SurfControl Vulnerabilities
Created 10/08/02
CAN 2002-0705
CAN 2002-0706
CAN 2002-0707
CAN 2002-0708
CAN 2002-0709
Impact
Remote attackers could compromise the host on which SurfControl Web
Filter is installed and also modify or remove information from the
database that it uses.
Background
SurfControl Web Filter is designed to allow companies to monitor and regulate
their employees' use of the Internet. The Web Reports Server for Windows
systems provides a web interface on TCP port 8888 for report retrieval.
There are multiple vulnerabilities in the Web Reports Server.
The Problem
There are multiple security vulnerabilities in the SurfControl
Web Filter Web Reports Server, which listens on TCP port 8888:
- Usernames and Passwords Accessible:
  (CAN 2002-0705)
  The file /surf/scwebusers contains the plain-text usernames and the
  encrypted passwords of every user of the reports server.
- Weak Encryption:
  (CAN 2002-0706)
  The "encryption" is implemented in client-side JavaScript
  (/surf/JavaScript/UserManager.js) with a hard-coded encryption key.
  Because the key ships inside a script delivered to the browser, anyone
  who can fetch the script can trivially decrypt the passwords, including
  the administrative password. With those credentials an attacker can
  read any report available on the server.
- DoS via Large GET Requests:
  (CAN 2002-0707)
  Repeated large GET requests drive the reports service to 100% CPU
  utilization, after which it stops servicing requests for an extended
  period of time.
- Triple-Dot Directory Traversal:
  (CAN 2002-0708)
  An attacker can retrieve any file on the server via a directory
  traversal attack using "..." path components, e.g.,
  http://server:8888/.../.../.../.../.../.../.../winnt/win.ini
  A filter that rejects only the conventional ".." sequence does not
  stop this variant.
- SQL Injection Vulnerability:
  (CAN 2002-0709)
  Reports are implemented as .dll files. Several of these do not validate
  their input, so an attacker can execute arbitrary SQL queries against
  the database, e.g.,
  http://server:8888/SimpleBar.dll/RunReport?<various parameters>
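The following Python is an added example, not SurfControl's code, illustrating the first two items above (CAN 2002-0705 and 2002-0706). It shows why a reversible scheme whose key is embedded in a client-side script is no better than plain text, and what the server should store instead. The XOR routine is a stand-in with the same fatal property as the UserManager.js scheme, not a reproduction of it; the key, the "username:encrypted" file layout and the sample accounts are all constructed assumptions, since the page does not show the real /surf/scwebusers format.

```python
import hashlib
import hmac
import os

# Hypothetical hard-coded key, standing in for whatever constant the page
# says lives in /surf/JavaScript/UserManager.js. Not the real key.
HARDCODED_KEY = b"key-embedded-in-client-script"


def weak_encrypt(password: str, key: bytes = HARDCODED_KEY) -> str:
    """Reversible XOR with a constant key, returned as hex. This toy cipher is
    not the UserManager.js routine; it only shares its fatal property."""
    data = password.encode("utf-8")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data)).hex()


def weak_decrypt(ciphertext_hex: str, key: bytes = HARDCODED_KEY) -> str:
    """Whoever has the script has the key, so every stored value comes back."""
    data = bytes.fromhex(ciphertext_hex)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data)).decode("utf-8")


# Constructed user list in an assumed "username:encrypted" layout; the real
# /surf/scwebusers format is not shown on the page.
SAMPLE_USER_FILE = "\n".join(
    f"{user}:{weak_encrypt(pw)}"
    for user, pw in [("admin", "Hunter2!"), ("auditor", "reports2002")]
)


def recover_all(user_file: str) -> dict:
    """The offline attack: decrypt every entry with the published key."""
    recovered = {}
    for line in user_file.splitlines():
        user, _, enc = line.partition(":")
        recovered[user] = weak_decrypt(enc)
    return recovered


# Hardened alternative: salted PBKDF2 computed server-side. The stored record
# lets the server verify a login attempt but does not reveal the password,
# and there is no key to hard-code anywhere.
def hash_password(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(recover_all(SAMPLE_USER_FILE))      # both passwords in the clear
    record = hash_password("Hunter2!")
    print(verify_password("Hunter2!", record), verify_password("guess", record))
```

The point is not the strength of the cipher: any reversible transform whose key is readable by the client has the same outcome, so the fix is server-side salted hashing rather than a better client-side key.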
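For the SQL injection item (CAN 2002-0709), the following Python is an added example, not code from SurfControl's report .dll files, which the page does not show. It places a report lookup written the way the advisory describes those endpoints (request parameter spliced into the query text) beside a parameterised version, against an in-memory SQLite database. The table names, columns and rows are constructed assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed rows; table and column names are
    assumptions, not the real SurfControl schema."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE web_log (username TEXT, url TEXT)")
    con.executemany("INSERT INTO web_log VALUES (?, ?)", [
        ("alice", "http://example.com/news"),
        ("bob", "http://example.com/mail"),
        ("carol", "http://example.com/hr"),
    ])
    con.execute("CREATE TABLE scweb_accounts (name TEXT, secret TEXT)")
    con.execute("INSERT INTO scweb_accounts VALUES ('admin', 's3cret')")
    return con


def run_report_vulnerable(con: sqlite3.Connection, username: str) -> list:
    """Request parameter spliced straight into the SQL text, the pattern the
    advisory describes for the unvalidated report .dll endpoints."""
    sql = f"SELECT username, url FROM web_log WHERE username = '{username}'"
    return con.execute(sql).fetchall()


def run_report_safe(con: sqlite3.Connection, username: str) -> list:
    """Same query with the value bound as a parameter: the driver never lets
    it change the statement's structure."""
    return con.execute(
        "SELECT username, url FROM web_log WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    con = make_db()
    # Constructed attacker inputs, as they would arrive in a RunReport parameter.
    dump_all = "x' OR 1=1 --"
    read_other_table = "x' UNION SELECT name, secret FROM scweb_accounts --"
    print(run_report_vulnerable(con, dump_all))           # every web_log row
    print(run_report_vulnerable(con, read_other_table))   # admin's secret leaks
    print(run_report_safe(con, dump_all))                 # [] : no such user
```

SQLite's execute() refuses stacked statements, so an appended DELETE is not shown here; on a backend that accepts multiple statements the same splice also allows the "modify or remove information" outcome listed under Impact. Binding the parameter closes both paths.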
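Detection logic for the three request-level issues above (the large-GET denial of service, the triple-dot traversal and the RunReport injection), plus access to the credential file, as an added Python example that is not part of the original advisory. It runs over constructed access-log lines in Common Log Format; the log format, the 4096-byte size threshold and the repeat count are assumptions, and a real reports-server log may look different. The traversal pattern is written for two or more dots so that it covers both the usual "../" and the "...\" form in the advisory.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format: ip ident user [ts] "METHOD path proto" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Two or more dots before a separator catches "../" and the triple-dot
# variant that a filter written for ".." alone would miss.
TRAVERSAL_RE = re.compile(r'\.{2,}[\\/]')
SQLI_RE = re.compile(r"'|--|;|/\*|\b(?:union|select|insert|update|delete|drop|exec)\b", re.I)
REPORT_DLL_RE = re.compile(r'\.dll/RunReport', re.I)
CRED_FILE = "/surf/scwebusers"
LARGE_PATH_BYTES = 4096      # assumed threshold for the large-GET pattern
LARGE_REPEAT_THRESHOLD = 3   # assumed: this many large GETs from one IP


def classify(path: str) -> list:
    """Return the rule names that a single request path trips."""
    decoded = unquote(path)          # catch %2e-encoded dots and %27 quotes
    hits = []
    if TRAVERSAL_RE.search(decoded):
        hits.append("traversal")
    if decoded.lower().startswith(CRED_FILE):
        hits.append("credential-file")
    query = decoded.partition("?")[2]
    if REPORT_DLL_RE.search(decoded) and SQLI_RE.search(query):
        hits.append("sqli")
    if len(path) > LARGE_PATH_BYTES:
        hits.append("large-get")
    return hits


def scan(lines) -> list:
    """Return (ip, rule, path prefix) per hit, plus one 'dos-pattern' finding
    for each IP that sends LARGE_REPEAT_THRESHOLD or more large GETs."""
    findings = []
    large_by_ip = Counter()
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        ip, path = m["ip"], m["path"]
        for rule in classify(path):
            findings.append((ip, rule, path[:60]))
            if rule == "large-get":
                large_by_ip[ip] += 1
    for ip, n in large_by_ip.items():
        if n >= LARGE_REPEAT_THRESHOLD:
            findings.append((ip, "dos-pattern", f"{n} large GETs"))
    return findings


# Constructed sample log (not real traffic).
BIG = "A" * 5000
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Oct/2002:10:01:02 -0400] "GET /surf/index.html HTTP/1.0" 200 1342',
    '10.0.0.7 - - [08/Oct/2002:10:02:11 -0400] "GET /.../.../.../.../.../.../.../winnt/win.ini HTTP/1.0" 200 432',
    '10.0.0.7 - - [08/Oct/2002:10:02:30 -0400] "GET /surf/scwebusers HTTP/1.0" 200 210',
    '10.0.0.9 - - [08/Oct/2002:10:03:15 -0400] "GET /SimpleBar.dll/RunReport?user=x%27%20OR%201=1-- HTTP/1.0" 200 9981',
] + [
    f'10.0.0.11 - - [08/Oct/2002:10:04:0{i} -0400] "GET /{BIG} HTTP/1.0" 400 0'
    for i in range(3)
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The traversal and credential-file rules are exact enough to alert on directly; the SQL heuristic on the RunReport query string will produce noise on report names containing apostrophes, so tune it against a week of legitimate traffic before paging on it.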
Resolution
The SurfControl Web Reporting Server should be disabled. Reports can be
obtained through the standard SurfControl reports interface or by connecting
to the server via terminal services. To disable the Web Reporting Server:
- On Windows 2000 servers:
  - Open Control Panel (Start\Settings\Control Panel).
  - Open the Administrative Tools directory.
  - Open Services.
  - Select the SurfControl Web Filter Report Server Service, and select
    Properties from the Action menu (or right-click and select Properties).
  - Under Service Status on the General tab, if the service is running,
    click the Stop button.
  - In the Startup Type drop-down menu, change the startup type to
    Disabled, then click OK.
  - Close Services, Administrative Tools, and Control Panel.
- On Windows NT machines:
  - Open Control Panel (Start\Settings\Control Panel).
  - Open Services.
  - Select the SurfControl Web Filter Report Server Service, and if the
    service is running, click the Stop button.
  - With the SurfControl Web Filter Report Server Service still selected,
    click the Startup button and change the startup type to Disabled,
    then click OK.
  - Close Services and Control Panel.
The Web Reporting Service should also be disabled on all SurfControl
Client installations.
Where can I read more about this?
The denial of service vulnerability from large GET requests was posted at
SecurityFocus. All of the vulnerabilities are discussed in the Security
Advisory for SurfControl Web Reporting and in Westpoint Security Advisory
wp-02-0005.