Tutorial - SurfControl Vulnerabilities

SurfControl Vulnerabilities

Created 10/08/02
CAN 2002-0705
CAN 2002-0706
CAN 2002-0707
CAN 2002-0708
CAN 2002-0709

Impact

Remote attackers could compromise the host on which SurfControl Web Filter is installed and also modify or remove information from the database that it uses.

Background

Surfcontrol Web Filter is designed to allow companies to monitor and regulate their employees' use of the internet. The Web Reports Server for Windows systems provides a web interface on TCP port 8888 for report retrieval. There are multiple vulnerabilities in the Web Reports Server.

The Problem

There are multiple security vulnerabilities in the SurfControl Web Filter Web Reports Server, available at TCP port 8888:

Usernames and Passwords Accessible: (CAN 2002-0705) The file /surf/scwebusers contains the plain text usernames and encrypted passwords for each user of the reports server.
Weak Encryption: (CAN 2002-0706) The encryption is implemented via a simple JavaScript (/surf/JavaScript/UserManager.js) with a hard-coded encryption key. Hence it is trivial to decrypt the passwords, including the administrative password. As a result, an attacker can access any reports available on the server.
DoS via Large GET request: (CAN 2002-0707) Repeated large GET requests cause the reports service to consume 100% of the CPU cycles, at which point it no longer services requests for some extended period of time.
Triple Dot Directory Traversal: (CAN 2002-0708) An attacker can retrieve any file on the server via a directory traversal attack, e.g.,
http://server:8888/.../.../.../.../.../.../.../winnt/win.ini
SQL Injection Vulnerability: (CAN 2002-0709) Reports are implemented in .dll files. Several of these do not perform input validation, so an attacker could execute arbitrary SQL queries against the database:
http://server:8888/SimpleBar.dll/RunReport?<various parameters>

Resolution

The SurfControl Web Reporting Server should be disabled. Reports can be obtained through the standard SurfControl reports interface or by connecting to the server via terminal services. To disable the Web Reporting Server:

On Windows 2000 Servers:
- Open Control Panel (Start\Settings\Control Panel).
- Open the Administrative Tools directory.
- Open Services.
- Select the SurfControl Web Filter Report Server Service, and select Properties from the Action menu (or right-click and select Properties).
- Under Service Status in the General tab, if the service is running, click the Stop button.
- Under the Startup Type drop down menu, change the startup type to Disabled. Then click OK.
- Close Services, Administrative Tools, and Control Panel.
On Windows NT machines:
- Open Control Panel (Start\Settings\Control Panel).
- Open Services.
- Select the SurfControl Web Filter Report Server Service, and if the service is running, click the Stop button.
- With the SurfControl Web Filter Report Server Service selected, click the Startup button and change the startup type to Disabled. Then click OK.
- Close Services and Control Panel.

The Web Reporting Service should also be disabled on all SurfControl Client installations.

Where can I read more about this?

The Denial of Service vulnerability from large GET requests was posted at SecurityFocus. All the vulnerabilities are discussed in the Security Advisory for SurfControl Web Reporting and Westpoint Security Advisory wp-02-0005.