg/1W75=N1F/-----END PGP SIGNATURE-----