Từ chối dịch vụ (DoS) trong Microsoft ProxyServer, and Internet Security and Acceleration

Microsoft Corp.s Internet Security and Acceleration Server (ISA)Serverintegrates an extensible, multilayerenterprise firewall and ascalablehighperformanceweb cache. It builds on Microsoft Windows 2000security...
Nội dung trích xuất từ tài liệu:
Từ chối dịch vụ (DoS) trong Microsoft ProxyServer, and Internet Security and AccelerationTừchốidịchvụ(DoS)trongMicrosoftProxyServer,andInternetSecurityandAccelerationS:trangnàyđãđượcđọc lầnBEGINPGPSIGNEDMESSAGEHash:SHA1iDEFENSESecurityAdvisory04.09.03:http://www.idefense.com/advisory/04.09.03.txtDenialofServiceinMicrosoftProxyServer2.0andInternetSecurityandAccelerationServer2000April9,2003I.BACKGROUNDMicrosoftCorp.sInternetSecurityandAccelerationServer(ISA)Serverintegratesanextensible,multilayerenterprisefirewallandascalablehighperformancewebcache.ItbuildsonMicrosoftWindows2000securityanddirectoryforpolicybasedsecurity,accelerationandmanagementofinternetworking.Moreinformationisavailableathttp://www.microsoft.com/isaserver/.MSProxy2.0isthepredecessortoISAServer,moreinformationisavailableathttp://www.microsoft.com/isaserver/evaluation/previousversions/default.asp.II.DESCRIPTIONAvulnerabilityexistsinISAServerandMSProxy2.0thatallowsattackerstocauseadenialofserviceconditionbyspoofingaspeciallycraftedpackettothetargetsystem.AnotherimpactofthisvulnerabilityisthecapabilityofaremoteattackertogenerateaninfinitepacketstormbetweentwounpatchedsystemsimplementingISAServerorMSProxy2.0overtheInternet.BothISAServerandMSProxy2.0,bydefault,installaWinSockProxy(WSP)servicewspsrv.exe,designedfortestinganddiagnosticpurposes.TheWSPservicecreatesaUserDatagramProtocolsocketboundtoport1745.AspeciallycraftedpacketcancauseWSPtogenerateacontinuousfloodofrequestsandreplyrequirements.III.ANALYSISInthecaseoftheattackscenarioforaninternalLANattackercausingadenialofservice,thismalformedpacketmustmeetthefollowingcriteria:*ThesourceanddestinationIParethesameastheISAServer.*Thesourceanddestinationportis1745.*Thedatafieldisspeciallycraftedandresemblestherequestformat.AnattackerwithaccesstotheLANcananonymouslygenerateaspeciallycraftedUDPpacketthatwillcausethetargetISAServertofallintoacontinuousloopofprocessingrequestandreplypackets.ThiswillcausetheISAServertoconsume100percentoftheunderlyingsystemsCPUusage.ItwillcontinuetodosountilthesystemrebootsortheWinSockProxy(WSP)servicerestarts.InthecaseoftheattackscenarioofaremoteattackercausingapacketstormbetweentwosystemsrunningISAServerorMSProxy2.0,themalformedpacketmustmeetthefollowingcriteria:*ThesourceIPisoneofthetargets*ThedestinationIPistheothertarget*Thesourceanddestinationportis1745.*Thedatafieldisspeciallycraftedandresemblestherequestformat.IV.DETECTIONiDEFENSEhasverifiedthatMicrosoftISAServer2000andMSProxy2.0arebothvulnerabletothesamemalformedpacketcharacteristicsdescribedabove.Wspsrv.exeisenabledbydefaultinProxyServer2.0.TheMicrosoftFirewallserverisenabledbydefaultinISAServerfirewallmodeandISAServerintegratedmodeinstallations.ItisdisabledinISAServercachemodeinstallations.V.WORKAROUNDTopreventthesecondattackscenario,applyingressfilteringontheInternetrouteronUDPport1745topreventamalformedpacketfromreachingtheISAServerandcausingapacketstorm.VI.RECOVERYRestarteithertheWinSockProxyServiceortheaffectedsystemtoresumenormaloperation.VII.VENDORFIX/RESPONSEMicrosofthasprovidedfixesforProxyServer2.0andISAServerathttp://www.microsoft.com/technet/security/bulletin/MS03012.asp.VIII.CVEINFORMATIONTheMitreCorp.sCommonVulnerabilitiesandExposures(CVE)ProjecthasassignedtheidentificationnumberCAN20030110tothisissue.IX.DISCLOSURETIMELINE01/23/2003IssuedisclosedtoiDEFENSE02/24/2003security@microsoft.comcontacted02/24/2003ResponsefromIainMulholland,MSRC02/25/2003iDEFENSEclientsnotified03/03/2003StatusrequestfromiDEFENSE03/11/2003StatusrequestfromiDEFENSE03/11/2003ResponsefromIainMulholland,MSRC03/13/2003StatusrequestfromiDEFENSE03/18/2003StatusrequestfromiDEFENSE03/18/2003ResponsefromIainMulholland,MSRC03/24/2003StatusrequestfromiDEFENSE03/25/2003ResponsefromIainMulholland,MSRC04/09/2003PublicDisclosureGetpaidforsecurityresearchhttp://www.idefense.com/contributor.htmlSubscribetoiDEFENSEAdvisories:sendemailtolistserv@idefense.com,subjectline:subscribeAboutiDEFENSE:iDEFENSEisaglobalsecurityintelligencecompanythatproactivelymonitorssourcesthroughouttheworld—fromtechnicalvulnerabilitiesandhackerprofilingtotheglobalspreadofvirusesandothermaliciouscode.Oursecurityintelligenceservicesprovidedecisionmakers,frontline ...