Westpoint Security Advisory
Title: Multiple Vulnerabilities in SuperScout Web Reports Server
Risk Rating: High
Software: SurfControl SuperScout WebFilter
Platforms: Win32 (WinNT/ Win2k)
Vendor URL: www.surfcontrol.com
Author: Matt Moore <[email protected]>
Date: 1st October 2002
Advisory ID#: wp-02-0005
CVE#: CAN-2002-0705 - username/passwords accessible
CAN-2002-0706 - weak encryption for passwords
CAN-2002-0707 - large GET requests
CAN-2002-0708 - Triple dot directory traversal
CAN-2002-0709 - SQL injection
Surfcontrol's SuperScout Web Filter for Windows allows companies to monitor
and regulate their employees use of the internet. It offers comprehensive
reporting capabilities, and provides a 'web' interface for report
retrieval.
Multiple vulnerabilities in the Web Reports Server could allow remote
attackers
to compromise the host on which SuperScout is installed and also modify
or remove
information from the database that it uses.
The file located at:
http://reports-server:8888/surf/scwebusers
contains the usernames and passwords for each user of the reports server.
The usernames are in plain text, whilst the passwords are encrypted.
The encryption is implemented via a simple JavaScript, located at:
http://reports-server:8888/surf/JavaScript/UserManager.js
The EncryptString function takes two parameters 'text string' and 'key'.
Unfortunately, the key is hard-coded into another javaScript function and
hence it is trivial to decrypt the passwords. (The key is 'test').
The default administrative password, '3&8>>' decrypts to 'admin'.
As a result of this, an attacker can access any reports available
on the server.
Repeated large GET requests cause the reports service to consume 100% CPU,
at which point it no longer services requests. The server does appear to
recover eventually. However, this was not tested extensively.
An attacker can retrieve any file on the server via a simple directory
traversal attack, e.g.
http://reports-server:8888/.../.../.../.../.../.../.../winnt/win.ini
The various reports available are implemented as .dll's. Several of
these perform
no input validation, and hence it is possible that an attacker could
execute
arbitrary SQL queries against the database:
http://reports-server:8888/SimpleBar.dll/RunReport ?..<various parameters>
The banner returned by the server is 'MS-MFC-HttpSvr/1.0'. A search for
this
returned the following link:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcsample98/
html/_sample_mfc_httpsvr.asp
The reports server appears to be based on a sample application from
Microsoft.
Other servers based on this may be vulnerable to the directory traversal
and DoS attacks.
The vendor, SurfControl was initially contacted on 18/07/02.
The vendor stated that they were looking at ways to deliver reports
in different formats, and that these would encompass tighter security.
They had no definite timescales for this, but suggested the following
workaround (below).
No patch available. Vendor supplied workaround:
Disable the reports server and consider using a terminal session to
the server to access the reports.
This advisory is available online at: