From matt@westpoint.ltd.uk Fri Oct 4 02:10:19 2002
From: Matt Moore
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Date: Wed, 02 Oct 2002 16:53:18 +0100
Subject: [VulnWatch] wp--02-0005: Multiple Vulnerabilities in SuperScout Web Reports Server

Westpoint Security Advisory

Title:         Multiple Vulnerabilities in SuperScout Web Reports Server
Risk Rating:   High
Software:      SurfControl SuperScout WebFilter
Platforms:     Win32 (WinNT/Win2k)
Vendor URL:    www.surfcontrol.com
Author:        Matt Moore
Date:          1st October 2002
Advisory ID#:  wp-02-0005
CVE#:          CAN-2002-0705 - username/passwords accessible
               CAN-2002-0706 - weak encryption for passwords
               CAN-2002-0707 - large GET requests
               CAN-2002-0708 - Triple dot directory traversal
               CAN-2002-0709 - SQL injection

Overview:
=========

SurfControl's SuperScout Web Filter for Windows allows companies to monitor
and regulate their employees' use of the internet. It offers comprehensive
reporting capabilities, and provides a 'web' interface for report retrieval.

Multiple vulnerabilities in the Web Reports Server could allow remote
attackers to compromise the host on which SuperScout is installed and also
modify or remove information from the database that it uses.

Details:
========

Usernames and Passwords Retrievable
-----------------------------------

The file located at:

  http://reports-server:8888/surf/scwebusers

contains the usernames and passwords for each user of the reports server.
The usernames are in plain text, whilst the passwords are encrypted.

Weak Encryption
---------------

The encryption is implemented via a simple JavaScript, located at:

  http://reports-server:8888/surf/JavaScript/UserManager.js

The EncryptString function takes two parameters, 'text string' and 'key'.
Unfortunately, the key is hard-coded into another JavaScript function and
hence it is trivial to decrypt the passwords. (The key is 'test'.)

The default administrative password, '3&8>>', decrypts to 'admin'.

As a result of this, an attacker can access any reports available on the
server.

DoS via Large GET Request
-------------------------

Repeated large GET requests cause the reports service to consume 100% CPU,
at which point it no longer services requests. The server does appear to
recover eventually. However, this was not tested extensively.

Triple Dot Directory Traversal
------------------------------

An attacker can retrieve any file on the server via a simple directory
traversal attack, e.g.

  http://reports-server:8888/.../.../.../.../.../.../.../winnt/win.ini

SQL Injection Vulnerability
---------------------------

The various reports available are implemented as DLLs. Several of these
perform no input validation, and hence it is possible that an attacker could
execute arbitrary SQL queries against the database:

  http://reports-server:8888/SimpleBar.dll/RunReport?...

Note:
-----

The banner returned by the server is 'MS-MFC-HttpSvr/1.0'. A search for this
returned the following link:

  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcsample98/html/_sample_mfc_httpsvr.asp

The reports server appears to be based on a sample application from
Microsoft. Other servers based on this sample may be vulnerable to the
directory traversal and DoS attacks.

Vendor Response:
================

The vendor, SurfControl, was initially contacted on 18/07/02. The vendor
stated that they were looking at ways to deliver reports in different
formats, and that these would encompass tighter security. They had no
definite timescales for this, but suggested the workaround given below.

Patch Information:
==================

No patch available.

Vendor supplied workaround: Disable the reports server and consider using a
terminal session to the server to access the reports.

This advisory is available online at:

  http://www.westpoint.ltd.uk/wp-02-0005.txt
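The traversal and the large-GET issues described above come down to two checks the MFC-derived server did not make, and the remaining issues leave recognisable traces in an access log. The following is an added example written for this page, not code from the advisory or from SurfControl: a document-root containment check that treats any dot-only path segment ('..', '...', '....') as invalid and confirms the resolved path stays under the root, plus a log-scanning rule that flags the advisory's attack classes (dot-segment traversal, oversized request lines, reads of /surf/scwebusers, and SQL metacharacters in a RunReport query). The log format, the 2048-byte "large request" threshold, and the RunReport parameter name in the sample lines are assumptions made for the example.

```python
"""Added example for the wp-02-0005 advisory (not the advisory's or SurfControl's code).

resolve_within_root() is the containment check a file-serving handler needs;
scan_log_line()/scan_log() are detection rules over Common Log Format lines.
Log format, thresholds and sample query parameters below are assumptions.
"""
import os
import posixpath
import re
from urllib.parse import unquote, urlsplit

DOT_ONLY_SEGMENT = re.compile(r"^\.{2,}$")   # '..', '...', '....' and so on
SQL_META = re.compile(r"(--|;|'|/\*|\bunion\b|\bselect\b)", re.IGNORECASE)
MAX_REQUEST_LINE = 2048                       # assumed threshold for a "large" GET

# Apache/IIS-style Common Log Format (assumed; adjust to the real server's log)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def resolve_within_root(docroot: str, url_path: str):
    """Return the absolute file path for url_path if it stays under docroot, else None.

    Rejecting every dot-only segment (not just '..') closes the '...' variant;
    the commonpath test then guarantees the normalised target is inside docroot.
    """
    decoded = unquote(url_path)                # decode %2e%2e%2e before inspection
    if any(DOT_ONLY_SEGMENT.match(seg) for seg in decoded.split("/")):
        return None
    norm = posixpath.normpath("/" + decoded)   # collapse '.' and duplicate slashes
    root = os.path.abspath(docroot)
    target = os.path.abspath(os.path.join(root, norm.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def scan_log_line(line: str):
    """Return a list of finding tags for one access-log line (empty list = benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    target = m.group("target")
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = unquote(parts.query)
    findings = []
    if any(DOT_ONLY_SEGMENT.match(seg) for seg in path.split("/")):
        findings.append("dot-segment-traversal")
    if len(m.group("method")) + 1 + len(target) > MAX_REQUEST_LINE:
        findings.append("oversized-request")
    if path.lower().endswith("/surf/scwebusers"):
        findings.append("credential-file-read")
    if path.lower().endswith(".dll/runreport") and SQL_META.search(query):
        findings.append("sql-meta-in-report-query")
    return findings


def scan_log(lines):
    """Return (client ip, findings) for every line that produced findings."""
    hits = []
    for line in lines:
        findings = scan_log_line(line)
        if findings:
            ip = line.split(" ", 1)[0]
            hits.append((ip, findings))
    return hits


# Constructed sample log lines (not real traffic); the query parameter name is made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Oct/2002:16:53:18 +0100] "GET /surf/Reports.html HTTP/1.0" 200 4120',
    '10.0.0.9 - - [02/Oct/2002:16:54:02 +0100] "GET /.../.../.../winnt/win.ini HTTP/1.0" 200 512',
    '10.0.0.9 - - [02/Oct/2002:16:54:30 +0100] "GET /surf/scwebusers HTTP/1.0" 200 233',
    '10.0.0.9 - - [02/Oct/2002:16:55:01 +0100] "GET /SimpleBar.dll/RunReport?report=2002%27-- HTTP/1.0" 500 0',
    '10.0.0.9 - - [02/Oct/2002:16:56:10 +0100] "GET /' + "A" * 3000 + ' HTTP/1.0" 400 0',
]

if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(findings))
    print(resolve_within_root("/srv/reports", "/.../.../winnt/win.ini"))   # None
    print(resolve_within_root("/srv/reports", "/surf/Reports.html"))
```

The containment check deliberately does both steps: the dot-only filter stops the server from ever handing an odd segment such as '...' to the Win32 file API, whose interpretation the advisory shows is not the one a simple '..' filter expects, and the `commonpath` comparison is the check that holds even for inputs the filter never anticipated. The log rule is a starting point for a SOC: a single oversized request is noise, so in practice the "oversized-request" tag would be counted per client over a time window before alerting on the CPU-exhaustion pattern the advisory describes.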