Today, I noticed some suspicious activity on one of our web servers here at
work. I quickly discovered that we were being scanned for vulnerabilities,
from what looks like a security company!
Now, the way I see it, there's a few possible explanations to this.
- They’re doing a scan and they’re going to give us a sales pitch for
security consulting. (they’d have to be idiots to do this, but who knows)
- They’ve been hacked, and this assault is coming from one of their servers.
(they’d be idiot-filled, idiot-covered idiots if this were true)
- Or someone is spoofing their IP address. Anyone know of a way to determine
if this is the case?
Well, anyhow, the scary thing about this is that one of the
exploits they’re trying to use is this one:
Business
Objects Crystal Reports vulnerability advisory
2. Disk Space Exhaustion
The Crystal Reports web delivery module relies on the image delivery
module to both deliver the image file and cleanup the disk space it occupies.
Hence, calling the report generation modules repeatedly without retrieving the
related images (e.g. by using a Perl script) causes the report engine to take up
more and more space in the image file folder. Not only that disk space is
consumed quickly but response time for other users become substantially longer
as the number of files in the folder increase. Eventually disk space will become
exhausted.
Exploit
The exploit is carried out by simply sending a
request URL to the crystal reports server looking like
this:
http://foo,bar/crystalreportviewers/crystalimagehandler.aspx?dynamicimage=..\..\..\..\..\my
documents\private\passwords.txt
I’d suggest that you patch your server, if you’re suffering from
even a mild case of Crystal Reports, but then I read this:
So, my suggestion to you my friend is run - far far away from Crystal.
-Brendan