cognos.powerplay.txt
Posted Aug 17, 1999

Cognos PowerPlay Web Edition software for Microsoft NT Server contains a security vulnerability in which unauthenticated web users can access cube data. Negative vendor response. 8.688 kb.

tags | exploit, web
SHA-256 | 0b738e5df294d5573c200c6b08586235de8961bfd2cc25aff789c8397786fa94

Date: Mon, 28 Jun 1999 07:29:37 -0400
From: Darin White <d.w@IBM.NET>
To: BUGTRAQ@netspace.org
Subject: Cognos PowerPlay Web Edition security

WEB SECURITY ADVISORY

-------------
Release Date: 1999-06-25
Application: Cognos PowerPlay Web Edition
Severity: Unauthenticated web users can sniff cube data
Author: Darin White
Operating Sys: Microsoft NT Server
--------------

I. Description

Due to design problems, as well as some potential web server
misconfiguration, PowerPlay Web Edition may serve up data cubes
in a non-secure manner. Execution of the PowerPlay CGI
pulls cube data into files in an unprotected temporary
directory. Those files are then fed back to frames in the
browser. In some cases it is trivial for an unauthenticated
user to tap into those data files before they are purged.
Cognos has been contacted but does not regard this as a
serious exposure (see appendix B below).

The issues are:
(a) dynamic directory listing
(b) weak temporary filename algorithm
(c) ad hoc parameters to the CGI


II. Details

Identifying PowerPlay sites is quickly accomplished using AltaVista:
http://www.altavista.com/cgi-bin/query?pg=q&kl=XX&q=%2Blink%3Appdscgi.exe&search=Search
which hits all pages containing a link to the PowerPlay CGI ppdscgi.exe on NT.

Normal authentication for protected cubes occurs when a user selects
a link like:
<A href="/cgi-bin/ppdscgi.exe?XT=EXAMPLE&LA=en&LO=en">Example</a>
At this point the user is prompted for a userid and password.
Beyond this check there seems to be no verification that data
is being fed out to the browser that requested it and was
authorized.

(a) dynamic directory listing
Netscape Enterprise Server 3.5.1 appears to be serving up dynamic
directory listings by default. A known PowerPlay site can be hit
with a request for http://www.example.com/ppwb/Temp/ which will
return something like:

/ppwb/Temp/ -

6/25/99 9:17 AM 17904 1ad6t.htm
6/25/99 9:17 AM 37828 1ad6x.htm

Here we see two temporary files created by one initial cube request.
The suffix 't' in the first filename denotes the PowerPlay toolbar
and 'x' denotes the data content. These files are fed back to the
browser to populate two frames. Clicking on the content filename
will allow any user to browse the current cube view with no
authentication challenge even if the cube has been password-protected.
Once into the cube the user may continue to drill for further data.

(b) weak temporary filename algorithm
Sites that have disabled directory listing may still be vulnerable.
Many sites using PowerPlay offer a mix of protected and unprotected
cubes. Some sites also offer an anonymous user account (let's say
"guest" for example). The PowerPlay CGI uses a common temporary
directory for serving all cubes back to the browser. Using the
guest account or viewing an unprotected cube a user may right-click
the content area and select View Frame Info which will display
the temporary filename. By repeatedly reloading the initial cube
view and viewing frame info a list of temporary filenames may be
generated in order to analyze the filename algorithm. e.g.
http://www.example.com/ppwb/Temp/1eeex.htm
http://www.example.com/ppwb/Temp/1f77x.htm
http://www.example.com/ppwb/Temp/1fcfx.htm
http://www.example.com/ppwb/Temp/1ff6x.htm
http://www.example.com/ppwb/Temp/2014x.htm

Analysis of the filename progression shows:
* the last char is 'x' for the data and 't' for the toolbar
* first n-1 chars are hexadecimal chars only
* the hexadecimal "numbers" comprising the filename are ascending only
* the first char is never 0. e.g. fffx.htm => 1000x.htm
* simple hexadecimal subtraction on the first n-1 chars of consecutive
filenames shows a very predictable pattern (see appendix A)

A user may orient themselves in the namespace (the set of all possible
filenames) by using a guest account or unprotected cube. Once oriented
a set of candidate filenames may be generated and requested from
/ppwb/Temp on the server. Of course this approach assumes valid
users are hitting the cubes at the same time. Once a successful
hit has been made on a temporary file the user may drill further
into the data as described in (a) above.

Alternatively a brute force attack on a server could be attempted
by just submitting requests for all possible filenames. Of course if
you could establish some idea of how long the site has been operational
you might start with 4-char filenames. A very new site with low traffic
(if the owner displays a page counter) might be best approached with
3-char names. This type of attack would present a beat-the-clock
situation as the ~65000 requests (for 4-char) scanned for an existing
file before it was purged from the Temp directory.

(c) ad hoc parameters to the CGI
A variety of parameters to http://www.example.com/cgi-bin/ppdscgi.exe
provide additional information on the PowerPlay server.
* ?ABOUT= will return the version of PowerPlay.
* ?TOC (or no parameter) presents a table of contents list of all
web-enabled cubes on the server. Some sites are using static page
links to hit cubes rather than relying on PowerPlay's generated TOC.
They may not be aware that all cubes are available.
* the hidden parameter PPWB in the data contents frame reveals the unaliased
filesystem location of the temporary directory, e.g.
<INPUT TYPE="HIDDEN" NAME="PPWB" VALUE="C:/Netscape/SuiteSpot/docs/ppwb">


III. Solution

(a) dynamic directory listing
Turn this feature off on your web server following the directions
provided by the server vendor. If you are unable to disable this
feature you may create an index.html file in the /ppwb/Temp directory
that will be served whenever no filename has been specified in the URL.

(b) weak temporary filename algorithm
This is really on Cognos' plate. Watch your error logfile for
a lot of failed requests for /ppwb/Temp/*.htm to at least detect
an attack. Removing anonymous cube access may slow an attack.
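The logfile watch suggested in (b), as an added Python example that is not part of the advisory: it parses a handful of constructed access-log lines in NCSA common log format, counts 404 responses for filenames under /ppwb/Temp/ per client, and flags any client whose failures reach a threshold inside a sliding time window. The addresses, filenames, threshold and window are all constructed for the demo, and the common-log layout is an assumption; Netscape Enterprise Server's error log has its own format, so the regex would need adjusting for it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample (NCSA common log format). Addresses come
# from documentation ranges and the temp filenames are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jun/1999:09:17:02 -0400] "GET /cgi-bin/ppdscgi.exe?XT=EXAMPLE&LA=en&LO=en HTTP/1.0" 200 2048
203.0.113.7 - - [25/Jun/1999:09:17:03 -0400] "GET /ppwb/Temp/1ad6t.htm HTTP/1.0" 200 17904
203.0.113.7 - - [25/Jun/1999:09:17:03 -0400] "GET /ppwb/Temp/1ad6x.htm HTTP/1.0" 200 37828
198.51.100.9 - - [25/Jun/1999:09:17:10 -0400] "GET /ppwb/Temp/1ad0x.htm HTTP/1.0" 404 207
198.51.100.9 - - [25/Jun/1999:09:17:11 -0400] "GET /ppwb/Temp/1ad1x.htm HTTP/1.0" 404 207
198.51.100.9 - - [25/Jun/1999:09:17:12 -0400] "GET /ppwb/Temp/1ad2x.htm HTTP/1.0" 404 207
198.51.100.9 - - [25/Jun/1999:09:17:13 -0400] "GET /ppwb/Temp/1ad3x.htm HTTP/1.0" 404 207
198.51.100.9 - - [25/Jun/1999:09:17:14 -0400] "GET /ppwb/Temp/1ad4x.htm HTTP/1.0" 404 207
198.51.100.9 - - [25/Jun/1999:09:17:15 -0400] "GET /ppwb/Temp/1ad5x.htm HTTP/1.0" 404 207
192.0.2.44 - - [25/Jun/1999:09:18:40 -0400] "GET /ppwb/Temp/1ae0x.htm HTTP/1.0" 404 207
192.0.2.44 - - [25/Jun/1999:09:18:41 -0400] "GET /favicon.ico HTTP/1.0" 404 207
"""

# Common log format: ip ident user [timestamp] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
# Only the PowerPlay temp-file namespace described in the advisory.
TEMP_RE = re.compile(r"^/ppwb/Temp/[0-9a-f]+[tx]\.htm$", re.IGNORECASE)


def parse_line(line):
    """Parse one common-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def flag_clients(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak} for clients whose 404s against /ppwb/Temp/*.htm
    reach `threshold` inside any `window`; peak is the largest such count."""
    failures = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec and rec["status"] == 404 and TEMP_RE.match(rec["path"]):
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in flag_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed /ppwb/Temp/ requests inside one window")
```

On the sample only 198.51.100.9 is reported (six failures in six seconds); the single miss from 192.0.2.44 and the unrelated favicon 404 stay below the threshold. Legitimate users produce 200s for these files, so a cluster of 404s in this directory from one client is a reasonable first signal; tune the threshold and window against a site's real traffic.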

(c) ad hoc parameters to the CGI
Just be aware of what is available by altering the parameters.
Don't assume your cubes are hidden because there is no direct
link to the table of contents from the web. Password protect
your cubes.

DW

APPENDIX A

Here's the output of one subtraction run which shows the v6.5
temporary filenames and then the hex delta between adjacent filenames:

Processing test.dat ...
2161x.htm
216bx.htm Ax
2188x.htm 1Dx
2192x.htm Ax
219cx.htm Ax
21a6x.htm Ax
21afx.htm 9x
21b9x.htm Ax
21c3x.htm Ax
21cdx.htm Ax
21d7x.htm Ax
21e0x.htm 9x
21eax.htm Ax
21f4x.htm Ax
21fex.htm Ax
2207x.htm 9x
2211x.htm Ax
221bx.htm Ax
2225x.htm Ax
222fx.htm Ax
2238x.htm 9x
2242x.htm Ax
224cx.htm Ax
2256x.htm Ax
2260x.htm Ax
2269x.htm 9x
2273x.htm Ax
227dx.htm Ax
2287x.htm Ax
2291x.htm Ax
229ax.htm 9x

SUMMARY
diff count
A : 23
1D : 1
9 : 6
out of 31 filenames

Here are some other summaries:

SUMMARY
diff count
203B : 1
DF : 1
13 : 4
A : 10
14 : 3
27 : 1
9 : 1
out of 22 filenames

SUMMARY
diff count
3E : 1
A : 19
9 : 5
out of 26 filenames

Analysis of filenames created under v6.0 of PowerPlay Web Ed. showed:

25bx.htm
25cx.htm 1x
25dx.htm 1x
25ex.htm 1x
25fx.htm 1x
260x.htm 1x
261x.htm 1x
262x.htm 1x
263x.htm 1x
264x.htm 1x
265x.htm 1x
266x.htm 1x
267x.htm 1x
268x.htm 1x
269x.htm 1x
26ax.htm 1x
26bx.htm 1x
26cx.htm 1x

SUMMARY
diff count
1 : 17
out of 18 filenames

SUMMARY
diff count
37E : 1
1 : 491
out of 493 filenames

SUMMARY
diff count
1E7 : 1
1 : 295
out of 297 filenames

SUMMARY
diff count
1 : 1255
out of 1256 filenames
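The subtraction run shown in Appendix A, and the filename analysis in section II(b), as an added Python example; this is not the advisory's own tool, whose source is not given. It parses filenames of the <hex>t.htm / <hex>x.htm form, prints the hex delta between neighbours and the SUMMARY count, and reports how predictable the sequence is. It goes one step beyond the page by running the same analysis over an assumed ascending-counter scheme next to a CSPRNG-based replacement, so the contrast between a dominant delta and no repeating delta is visible. The counter model is an assumption (Cognos' actual algorithm is not published); the seven sample names are copied from Appendix A.

```python
import re
import secrets
from collections import Counter

# Sample: the first seven v6.5 temp filenames listed in Appendix A.
SAMPLE_V65 = ["2161x.htm", "216bx.htm", "2188x.htm", "2192x.htm",
              "219cx.htm", "21a6x.htm", "21afx.htm"]

# <hex digits><'t' toolbar | 'x' data>.htm, as described in section II(b)
NAME_RE = re.compile(r"^([0-9a-f]+)([tx])\.htm$", re.IGNORECASE)


def hex_deltas(names):
    """Return [(name, delta)] where delta is the upper-case hex difference
    from the previous filename's numeric part (None for the first name)."""
    rows = []
    prev = None
    for name in names:
        m = NAME_RE.match(name)
        if not m:
            raise ValueError(f"not a PowerPlay temp filename: {name!r}")
        value = int(m.group(1), 16)
        delta = None if prev is None else format(value - prev, "X")
        rows.append((name, delta))
        prev = value
    return rows


def summarize(rows):
    """Count each delta, like the SUMMARY blocks in Appendix A."""
    return Counter(delta for _, delta in rows if delta is not None)


def predictability(rows):
    """Share of deltas equal to the most common one: 1.0 means every step
    is identical, about 1/n means no step ever repeats."""
    counts = summarize(rows)
    total = sum(counts.values())
    return counts.most_common(1)[0][1] / total if total else 0.0


def sequential_name(counter, kind="x"):
    """Assumed model of the weak scheme: an ascending hex counter with no
    leading zeros. Cognos' real algorithm is not published."""
    return f"{counter:x}{kind}.htm"


def random_name(kind="x"):
    """Hardened alternative: 128 bits from the OS CSPRNG, so earlier names
    reveal nothing about later ones."""
    return f"{secrets.token_hex(16)}{kind}.htm"


def report(rows):
    """Render rows and summary in the same layout as Appendix A."""
    lines = [f"{name} {delta}x" if delta else name for name, delta in rows]
    lines += ["", "SUMMARY", "diff count"]
    lines += [f"{d} : {n}" for d, n in summarize(rows).most_common()]
    lines.append(f"out of {len(rows)} filenames")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(hex_deltas(SAMPLE_V65)))
    weak = [sequential_name(0x2161 + 10 * i) for i in range(20)]
    strong = [random_name() for _ in range(20)]
    print("sequential predictability:", predictability(hex_deltas(weak)))
    print("random predictability:    ", predictability(hex_deltas(strong)))
```

For the seven sample names the delta A appears four times out of six, matching the pattern in Appendix A; the modelled counter scores 1.0 and the random names score roughly 1/19. A name drawn from a CSPRNG is the fix the advisory leaves on Cognos' plate: with 128 bits per name, observing any number of earlier filenames gives no foothold in the namespace.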


APPENDIX B

1999-06-10 analysis submitted to Cognos
1999-06-11 submission acknowledged
1999-06-18 response from Cognos (below)
-----------------------------
Hello Darin,

Thank you for the descriptive analysis of your problem. I understand that
you have set up anonymous access and therefore you are aware of the security
risk. I agree that the temp file generation is predictable and would suggest
logging an enhancement through our web site.

In the interim you have to weigh what is acceptable in terms of security
knowing that there are other alternatives such as SSL and LDAP. These other
options will of course offer substantially more protection.

In conclusion, your analysis is correct; now it is a factor of weighing your
security wants and needs.

Regards,

Michael Bockholt
Cognos Support Specialist
Tel: 1-800-637-7447
email: support@cognos.com
-----------------------------


--------------------------------------------------------------------
Darin White
d.w@ibm.net
--------------------------------------------------------------------
