imperva.crystal2.txt

2004-06-09T00:00:00
ID PACKETSTORM:33511
Type packetstorm
Reporter Amichai Shulman
Modified 2004-06-09T00:00:00

Description

                                        
                                            `Dear List,  
  
Imperva(tm)'s Applidcation Defense Center has recently discovered a  
vulnerability in Business Objects' Crystal Reports Web Delivery Modules.  
This vulnerability may lead to arbitrary file access and denial of  
service.  
  
Following are the advisory's details.  
========================================================================  
===  
  
Title  
=====  
Arbitrary File Access and Denial of Service Vulnerabilities in the  
Business Objects' Crystal Report Web Delivery Modules  
  
Background  
==========  
Crystal Reports and Crystal Enterprise are a leading reporting and data  
presentation solution from Business Objects(r) (who acquired Business  
Decisions earlier this year). Both contain components for web delivery  
of reports, using various common web technologies (ASP, ASP.NET, jsp  
etc.). Those web presentation components render the requested report  
into HTML documents delivered to the end user through a web server.  
Images, especially charts and graphs, included in the report are  
rendered as temporary PNG files linked to from the HTML document. The  
temporary PNG files are delivered through a dedicated module upon  
request from a client (e.g. a web browser) and then deleted.  
  
Scope  
=====  
Imperva(tm)'s Application Defense Center has conducted research on the  
widely used Crystal Reports product and have determined that the modules  
which deliver image files through the web are vulnerable in a way that  
can be exploited for arbitrary file access and denial of service.  
  
The Findings  
============  
While using Crystal Report in a web environment, there are modules for  
delivering image files (charts, graphs, dynamically chosen pictures,  
etc.). There is one such module for each prominent web delivery  
technology (ASP, ASP.NET and jsp). These modules deliver an image file  
by its name and then remove it from hard disk. An attacker is able to  
use this module to access arbitrary files on the server and remove them.  
  
Details  
=======  
1. Arbitrary File Access and Removal  
------------------------------------  
The web reporting engine of the Crystal Reports package renders a report  
as an HTML document that contains hyperlinks to images. The images are  
not accessed directly from the client but rather delivered through a  
dedicated module (crystalimagehandler.aspx, crystalimagehandler.asp or  
crystalimagehandler.jsp). This module accepts a single parameter called  
dynamicimage that specifies the name of a temporary image file created  
by the rendering engine. The file is delivered to the client and then,  
by default, removed from the disk. A common request would be similar to  
the following:  
http://foo.bar/crystalreportviewers/crystalimagehandler.aspx?dynamicimag  
e=2a7173aa-a2e4-4f96-b9e1-11332c696bbd.png  
Which will send the file named 2a7173aa-a2e4-4f96-b9e1-11332c696bbd.png  
to the requesting client, and delete it. The module is susceptible to  
directory traversal and would deliver any file on the disk that is  
specified by the parameter dynamiciamge. Hence, if the image files are  
created in c:\winnt\temp then the following request:  
http://foo.bar/crystalreportviewers/crystalimagehandler.aspx?dynamicimag  
e=..\win.ini  
delivers the file win.ini and the following request:  
http://foo.bar/crystalreportviewers/crystalimagehandler.aspx?dynamicimag  
e=..\..\boot.ini  
delivers the file boot.ini from the disk's root directory.  
In addition to delivering the request file which may contain  
confidential information the module removes the file from the disk. This  
of course may lead to a denial of service. For example, if win.ini is  
request through this module it will be removed from the disk and the  
attacked server will not be able to reboot.  
  
2. Disk Space Exhaustion  
------------------------  
The Crystal Reports web delivery module relies on the image delivery  
module to both deliver the image file and cleanup the disk space it  
occupies. Hence, calling the report generation modules repeatedly  
without retrieving the related images (e.g. by using a Perl script)  
causes the report engine to take up more and more space in the image  
file folder. Not only is disk space consumed quickly but response time  
for other users become substantially longer as the number of files in  
the folder increase. Eventually disk space will become exhausted.  
  
Exploit  
=======  
The exploit is carried out by simply sending a request URL to the  
crystal reports server that looks like this:  
http://foo.bar/crystalreportviewers/crystalimagehandler.aspx?dynamicimag  
e=..\..\..\..\..\mydocuments\private\passwords.txt  
  
Version Tested  
==============  
Crystal Reports version 9  
Crystal Enterprise version 9  
Crystal Reports version 10  
Crystal Enterprise version 10  
  
Vendor's Response  
=================  
Business Objects were notified of the vulnerability on April 26th 2004,  
and acknowledged the vulnerability on May 4th. They published a security  
bulletin and a patch for the problem on June 8th.   
Business Objects' security bulletin is avialable at  
http://support.businessobjects.com/fix/hot/critical/bulletins/security_b  
ulletin_june04.asp  
The patch for the vulnerability is available at  
http://support.businessobjects.com/fix/hot/critical/default.asp  
  
Credit  
======  
The vulnerabilirty was discovered on April 20th, 2004, by Moran Surf and  
Amichai Shulman, as part of Imperva's Application Defense Center  
research activities.  
  
  
  
  
---  
Imperva Application Defense Center  
http://www.imperva.com/adc/  
`