wp--02-0005: Multiple Vulnerabilities in SuperScout Web Reports Server

[Matt Moore <matt () westpoint ltd uk>]

Westpoint Security Advisory

Title:         Multiple Vulnerabilities in SuperScout Web Reports Server
Risk Rating:   High
Software:      SurfControl SuperScout WebFilter
Platforms:     Win32 (WinNT/ Win2k)
Vendor URL:    www.surfcontrol.com
Author:        Matt Moore <matt () westpoint ltd uk>
Date:          1st October 2002
Advisory ID#:  wp-02-0005
CVE#:          CAN-2002-0705 - username/passwords accessible
               CAN-2002-0706 - weak encryption for passwords
               CAN-2002-0707 - large GET requests
               CAN-2002-0708 - Triple dot directory traversal
               CAN-2002-0709 - SQL injection

Overview:
=========

Surfcontrol's SuperScout Web Filter for Windows allows companies to monitor
and regulate their employees use of the internet. It offers comprehensive
reporting capabilities, and provides a 'web' interface for report 
retrieval.

Multiple vulnerabilities in the Web Reports Server could allow remote 
attackers
to compromise the host on which SuperScout is installed and also modify 
or remove
information from the database that it uses.

Details:
========

Usernames and Passwords Retrievable.
------------------------------------
The file located at:

http://reports-server:8888/surf/scwebusers

contains the usernames and passwords for each user of the reports server.
The usernames are in plain text, whilst the passwords are encrypted.

Weak Encryption
---------------
The encryption is implemented via a simple JavaScript, located at:

http://reports-server:8888/surf/JavaScript/UserManager.js

The EncryptString function takes two parameters 'text string' and 'key'.

Unfortunately, the key is hard-coded into another javaScript function and
hence it is trivial to decrypt the passwords. (The key is 'test').

The default administrative password, '3&8>>' decrypts to 'admin'.

As a result of this, an attacker can access any reports available
on the server.

DoS via Large GET request
-------------------------
Repeated large GET requests cause the reports service to consume 100% CPU,
at which point it no longer services requests. The server does appear to
recover eventually. However, this was not tested extensively.

Triple Dot Directory Traversal
------------------------------
An attacker can retrieve any file on the server via a simple directory
traversal attack, e.g.

http://reports-server:8888/.../.../.../.../.../.../.../winnt/win.ini

SQL Injection Vulnerability
---------------------------
The various reports available are implemented as .dll's. Several of 
these perform
no input validation, and hence it is possible that an attacker could 
execute
arbitrary SQL queries against the database:

http://reports-server:8888/SimpleBar.dll/RunReport ?...<various parameters>

Note:
-----
The banner returned by the server is 'MS-MFC-HttpSvr/1.0'. A search for 
this
returned the following link:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcsample98/ 

html/_sample_mfc_httpsvr.asp

The reports server appears to be based on a sample application from 
Microsoft.
Other servers based on this may be vulnerable to the directory traversal
and DoS attacks.

Vendor Response:
================
The vendor, SurfControl was initially contacted on 18/07/02.

The vendor stated that they were looking at ways to deliver reports
in different formats, and that these would encompass tighter security.
They had no definite timescales for this, but suggested the following
workaround (below).

Patch Information:
==================

No patch available. Vendor supplied workaround:

Disable the reports server and consider using a terminal session to
the server to access the reports.

This advisory is available online at:

http://www.westpoint.ltd.uk/wp-02-0005.txt