Reported August 17, 2001, by Microsoft.
Microsoft ISA Server 2000
Two vulnerabilities exist in Microsoft ISA Server 2000. The first problem stems from a memory leak condition in the H323asn1.dll used to process H.323 Gatekeeper Voice over IP (VoIP) data and Winsock Proxy services. An attacker can send malformed H.323 data repeatedly to the server, consuming small amounts of memory until it consumes all of the server's memory. This results in a Denial of Server (DoS) condition. To restore normal operation, a user must restart the H.323 service. According to Microsoft article Q289503, if the gatekeeper service is not running, such an attack is ineffective.
The second vulnerability is a cross-site scripting problem affecting the error page that ISA Server generates in response to a request for a non-existent page or an unsuccessful connection attempt to a page. This vulnerability occurs because the ISA Server returns the original requested URL to the browser in the error message along with the reason why the user can't access the URL. Because the original request contains a script, the browser runs the script on receipt. This lets an attacker either run a script in the security domain of another Web site or access cookies that a site has written to the user's computer. For more details, read Microsoft article Q295389.
Discovered by Peter Grundl and Dr. Hiromitsu Takagi.