ISA Server 2004 divulges IP addresses
The Zero-Day Initiative has published details of a hole that has already been closed in Microsoft's ISA Server 2004 through which attackers can apparently retrieve internal IP addresses. According to the report, all attackers need to do is send an empty SOCKS4 packet to the server. The proxy then sends back a packet containing the IP address of the last packet that went through the proxy. ISA Server 2004 with SP1 and SP2 are affected. Service Pack 3, which was released at the end of May, remedies the flaw. It is not clear why ZDI only now reported it.
- Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard Edition Service Pack 3, description of SP3
- Microsoft ISA Server SOCKS4 Proxy Connection Leakage, ZDI's security advisory
(mba)