cognos.powerplay.txt

Packet Storm (packetstormsecurity.com), PACKETSTORM:11769
Archived: Aug 17, 1999 - 12:00 a.m.
Date: Mon, 28 Jun 1999 07:29:37 -0400  
From: Darin White <[email protected]>  
To: [email protected]  
Subject: Cognos PowerPlay Web Edition security  
  
WEB SECURITY ADVISORY  
  
-------------  
Release Date: 1999-06-25  
Application: Cognos PowerPlay Web Edition  
Severity: Unauthenticated web users can sniff cube data  
Author: Darin White  
Operating Sys: Microsoft NT Server  
--------------  
  
I. Description  
  
Due to design problems, as well as some potential web server  
misconfiguration, PowerPlay Web Edition may serve up data cubes  
in a non-secure manner. Executing the PowerPlay CGI  
pulls cube data into files in an unprotected temporary  
directory. Those files are then fed back to frames in the  
browser. In some cases it is trivial for an unauthenticated  
user to tap into those data files before they are purged.  
Cognos has been contacted but does not regard this as a  
serious exposure (see appendix B below).  
  
The issues are:  
(a) dynamic directory listing  
(b) weak temporary filename algorithm  
(c) ad hoc parameters to the CGI  
  
  
II. Details  
  
Identifying PowerPlay sites is quickly accomplished using AltaVista:  
http://www.altavista.com/cgi-bin/query?pg=q&kl=XX&q=%2Blink%3Appdscgi.exe&search=Search  
which hits all pages containing a link to the PowerPlay CGI  
ppdscgi.exe on NT.  
  
Normal authentication for protected cubes occurs when a user selects  
a link like:  
<A href="/cgi-bin/ppdscgi.exe?XT=EXAMPLE&LA=en&LO=en">Example</a>  
At this point the user is prompted for a userid and password.  
Beyond this check there seems to be no verification that data  
is being fed out to the browser that requested it and was  
authorized.  
  
(a) dynamic directory listing  
Netscape Enterprise Server 3.5.1 appears to be serving up dynamic  
directory listings by default. A known PowerPlay site can be hit  
with a request for http://www.example.com/ppwb/Temp/ which will  
return something like:  
  
/ppwb/Temp/ -  
  
6/25/99 9:17 AM 17904 1ad6t.htm  
6/25/99 9:17 AM 37828 1ad6x.htm  
  
Here we see two temporary files created by one initial cube request.  
The suffix 't' in the first filename denotes the PowerPlay toolbar  
and 'x' denotes the data content. These files are fed back to the  
browser to populate two frames. Clicking on the content filename  
will allow any user to browse the current cube view with no  
authentication challenge even if the cube has been password-protected.  
Once into the cube the user may continue to drill for further data.  
  
(b) weak temporary filename algorithm  
Sites that have disabled directory listing may still be vulnerable.  
Many sites using PowerPlay offer a mix of protected and unprotected  
cubes. Some sites also offer an anonymous user account (let's say  
"guest" for example). The PowerPlay CGI uses a common temporary  
directory for serving all cubes back to the browser. Using the  
guest account or viewing an unprotected cube a user may right-click  
the content area and select View Frame Info which will display  
the temporary filename. By repeatedly reloading the initial cube  
view and viewing frame info a list of temporary filenames may be  
generated in order to analyze the filename algorithm. e.g.  
http://www.example.com/ppwb/Temp/1eeex.htm  
http://www.example.com/ppwb/Temp/1f77x.htm  
http://www.example.com/ppwb/Temp/1fcfx.htm  
http://www.example.com/ppwb/Temp/1ff6x.htm  
http://www.example.com/ppwb/Temp/2014x.htm  
  
Analysis of the filename progression shows:  
* the last char is 'x' for the data and 't' for the toolbar  
* the first n-1 chars are hexadecimal digits only  
* the hexadecimal "numbers" comprising the filename are ascending only  
* the first char is never 0. e.g. fffx.htm => 1000x.htm  
* simple hexadecimal subtraction on the first n-1 chars of consecutive  
filenames shows a very predictable pattern (see appendix A)  
  
A user may orient themselves in the namespace (the set of all possible  
filenames) by using a guest account or unprotected cube. Once oriented  
a set of candidate filenames may be generated and requested from  
/ppwb/Temp on the server. Of course this approach assumes valid  
users are hitting the cubes at the same time. Once a successful  
hit has been made on a temporary file the user may drill further  
into the data as described in (a) above.  
  
Alternatively a brute force attack on a server could be attempted  
by just submitting requests for all possible filenames. Of course if  
you could establish some idea of how long the site has been operational  
you might start with 4-char filenames. A very new site with low traffic  
(if the owner displays a page counter) might be best approached with  
3-char names. This type of attack would present a beat-the-clock  
situation as the ~65000 requests (for 4-char) scanned for an existing  
file before it was purged from the Temp directory.  
  
(c) ad hoc parameters to the CGI  
A variety of parameters to http://www.example.com/cgi-bin/ppdscgi.exe  
provide additional information on the PowerPlay server.  
* ?ABOUT= will return the version of PowerPlay.  
* ?TOC (or no parameter) presents a table of contents list of all  
web-enabled cubes on the server. Some sites are using static page  
links to hit cubes rather than relying on PowerPlay's generated TOC.  
They may not be aware that all cubes are available.  
* the hidden parameter PPWB in the data contents frame details the unaliased  
location of the temporary directory. e.g.  
<INPUT TYPE="HIDDEN" NAME="PPWB" VALUE="C:/Netscape/SuiteSpot/docs/ppwb">  
  
  
III. Solution  
  
(a) dynamic directory listing  
Turn this feature off on your web server following the directions  
provided by the server vendor. If you are unable to disable this  
feature you may create an index.html file in the /ppwb/Temp directory  
that will load when a filename has not been specified in the URL.  
  
(b) weak temporary filename algorithm  
This is really on Cognos' plate. Watch your error logfile for  
a lot of failed requests for /ppwb/Temp/*.htm to at least detect  
an attack. Removing anonymous cube access may slow an attack.  
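One way to implement the logfile check recommended above, added here as an example and not part of the advisory: it parses NCSA common log format entries (the sample below is constructed, not taken from any real server) and reports clients that produced a burst of failed requests for /ppwb/Temp/*.htm. The threshold and time window are assumed values to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries in NCSA common log format (Netscape Enterprise
# Server's default). 192.0.2.7 is a hypothetical host guessing names under
# /ppwb/Temp; 10.0.0.5 is a normal cube user who hit one purged file.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jun/1999:09:17:02 -0400] "GET /ppwb/Temp/1ad6x.htm HTTP/1.0" 200 37828
192.0.2.7 - - [25/Jun/1999:09:17:10 -0400] "GET /ppwb/Temp/1ad0x.htm HTTP/1.0" 404 207
192.0.2.7 - - [25/Jun/1999:09:17:11 -0400] "GET /ppwb/Temp/1ad1x.htm HTTP/1.0" 404 207
192.0.2.7 - - [25/Jun/1999:09:17:12 -0400] "GET /ppwb/Temp/1ad2x.htm HTTP/1.0" 404 207
192.0.2.7 - - [25/Jun/1999:09:17:13 -0400] "GET /ppwb/Temp/1ad3x.htm HTTP/1.0" 404 207
192.0.2.7 - - [25/Jun/1999:09:17:14 -0400] "GET /ppwb/Temp/1ad4x.htm HTTP/1.0" 404 207
10.0.0.5 - - [25/Jun/1999:09:19:40 -0400] "GET /ppwb/Temp/1ae2x.htm HTTP/1.0" 404 207
"""

LINE_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^ \]]+)[^\]]*\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TEMP_RE = re.compile(r'^/ppwb/Temp/[0-9a-f]+[xt]\.htm$', re.IGNORECASE)

def failed_temp_requests(log_text):
    """Map client host -> sorted timestamps of 404s for /ppwb/Temp/*.htm."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m['status'] == '404' and TEMP_RE.match(m['path']):
            hits[m['host']].append(datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S'))
    return {h: sorted(t) for h, t in hits.items()}

def flag_scanners(log_text, threshold=5, window=timedelta(minutes=1)):
    """Hosts that produced >= threshold such 404s within any `window`;
    the value is the largest burst seen. One or two misses are normal (a
    user reloading a frame after its temp file was purged); a burst is not."""
    flagged = {}
    for host, times in failed_temp_requests(log_text).items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            burst = end - start + 1
            if burst >= threshold:
                flagged[host] = max(flagged.get(host, 0), burst)
    return flagged

if __name__ == '__main__':
    print(flag_scanners(SAMPLE_LOG))  # {'192.0.2.7': 5}
```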
  
(c) ad hoc parameters to the CGI  
Just be aware of what is available by altering the parameters.  
Don't assume your cubes are hidden because there is no direct  
link to the table of contents from the web. Password protect  
your cubes.  
  
DW  
  
APPENDIX A  
  
Here's the output of one subtraction run which shows the v6.5  
temporary filenames and then the hex delta between adjacent filenames:  
  
Processing test.dat ...  
2161x.htm  
216bx.htm Ax  
2188x.htm 1Dx  
2192x.htm Ax  
219cx.htm Ax  
21a6x.htm Ax  
21afx.htm 9x  
21b9x.htm Ax  
21c3x.htm Ax  
21cdx.htm Ax  
21d7x.htm Ax  
21e0x.htm 9x  
21eax.htm Ax  
21f4x.htm Ax  
21fex.htm Ax  
2207x.htm 9x  
2211x.htm Ax  
221bx.htm Ax  
2225x.htm Ax  
222fx.htm Ax  
2238x.htm 9x  
2242x.htm Ax  
224cx.htm Ax  
2256x.htm Ax  
2260x.htm Ax  
2269x.htm 9x  
2273x.htm Ax  
227dx.htm Ax  
2287x.htm Ax  
2291x.htm Ax  
229ax.htm 9x  
  
SUMMARY  
diff count  
A : 23  
1D : 1  
9 : 6  
out of 31 filenames  
  
Here are some other summaries:  
  
SUMMARY  
diff count  
203B : 1  
DF : 1  
13 : 4  
A : 10  
14 : 3  
27 : 1  
9 : 1  
out of 22 filenames  
  
SUMMARY  
diff count  
3E : 1  
A : 19  
9 : 5  
out of 26 filenames  
  
Analysis of filenames created under v6.0 of PowerPlay Web Ed. showed:  
  
25bx.htm  
25cx.htm 1x  
25dx.htm 1x  
25ex.htm 1x  
25fx.htm 1x  
260x.htm 1x  
261x.htm 1x  
262x.htm 1x  
263x.htm 1x  
264x.htm 1x  
265x.htm 1x  
266x.htm 1x  
267x.htm 1x  
268x.htm 1x  
269x.htm 1x  
26ax.htm 1x  
26bx.htm 1x  
26cx.htm 1x  
  
SUMMARY  
diff count  
1 : 17  
out of 18 filenames  
  
SUMMARY  
diff count  
37E : 1  
1 : 491  
out of 493 filenames  
  
SUMMARY  
diff count  
1E7 : 1  
1 : 295  
out of 297 filenames  
  
SUMMARY  
diff count  
1 : 1255  
out of 1256 filenames  
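
The subtraction run from Appendix A and the filename analysis in section (b), reproduced as an added example (my code, not the advisory's own tool): it parses the v6.5 and v6.0 filename lists printed above, computes the hex delta between consecutive names and the SUMMARY counts, and reports what fraction of steps are the single most common step, the figure an administrator can compute over a listing of their own Temp directory to see how regular the generator is.

```python
import re
from collections import Counter

# The 31 v6.5 and 18 v6.0 data-frame filenames exactly as listed in the
# subtraction runs above, in the same order.
V65_NAMES = """2161x.htm 216bx.htm 2188x.htm 2192x.htm 219cx.htm 21a6x.htm 21afx.htm
21b9x.htm 21c3x.htm 21cdx.htm 21d7x.htm 21e0x.htm 21eax.htm 21f4x.htm 21fex.htm
2207x.htm 2211x.htm 221bx.htm 2225x.htm 222fx.htm 2238x.htm 2242x.htm 224cx.htm
2256x.htm 2260x.htm 2269x.htm 2273x.htm 227dx.htm 2287x.htm 2291x.htm 229ax.htm""".split()
V60_NAMES = """25bx.htm 25cx.htm 25dx.htm 25ex.htm 25fx.htm 260x.htm 261x.htm 262x.htm
263x.htm 264x.htm 265x.htm 266x.htm 267x.htm 268x.htm 269x.htm 26ax.htm 26bx.htm
26cx.htm""".split()

# First n-1 chars are hex digits, last char is 'x' (data) or 't' (toolbar).
NAME_RE = re.compile(r'^([0-9a-f]+)([xt])\.htm$', re.IGNORECASE)

def counter_value(name):
    """Integer value of the hex prefix of a temp filename, or None if the
    name does not follow the PowerPlay pattern (e.g. an index.html)."""
    m = NAME_RE.match(name)
    return int(m.group(1), 16) if m else None

def hex_deltas(names):
    """Upper-case hex difference between each consecutive pair of names
    (the second column of the subtraction runs)."""
    values = [v for v in map(counter_value, names) if v is not None]
    return [format(b - a, 'X') for a, b in zip(values, values[1:])]

def summary(names):
    """The SUMMARY block: {delta: count} and the number of filenames."""
    return dict(Counter(hex_deltas(names))), len(names)

def step_regularity(names):
    """Fraction of steps equal to the single most common step. Close to 1.0
    means the next filename is essentially a fixed increment of the last."""
    deltas = hex_deltas(names)
    if not deltas:
        return 0.0
    return Counter(deltas).most_common(1)[0][1] / len(deltas)

if __name__ == '__main__':
    for label, names in (('v6.5', V65_NAMES), ('v6.0', V60_NAMES)):
        counts, n = summary(names)
        print(label, counts, 'out of', n, 'filenames',
              'regularity %.2f' % step_regularity(names))
```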
  
  
APPENDIX B  
  
1999-06-10 analysis submitted to Cognos  
1999-06-11 submission acknowledged  
1999-06-18 response from Cognos (below)  
-----------------------------  
Hello Darin,  
  
Thank you for the descriptive analysis of your problem. I understand that  
you have set up anonymous access and therefore you are aware of the security  
risk. I agree that the temp file generation is predictable and would suggest  
logging an enhancement through our web site.  
  
In the interim you have to weigh what is acceptable in terms of security  
knowing that there are other alternatives such as SSL and LDAP. These other  
options will of course offer substantially more protection.  
  
In conclusion, your analysis is correct; now it is a factor of weighing your  
security wants and needs.  
  
Regards,  
  
Michael Bockholt  
Cognos Support Specialist  
Tel: 1-800-637-7447  
email: [email protected]  
-----------------------------  
  
  
--------------------------------------------------------------------  
Darin White  
[email protected]  
--------------------------------------------------------------------  
  