From d.w@IBM.NET Fri Sep 3 12:38:26 1999
From: Darin White
X-Sender: cainet.darinw1@pop5.ibm.net
Resent-From: mea culpa
To: BUGTRAQ@netspace.org
Resent-To: jericho@attrition.org
Date: Mon, 28 Jun 1999 07:29:37 -0400
Subject: Cognos PowerPlay Web Edition security

WEB SECURITY ADVISORY
-------------
Release Date:   1999-06-25
Application:    Cognos PowerPlay Web Edition
Severity:       Unauthenticated web users can sniff cube data
Author:         Darin White
Operating Sys:  Microsoft NT Server
--------------

I. Description

Due to design problems, as well as some potential web server misconfiguration, PowerPlay Web Edition may serve up data cubes in a non-secure manner. Execution of the PowerPlay CGI pulls cube data into files in an unprotected temporary directory. Those files are then fed back to frames in the browser. In some cases it is trivial for an unauthenticated user to tap into those data files before they are purged.

Cognos has been contacted but does not regard this as a serious exposure (see Appendix B below).

The issues are:

(a) dynamic directory listing
(b) weak temporary filename algorithm
(c) ad hoc parameters to the CGI

II. Details

Identifying PowerPlay sites is quickly accomplished using AltaVista:

http://www.altavista.com/cgi-bin/query?pg=q&kl=XX&q=%2Blink%3Appdscgi.exe&search=Search

which hits all pages containing a link to the PowerPlay CGI ppdscgi.exe on NT.

Normal authentication for protected cubes occurs when a user selects a link like:

Example

At this point the user is prompted for a userid and password. Beyond this check there seems to be no verification that the data being fed out goes to the browser that requested it and was authorized.

(a) dynamic directory listing

Netscape Enterprise Server 3.5.1 appears to be serving up dynamic directory listings by default. A known PowerPlay site can be hit with a request for

http://www.example.com/ppwb/Temp/

which will return something like:

/ppwb/Temp/ -
6/25/99 9:17 AM     17904  1ad6t.htm
6/25/99 9:17 AM     37828  1ad6x.htm

Here we see two temporary files created by one initial cube request. The suffix 't' in the first filename denotes the PowerPlay toolbar and 'x' denotes the data content. These files are fed back to the browser to populate two frames. Clicking on the content filename will allow any user to browse the current cube view with no authentication challenge, even if the cube has been password-protected. Once into the cube the user may continue to drill for further data.

(b) weak temporary filename algorithm

Sites that have disabled directory listing may still be vulnerable. Many sites using PowerPlay offer a mix of protected and unprotected cubes. Some sites also offer an anonymous user account (let's say "guest" for example). The PowerPlay CGI uses a common temporary directory for serving all cubes back to the browser.

Using the guest account or viewing an unprotected cube, a user may right-click the content area and select View Frame Info, which will display the temporary filename. By repeatedly reloading the initial cube view and viewing frame info, a list of temporary filenames may be generated in order to analyze the filename algorithm, e.g.

http://www.example.com/ppwb/Temp/1eeex.htm
http://www.example.com/ppwb/Temp/1f77x.htm
http://www.example.com/ppwb/Temp/1fcfx.htm
http://www.example.com/ppwb/Temp/1ff6x.htm
http://www.example.com/ppwb/Temp/2014x.htm

Analysis of the filename progression shows:

* the last char is 'x' for the data and 't' for the toolbar
* the first n-1 chars are hexadecimal chars only
* the hexadecimal "numbers" comprising the filename are ascending only
* the first char is never 0, e.g. fffx.htm => 1000x.htm
* simple hexadecimal subtraction on the first n-1 chars of consecutive filenames shows a very predictable pattern (see Appendix A)

A user may orient themselves in the namespace (the set of all possible filenames) by using a guest account or an unprotected cube. Once oriented, a set of candidate filenames may be generated and requested from /ppwb/Temp on the server. Of course this approach assumes valid users are hitting the cubes at the same time. Once a successful hit has been made on a temporary file, the user may drill further into the data as described in (a) above.

Alternatively a brute force attack on a server could be attempted by just submitting requests for all possible filenames. Of course, if you could establish some idea of how long the site has been operational you might start with 4-char filenames. A very new site with low traffic (if the owner displays a page counter) might be best approached with 3-char names. This type of attack would present a beat-the-clock situation, as the ~65000 requests (for 4-char names) scanned for an existing file before it was purged from the Temp directory.

(c) ad hoc parameters to the CGI

A variety of parameters to http://www.example.com/cgi-bin/ppdscgi.exe provide additional information on the PowerPlay server.

* ?ABOUT= will return the version of PowerPlay.
* ?TOC (or no parameter) presents a table of contents listing all web-enabled cubes on the server. Some sites are using static page links to hit cubes rather than relying on PowerPlay's generated TOC. They may not be aware that all cubes are available.
* the hidden parameter PPWB in the data contents frame details the unaliased location of the temporary directory, e.g.

  <INPUT TYPE="HIDDEN" NAME="PPWB" VALUE="C:/Netscape/SuiteSpot/docs/ppwb">

III. Solution

(a) dynamic directory listing

Turn this feature off on your web server following the directions provided by the server vendor. If you are unable to disable this feature, you may create an index.html file in the /ppwb/Temp directory that will load when a filename has not been specified in the URL.

(b) weak temporary filename algorithm

This is really on Cognos' plate. Watch your error logfile for a lot of failed requests for /ppwb/Temp/*.htm to at least detect an attack. Removing anonymous cube access may slow an attack.

(c) ad hoc parameters to the CGI

Just be aware of what is available by altering the parameters. Don't assume your cubes are hidden because there is no direct link to the table of contents from the web. Password protect your cubes.

DW

APPENDIX A

Here's the output of one subtraction run, which shows the v6.5 temporary filenames and then the hex delta between adjacent filenames:

Processing test.dat ...
2161x.htm
216bx.htm   Ax
2188x.htm   1Dx
2192x.htm   Ax
219cx.htm   Ax
21a6x.htm   Ax
21afx.htm   9x
21b9x.htm   Ax
21c3x.htm   Ax
21cdx.htm   Ax
21d7x.htm   Ax
21e0x.htm   9x
21eax.htm   Ax
21f4x.htm   Ax
21fex.htm   Ax
2207x.htm   9x
2211x.htm   Ax
221bx.htm   Ax
2225x.htm   Ax
222fx.htm   Ax
2238x.htm   9x
2242x.htm   Ax
224cx.htm   Ax
2256x.htm   Ax
2260x.htm   Ax
2269x.htm   9x
2273x.htm   Ax
227dx.htm   Ax
2287x.htm   Ax
2291x.htm   Ax
229ax.htm   9x

SUMMARY
diff  count
A   : 23
1D  : 1
9   : 6
out of 31 filenames

Here are some other summaries:

SUMMARY
diff  count
203B : 1
DF   : 1
13   : 4
A    : 10
14   : 3
27   : 1
9    : 1
out of 22 filenames

SUMMARY
diff  count
3E  : 1
A   : 19
9   : 5
out of 26 filenames

Analysis of filenames created under v6.0 of PowerPlay Web Ed. showed:

25bx.htm
25cx.htm   1x
25dx.htm   1x
25ex.htm   1x
25fx.htm   1x
260x.htm   1x
261x.htm   1x
262x.htm   1x
263x.htm   1x
264x.htm   1x
265x.htm   1x
266x.htm   1x
267x.htm   1x
268x.htm   1x
269x.htm   1x
26ax.htm   1x
26bx.htm   1x
26cx.htm   1x

SUMMARY
diff  count
1   : 17
out of 18 filenames

SUMMARY
diff  count
37E : 1
1   : 491
out of 493 filenames

SUMMARY
diff  count
1E7 : 1
1   : 295
out of 297 filenames

SUMMARY
diff  count
1   : 1255
out of 1256 filenames

APPENDIX B

1999-06-10  analysis submitted to Cognos
1999-06-11  submission acknowledged
1999-06-18  response from Cognos (below)

-----------------------------
Hello Darin,

Thank you for the descriptive analysis of your problem. I understand that you have set up anonymous access and therefore you are aware of the security risk. I agree that the temp file generation is predictable and would suggest logging an enhancement through our web site. In the interim you have to weigh what is acceptable in terms of security, knowing that there are other alternatives such as SSL and LDAP. These other options will of course offer substantially more protection.

In conclusion your analysis is correct; now it is a factor of weighing your security wants and needs.

Regards,

Michael Bockholt
Cognos Support Specialist
Tel: 1-800-637-7447
email: support@cognos.com
-----------------------------

--------------------------------------------------------------------
Darin White   d.w@ibm.net
--------------------------------------------------------------------
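Solution (b) above suggests watching the web server log for bursts of failed requests against /ppwb/Temp/*.htm. The following is an added detection example, not part of the original advisory: it assumes Common Log Format access/error log lines (the exact NES 3.5.1 log layout is not given in the advisory) and flags any client host that produces a threshold number of 404s on Temp-style filenames within a short window. The sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# PowerPlay temp frame names: hex prefix, 't' (toolbar) or 'x' (content), .htm
TEMP_RE = re.compile(r"^/ppwb/Temp/[0-9a-f]+[tx]\.htm$", re.IGNORECASE)
# Common Log Format (assumed): host ident user [time] "method path proto" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def parse_line(line):
    """Return (host, timestamp, path, status), or None for unparsable lines."""
    m = CLF_RE.match(line)
    if not m:
        return None
    host, ts, _method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return host, when, path, int(status)


def find_temp_scanners(lines, threshold=20, window_s=60):
    """Hosts with >= threshold failed (404) /ppwb/Temp/*.htm requests within window_s seconds.

    A browser fetches one 't' and one 'x' file per cube request, both named by the
    CGI, so a stream of 404s on such names from one host is the pattern the
    advisory says to watch for. Returns {host: peak 404 count in a window}.
    """
    recent = defaultdict(deque)  # host -> timestamps of recent Temp 404s
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, when, path, status = parsed
        if status != 404 or not TEMP_RE.match(path):
            continue
        q = recent[host]
        q.append(when)
        while (when - q[0]).total_seconds() > window_s:  # slide the window
            q.popleft()
        if len(q) >= threshold:
            flagged[host] = max(flagged.get(host, 0), len(q))
    return flagged


# Constructed sample: one host walking guessed names, one legitimate cube viewer.
SAMPLE_LOG = [
    f'10.0.0.9 - - [25/Jun/1999:09:17:{i:02d} -0400] "GET /ppwb/Temp/{0x1ad0 + i:x}x.htm HTTP/1.0" 404 200'
    for i in range(25)
] + [
    '10.0.0.5 - - [25/Jun/1999:09:17:30 -0400] "GET /cgi-bin/ppdscgi.exe?TOC HTTP/1.0" 200 5120',
    '10.0.0.5 - - [25/Jun/1999:09:17:31 -0400] "GET /ppwb/Temp/1ad6x.htm HTTP/1.0" 200 37828',
]
```

Tune threshold and window_s to the site's normal traffic; a legitimate client never requests a Temp filename the CGI did not just hand it, so even a low threshold produces few false positives.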