Dear List, Imperva(tm)'s Applidcation Defense Center has recently discovered a vulnerability in Business Objects' Crystal Reports Web Delivery Modules. This vulnerability may lead to arbitrary file access and denial of service. Following are the advisory's details. ======================================================================== === Title ===== Arbitrary File Access and Denial of Service Vulnerabilities in the Business Objects' Crystal Report Web Delivery Modules Background ========== Crystal Reports and Crystal Enterprise are a leading reporting and data presentation solution from Business Objects(r) (who acquired Business Decisions earlier this year). Both contain components for web delivery of reports, using various common web technologies (ASP, ASP.NET, jsp etc.). Those web presentation components render the requested report into HTML documents delivered to the end user through a web server. Images, especially charts and graphs, included in the report are rendered as temporary PNG files linked to from the HTML document. The temporary PNG files are delivered through a dedicated module upon request from a client (e.g. a web browser) and then deleted. Scope ===== Imperva(tm)'s Application Defense Center has conducted research on the widely used Crystal Reports product and have determined that the modules which deliver image files through the web are vulnerable in a way that can be exploited for arbitrary file access and denial of service. The Findings ============ While using Crystal Report in a web environment, there are modules for delivering image files (charts, graphs, dynamically chosen pictures, etc.). There is one such module for each prominent web delivery technology (ASP, ASP.NET and jsp). These modules deliver an image file by its name and then remove it from hard disk. An attacker is able to use this module to access arbitrary files on the server and remove them. Details ======= 1. Arbitrary File Access and Removal ------------------------------------ The web reporting engine of the Crystal Reports package renders a report as an HTML document that contains hyperlinks to images. The images are not accessed directly from the client but rather delivered through a dedicated module (crystalimagehandler.aspx, crystalimagehandler.asp or crystalimagehandler.jsp). This module accepts a single parameter called dynamicimage that specifies the name of a temporary image file created by the rendering engine. The file is delivered to the client and then, by default, removed from the disk. A common request would be similar to the following: http://foo.bar/crystalreportviewers/crystalimagehandler.aspx?dynamicimag e=2a7173aa-a2e4-4f96-b9e1-11332c696bbd.png Which will send the file named 2a7173aa-a2e4-4f96-b9e1-11332c696bbd.png to the requesting client, and delete it. The module is susceptible to directory traversal and would deliver any file on the disk that is specified by the parameter dynamiciamge. Hence, if the image files are created in c:\winnt\temp then the following request: http://foo.bar/crystalreportviewers/crystalimagehandler.aspx?dynamicimag e=..\win.ini delivers the file win.ini and the following request: http://foo.bar/crystalreportviewers/crystalimagehandler.aspx?dynamicimag e=..\..\boot.ini delivers the file boot.ini from the disk's root directory. In addition to delivering the request file which may contain confidential information the module removes the file from the disk. This of course may lead to a denial of service. For example, if win.ini is request through this module it will be removed from the disk and the attacked server will not be able to reboot. 2. Disk Space Exhaustion ------------------------ The Crystal Reports web delivery module relies on the image delivery module to both deliver the image file and cleanup the disk space it occupies. Hence, calling the report generation modules repeatedly without retrieving the related images (e.g. by using a Perl script) causes the report engine to take up more and more space in the image file folder. Not only is disk space consumed quickly but response time for other users become substantially longer as the number of files in the folder increase. Eventually disk space will become exhausted. Exploit ======= The exploit is carried out by simply sending a request URL to the crystal reports server that looks like this: http://foo.bar/crystalreportviewers/crystalimagehandler.aspx?dynamicimag e=..\..\..\..\..\mydocuments\private\passwords.txt Version Tested ============== Crystal Reports version 9 Crystal Enterprise version 9 Crystal Reports version 10 Crystal Enterprise version 10 Vendor's Response ================= Business Objects were notified of the vulnerability on April 26th 2004, and acknowledged the vulnerability on May 4th. They published a security bulletin and a patch for the problem on June 8th. Business Objects' security bulletin is avialable at http://support.businessobjects.com/fix/hot/critical/bulletins/security_b ulletin_june04.asp The patch for the vulnerability is available at http://support.businessobjects.com/fix/hot/critical/default.asp Credit ====== The vulnerabilirty was discovered on April 20th, 2004, by Moran Surf and Amichai Shulman, as part of Imperva's Application Defense Center research activities. --- Imperva Application Defense Center http://www.imperva.com/adc/