Reported August 17, 2001, by Microsoft.

VERSION AFFECTED

  • Microsoft ISA Server 2000

 

DESCRIPTION
Two vulnerabilities exist in Microsoft ISA Server 2000. The first problem stems from a memory leak condition in the H323asn1.dll used to process H.323 Gatekeeper Voice over IP (VoIP) data and Winsock Proxy services. An attacker can send malformed H.323 data repeatedly to the server, consuming small amounts of memory until it consumes all of the server's memory. This results in a Denial of Server (DoS) condition. To restore normal operation, a user must restart the H.323 service. According to Microsoft article Q289503, if the gatekeeper service is not running, such an attack is ineffective.

 

The second vulnerability is a cross-site scripting problem affecting the error page that ISA Server generates in response to a request for a non-existent page or an unsuccessful connection attempt to a page. This vulnerability occurs because the ISA Server returns the original requested URL to the browser in the error message along with the reason why the user can't access the URL. Because the original request contains a script, the browser runs the script on receipt. This lets an attacker either run a script in the security domain of another Web site or access cookies that a site has written to the user's computer. For more details, read Microsoft article Q295389.

 

VENDOR RESPONSE

The vendor, Microsoft, has released security bulletin MS01-045 to address these vulnerabilities and recommends that affected users apply the patch provided at this URL.

 

CREDIT
Discovered by Peter Grundl and Dr. Hiromitsu Takagi.