[NT] Multiple Vulnerabilities in SuperScout Web Reports Server

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 2 Oct 2002 23:14:52 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Multiple Vulnerabilities in SuperScout Web Reports Server
------------------------------------------------------------------------

SUMMARY

SurfControl's SuperScout Web Filter for Windows lets companies monitor and
regulate their employees' use of the Internet. It offers comprehensive
reporting, and provides a web interface (the Web Reports Server, listening
on port 8888) for report retrieval.

Multiple vulnerabilities in the Web Reports Server could allow remote
attackers to compromise the host on which SuperScout is installed and to
modify or remove information from the database it uses.

DETAILS

Usernames and Passwords Retrievable
The file at:

http://reports-server:8888/surf/scwebusers

contains the username and password of every user of the reports server, and
can be fetched by any client that can reach the server. The usernames are in
plain text; the passwords are stored in a reversibly encrypted form.

Weak Encryption
The encryption is implemented in a short JavaScript file, served to every
client, at:

http://reports-server:8888/surf/JavaScript/UserManager.js

The EncryptString function takes two parameters, a text string and a key.

Unfortunately, the key is hard-coded into another JavaScript function, so
anyone who has fetched the script has everything needed to decrypt every
password in scwebusers. (The key is 'test'.)

The default administrative password, stored as '3&8>>', decrypts to 'admin'.

As a result, an attacker can recover the credentials of any user, including
the administrator, and so access any report available on the server.

DoS via Large GET request
Repeated large GET requests cause the reports service to consume 100% CPU,
at which point it stops servicing requests. The server does appear to
recover eventually; however, this was not tested extensively.

Triple Dot Directory Traversal
An attacker can retrieve any file on the server via a simple directory
traversal attack using '...' path segments in place of '..', e.g.

http://reports-server:8888/.../.../.../.../.../.../.../winnt/win.ini
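
The advisory does not say why '...' works where '..' presumably does not, but
the lesson for a server author is the same either way: a filter that rejects
only the literal '..' segment is a blocklist, and blocklists miss variants.
The following added example (not code from the reports server or from the MFC
sample) shows such a naive filter beside a per-segment allowlist that does not
depend on how the operating system collapses odd segments, and runs the strict
check over a few constructed access-log lines built from the URLs quoted above:

```javascript
// Added example, not SurfControl's or Microsoft's code. Request paths are
// taken from the advisory; the log lines are constructed for the demonstration.

// Filter of the naive kind: only the exact ".." segment is refused, so
// "..." (and any other dots-only segment) sails through.
function naiveIsSafe(requestPath) {
  return requestPath.split('/').every(seg => seg !== '..');
}

// Stricter check: every segment must be a plain file name made only of
// allowlisted characters and containing at least one non-dot character.
// Dots-only segments, backslashes and NUL bytes all fail, whatever the
// underlying filesystem would make of them.
function strictIsSafe(requestPath) {
  if (/[\0\\]/.test(requestPath)) return false;
  const segs = requestPath.split('?')[0].split('/').filter(s => s.length > 0);
  return segs.every(seg => /^[A-Za-z0-9_.-]+$/.test(seg) && /[^.]/.test(seg));
}

// Constructed access-log lines in common log format (not real server logs).
const SAMPLE_LOG = [
  '10.0.0.5 - - [02/Oct/2002:23:14:52 +0200] "GET /surf/scwebusers HTTP/1.0" 200 512',
  '10.0.0.5 - - [02/Oct/2002:23:15:01 +0200] "GET /.../.../.../.../.../.../.../winnt/win.ini HTTP/1.0" 200 219',
  '10.0.0.7 - - [02/Oct/2002:23:15:09 +0200] "GET /surf/JavaScript/UserManager.js HTTP/1.0" 200 4031',
  '10.0.0.9 - - [02/Oct/2002:23:16:40 +0200] "GET /../../winnt/win.ini HTTP/1.0" 404 0',
];

// Pull the request URI out of each line and return those failing the strict check.
function flagTraversalAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    const m = /"(?:GET|HEAD|POST) (\S+) HTTP\/[\d.]+"/.exec(line);
    if (m && !strictIsSafe(m[1])) hits.push(m[1]);
  }
  return hits;
}

console.log('naive filter passes triple-dot path:',
  naiveIsSafe('/.../.../.../.../.../.../.../winnt/win.ini'));
console.log('flagged requests:', flagTraversalAttempts(SAMPLE_LOG));
```

The same per-segment rule is what a detection engineer would drop into a log
pipeline: it catches '..', '...' and longer runs alike, and a 200 status on a
flagged request (as on the second constructed line) is the signal that the
file actually came back.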

SQL Injection Vulnerability
The various reports are implemented as DLLs. Several of these perform no
input validation on their request parameters, so an attacker could execute
arbitrary SQL queries against the back-end database, e.g. via:

http://reports-server:8888/SimpleBar.dll/RunReport?...<various parameters>
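
The advisory does not show the queries or the parameter names the report DLLs
accept. The added example below (not SurfControl's code) uses a hypothetical
report handler with assumed parameters user, from, to and sort, and an assumed
weblog table, to contrast the string-building pattern that produces this class
of bug with a parameterised build plus an identifier allowlist:

```javascript
// Added example: a hypothetical report handler, not SurfControl's SimpleBar.dll.
// The parameter names (user, from, to, sort) and the table and columns are
// assumptions; the advisory does not list them.

// Identifiers cannot be bound as parameters, so sortable columns are allowlisted.
const SORTABLE_COLUMNS = new Set(['hits', 'bytes', 'username']);
const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;

// The pattern the advisory describes: request parameters pasted into SQL text.
// A quote or semicolon in any value changes the structure of the statement.
function buildReportQueryUnsafe(p) {
  return "SELECT username, SUM(bytes) AS bytes, COUNT(*) AS hits FROM weblog " +
    "WHERE username = '" + p.user + "' " +
    "AND visited BETWEEN '" + p.from + "' AND '" + p.to + "' " +
    "GROUP BY username ORDER BY " + p.sort;
}

// Hardened build: values go out as bind parameters (the driver never lets a
// bound value alter the statement's shape), dates must match a strict form,
// and the ORDER BY identifier is checked against the allowlist.
function buildReportQuerySafe(p) {
  if (typeof p.user !== 'string' || p.user.length === 0 || p.user.length > 64) {
    throw new Error('bad user');
  }
  if (!DATE_RE.test(p.from) || !DATE_RE.test(p.to)) throw new Error('bad date range');
  if (!SORTABLE_COLUMNS.has(p.sort)) throw new Error('bad sort column');
  return {
    sql: 'SELECT username, SUM(bytes) AS bytes, COUNT(*) AS hits FROM weblog ' +
         'WHERE username = ? AND visited BETWEEN ? AND ? ' +
         'GROUP BY username ORDER BY ' + p.sort,
    params: [p.user, p.from, p.to],
  };
}

// Constructed request values: a benign set and one carrying an injected tail.
const BENIGN = { user: 'jsmith', from: '2002-09-01', to: '2002-09-30', sort: 'hits' };
const INJECTED = { user: "x' OR '1'='1", from: '2002-09-01', to: '2002-09-30', sort: 'hits' };

console.log(buildReportQueryUnsafe(INJECTED));   // WHERE clause now matches every row
console.log(buildReportQuerySafe(INJECTED).sql); // placeholders only; payload is a bound string
```

Note that the sort column is the one place binding cannot help, which is why
it is validated against a fixed set rather than escaped; escaping identifiers
is exactly the kind of ad-hoc filtering that the other findings on this page
show failing.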

Note:
The banner returned by the server is 'MS-MFC-HttpSvr/1.0'. A search for
this returned the following link:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcsample98/html/_sample_mfc_httpsvr.asp

The reports server appears to be based on a sample application from
Microsoft. Other servers based on this may be vulnerable to the directory
traversal and DoS attacks.

Vendor Response:
The vendor, SurfControl, was initially contacted on 18/07/02.

The vendor stated that they were looking at ways to deliver reports in
different formats, and that these would encompass tighter security. They
had no definite timescales for this, but suggested the workaround below.

Patch Information:
No patch available. Vendor supplied workaround:

Disable the reports server and consider using a terminal session to the
server to access the reports.

ADDITIONAL INFORMATION

This advisory is available online at:
http://www.westpoint.ltd.uk/wp-02-0005.txt

The information has been provided by Matt Moore (matt@westpoint.ltd.uk).


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


