COMMAND
PowerPlay
SYSTEMS AFFECTED
WinNT running Cognos PowerPlay Web Edition
PROBLEM
Darin White found the following. Due to design problems, as well as
some potential web server misconfiguration, PowerPlay Web Edition
may serve up data cubes in a non-secure manner. Execution of the
PowerPlay CGI pulls cube data into files in an unprotected
temporary directory. Those files are then fed back to frames in
the browser. In some cases it is trivial for an unauthenticated
user to tap into those data files before they are purged. The
issues are:
(a) dynamic directory listing
(b) weak temporary filename algorithm
(c) ad hoc parameters to the CGI
Identifying PowerPlay sites is quickly accomplished using
AltaVista:
http://www.altavista.com/cgi-bin/query?pg=q&kl=XX&q=%2Blink%3Appdscgi.exe&search=Search
which hits all pages containing a link to the PowerPlay CGI
ppdscgi.exe on NT. Normal authentication for protected cubes
occurs when a user selects a link like:
<A href="/cgi-bin/ppdscgi.exe?XT=EXAMPLE&LA=en&LO=en">Example</a>
At this point the user is prompted for a userid and password.
Beyond this check there seems to be no verification that data is
being fed out to the browser that requested it and was authorized.
(a) dynamic directory listing
=============================
Netscape Enterprise Server 3.5.1 appears to be serving up dynamic
directory listings by default. A known PowerPlay site can be hit
with a request for http://www.example.com/ppwb/Temp/ which will
return something like:
/ppwb/Temp/ -
6/25/99 9:17 AM 17904 1ad6t.htm
6/25/99 9:17 AM 37828 1ad6x.htm
Here we see two temporary files created by one initial cube
request. The suffix 't' in the first filename denotes the
PowerPlay toolbar and 'x' denotes the data content. These files
are fed back to the browser to populate two frames. Clicking on
the content filename will allow any user to browse the current
cube view with no authentication challenge even if the cube has
been password-protected. Once into the cube the user may continue
to drill for further data.
(b) weak temporary filename algorithm
=====================================
Sites that have disabled directory listing may still be
vulnerable. Many sites using PowerPlay offer a mix of protected
and unprotected cubes. Some sites also offer an anonymous user
account (let's say "guest" for example). The PowerPlay CGI uses a
common temporary directory for serving all cubes back to the
browser. Using the guest account or viewing an unprotected cube
a user may right-click the content area and select View Frame
Info, which will display the temporary filename. By repeatedly
reloading the initial cube view and viewing frame info, a list of
temporary filenames may be generated in order to analyze the
filename algorithm, e.g.:
http://www.example.com/ppwb/Temp/1eeex.htm
http://www.example.com/ppwb/Temp/1f77x.htm
http://www.example.com/ppwb/Temp/1fcfx.htm
http://www.example.com/ppwb/Temp/1ff6x.htm
http://www.example.com/ppwb/Temp/2014x.htm
Analysis of the filename progression shows:
* the last char is 'x' for the data and 't' for the toolbar
* the first n-1 chars are hexadecimal digits only
* the hexadecimal "numbers" comprising the filename are
ascending only
* the first char is never 0, e.g. fffx.htm => 1000x.htm
* simple hexadecimal subtraction on the first n-1 chars of
consecutive filenames shows a very predictable pattern
A user may orient themselves in the namespace (the set of all
possible filenames) by using a guest account or unprotected cube.
Once oriented a set of candidate filenames may be generated and
requested from /ppwb/Temp on the server. Of course this approach
assumes valid users are hitting the cubes at the same time. Once
a successful hit has been made on a temporary file the user may
drill further into the data as described in (a) above.
Alternatively a brute force attack on a server could be attempted
by just submitting requests for all possible filenames. Of
course if you could establish some idea of how long the site has
been operational you might start with 4-char filenames. A very
new site with low traffic (if the owner displays a page counter)
might be best approached with 3-char names. This type of attack
would present a beat-the-clock situation, as the ~65000 requests
(for 4-char names) must find an existing file before it is purged
from the Temp directory.
(c) ad hoc parameters to the CGI
================================
A variety of parameters to
http://www.example.com/cgi-bin/ppdscgi.exe
provide additional information on the PowerPlay server.
* ?ABOUT= will return the version of PowerPlay.
* ?TOC (or no parameter) presents a table of contents list of
all web-enabled cubes on the server.
Some sites are using static page links to hit cubes rather than
relying on PowerPlay's generated TOC. They may not be aware that
all cubes are available.
* the hidden parameter PPWB in the data contents frame details the
unaliased location of the temporary directory, e.g.
<INPUT TYPE="HIDDEN" NAME="PPWB" VALUE="C:/Netscape/SuiteSpot/docs/ppwb">
SOLUTION
Cognos has been contacted but does not regard this as a serious
exposure.
(a) dynamic directory listing
Turn this feature off on your web server following the directions
provided by the server vendor. If you are unable to disable this
feature you may create an index.html file in the /ppwb/Temp
directory that will load when a filename has not been specified
in the URL.
(b) weak temporary filename algorithm
This is really on Cognos' plate. Watch your error logfile for
a lot of failed requests for /ppwb/Temp/*.htm to at least detect
an attack. Removing anonymous cube access may slow an attack.
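The log-watching advice above, worked through as an added example that is not part of the original advisory and not Cognos or Netscape tooling: it parses Common Log Format access-log lines, keeps only 404 responses for /ppwb/Temp/<hex>[tx].htm, and flags any client host that accumulates a burst of such misses inside a sliding time window. The sample log lines, the host addresses, and the 20-misses-in-60-seconds threshold are all constructed assumptions; tune the threshold to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format access-log line: host ident user [ts] "METHOD path proto" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# PowerPlay temporary frame files: hex prefix, 't' (toolbar) or 'x' (data), .htm
TEMP_FILE = re.compile(r'^/ppwb/Temp/[0-9a-fA-F]+[tx]\.htm$')

def parse_clf(line):
    """Return (host, datetime, path, status), or None for an unparsable line."""
    m = CLF.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts, m.group("path"), int(m.group("status"))

def failed_temp_requests(lines):
    """Yield (host, timestamp) for every 404 against a PowerPlay temp file."""
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue
        host, ts, path, status = parsed
        if status == 404 and TEMP_FILE.match(path):
            yield host, ts

def burst_hosts(lines, window_seconds=60, threshold=20):
    """Map host -> peak count of failed temp-file requests inside any
    window_seconds-long window, for hosts whose peak reaches threshold."""
    by_host = defaultdict(list)
    for host, ts in failed_temp_requests(lines):
        by_host[host].append(ts)
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for host, times in by_host.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged

# --- constructed sample log (assumption: not a real server's log) ---
def _line(host, when, path, status):
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S -0400")
    return f'{host} - - [{stamp}] "GET {path} HTTP/1.0" {status} 207'

_T0 = datetime(1999, 6, 25, 9, 17, 0)
SAMPLE_LINES = [
    # legitimate user: CGI call, then the two frame files it produced
    _line("10.0.0.5", _T0, "/cgi-bin/ppdscgi.exe?XT=EXAMPLE&LA=en&LO=en", 200),
    _line("10.0.0.5", _T0 + timedelta(seconds=1), "/ppwb/Temp/1ad6t.htm", 200),
    _line("10.0.0.5", _T0 + timedelta(seconds=1), "/ppwb/Temp/1ad6x.htm", 200),
    # a stale bookmark: two isolated misses, well under the threshold
    _line("10.0.0.7", _T0 + timedelta(seconds=5), "/ppwb/Temp/19f2x.htm", 404),
    _line("10.0.0.7", _T0 + timedelta(minutes=3), "/ppwb/Temp/19f2x.htm", 404),
    # an unrelated 404 that must not be counted
    _line("10.0.0.7", _T0 + timedelta(seconds=9), "/favicon.ico", 404),
]
# one host sweeping consecutive hex names at one request per second
SAMPLE_LINES += [
    _line("10.0.0.99", _T0 + timedelta(seconds=10 + i),
          f"/ppwb/Temp/{0x1ad0 + i:x}x.htm", 404)
    for i in range(30)
]

if __name__ == "__main__":
    for host, peak in burst_hosts(SAMPLE_LINES).items():
        print(f"ALERT {host}: {peak} failed /ppwb/Temp/ requests within 60s")
```

Run it against a real access log with `burst_hosts(open(path))`; the sliding window is what separates a sweep of consecutive names from the occasional stale link, and the path filter keeps ordinary 404 noise out of the count.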
(c) ad hoc parameters to the CGI
Just be aware of what is available by altering the parameters.
Don't assume your cubes are hidden because there is no direct
link to the table of contents from the web. Password protect
your cubes.