Disk Space Exhaustion via Crystal Reports Vulnerability

Today, I noticed some suspicious activity on one of our web servers here at work. I quickly discovered that we were being scanned for vulnerabilities, from what looks like a security company!

Now, the way I see it, there are a few possible explanations for this.

  1. They’re doing a scan and they’re going to give us a sales pitch for security consulting. (they’d have to be idiots to do this, but who knows)
  2. They’ve been hacked, and this assault is coming from one of their servers. (they’d be idiot-filled, idiot-covered idiots if this were true)
  3. Or someone is spoofing their IP address. Anyone know of a way to determine if this is the case?

Well, anyhow, the scary thing about this is that one of the exploits they’re trying to use is this one:

Business Objects Crystal Reports vulnerability advisory

2. Disk Space Exhaustion

The Crystal Reports web delivery module relies on the image delivery module to both deliver the image file and clean up the disk space it occupies. Hence, calling the report generation modules repeatedly without retrieving the related images (e.g. by using a Perl script) causes the report engine to take up more and more space in the image file folder. Not only is disk space consumed quickly, but response time for other users becomes substantially longer as the number of files in the folder increases. Eventually disk space will become exhausted.

Exploit

The exploit is carried out by simply sending a request URL to the crystal reports server looking like this:

http://foo,bar/crystalreportviewers/crystalimagehandler.aspx?dynamicimage=..\..\..\..\..\my documents\private\passwords.txt
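As an added example (it is not part of the advisory quoted above nor of this post), the script below shows what a defender can do with the two behaviours the advisory describes: it scans web-server log lines for requests to `crystalimagehandler.aspx` whose `dynamicimage` value escapes the image folder, flags clients that keep requesting report pages without ever fetching the generated images (the disk-exhaustion pattern), and includes the path check that would have refused the traversal in the first place. The IIS-style log lines, the `/reports/` prefix for report-generation pages, the image folder location and the `min_reports` threshold are all constructed assumptions, not values from the page.

```python
"""Detection and mitigation helpers for the two Crystal Reports abuse patterns
described in the advisory: traversal through the dynamicimage parameter, and
repeated report generation that never retrieves (and so never cleans up)
the generated images. All sample data below is constructed."""
from collections import defaultdict
from urllib.parse import parse_qs, unquote
import posixpath

# Handler path as it appears in the advisory's example URL.
IMAGE_HANDLER = "/crystalreportviewers/crystalimagehandler.aspx"
# Assumption: report-generating pages live under this prefix on our server.
REPORT_PREFIX = "/reports/"

# Constructed IIS W3C-style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = r"""
2005-04-07 08:30:01 10.0.0.5 GET /reports/sales.aspx - 200
2005-04-07 08:30:02 10.0.0.5 GET /crystalreportviewers/crystalimagehandler.aspx dynamicimage=abc123.png 200
2005-04-07 08:31:10 192.0.2.77 GET /crystalreportviewers/crystalimagehandler.aspx dynamicimage=..\..\..\..\..\my%20documents\private\passwords.txt 404
2005-04-07 08:32:00 198.51.100.9 GET /reports/sales.aspx - 200
2005-04-07 08:32:01 198.51.100.9 GET /reports/sales.aspx - 200
2005-04-07 08:32:02 198.51.100.9 GET /reports/sales.aspx - 200
2005-04-07 08:32:03 198.51.100.9 GET /reports/sales.aspx - 200
2005-04-07 08:32:04 198.51.100.9 GET /reports/sales.aspx - 200
"""


def parse_line(line):
    """Split one W3C-style log line into a dict, or return None for blanks/comments."""
    fields = line.split()
    if len(fields) != 7 or fields[0].startswith("#"):
        return None
    _date, _time, ip, method, stem, query, status = fields
    return {"ip": ip, "method": method, "stem": stem.lower(),
            "query": "" if query == "-" else query, "status": int(status)}


def normalize(value):
    """URL-decode twice (catches double encoding) and treat backslash as a separator,
    since the handler runs on Windows where both slashes are path separators."""
    return unquote(unquote(value)).replace("\\", "/")


def is_traversal(value):
    """True if a dynamicimage value is absolute or contains a '..' segment."""
    path = normalize(value)
    if path.startswith("/") or (len(path) > 1 and path[1] == ":"):
        return True  # absolute path or drive-letter path
    return ".." in posixpath.normpath(path).split("/")


def find_traversal_requests(log_text):
    """Return (client ip, normalized value) for every traversal attempt on the handler."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["stem"] != IMAGE_HANDLER:
            continue
        for value in parse_qs(rec["query"]).get("dynamicimage", []):
            if is_traversal(value):
                hits.append((rec["ip"], normalize(value)))
    return hits


def find_image_abandoners(log_text, min_reports=3):
    """Clients that requested at least min_reports report pages but never fetched an
    image: the pattern that leaves orphaned files in the image folder."""
    reports, images = defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["stem"].startswith(REPORT_PREFIX):
            reports[rec["ip"]] += 1
        elif rec["stem"] == IMAGE_HANDLER:
            images[rec["ip"]] += 1
    return {ip: (n, images[ip]) for ip, n in reports.items()
            if n >= min_reports and images[ip] == 0}


def safe_image_path(image_root, requested):
    """Mitigation: resolve a dynamicimage value against the image folder and refuse
    anything that lands outside it. Uses POSIX semantics after normalize(), so the
    check behaves the same on any host. Returns the resolved path or None."""
    root = posixpath.normpath(image_root)
    candidate = posixpath.normpath(posixpath.join(root, normalize(requested)))
    if not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for ip, value in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {value}")
    for ip, (n, m) in find_image_abandoners(SAMPLE_LOG).items():
        print(f"{ip}: {n} report requests, {m} image fetches")
    print(safe_image_path("/var/reports/images", "abc123.png"))
```

Run against real IIS logs by feeding the file contents in place of `SAMPLE_LOG`; the `min_reports` threshold should be tuned to how many reports a legitimate session produces, and `safe_image_path` is the shape of check the handler itself needs, applied before any file is opened or deleted.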

I’d suggest that you patch your server, if you’re suffering from even a mild case of Crystal Reports, but then I read this:

So, my suggestion to you, my friend, is: run far, far away from Crystal.

-Brendan


Posted 04-07-2005 8:36 AM by Brendan Tompkins
