Today, I noticed some suspicious activity on one of our web servers here at
work. I quickly discovered that we were being scanned for vulnerabilities,
from what looks like a security company!
Now, the way I see it, there's a few possible explanations to this.
- Theyâre doing a scan and theyâre going to give us a sales pitch for
security consulting. (theyâd have to be idiots to do this, but who knows)
- Theyâve been hacked, and this assault is coming from one of their servers.
(theyâd be idiot-filled, idiot-covered idiots if this were true)
- Or someone is spoofing their IP address. Anyone know of a way to determine
if this is the case?
Well, anyhow, the scary thing about this is that one of the
exploits theyâre trying to use is this one:
Business
Objects Crystal Reports vulnerability advisory
2. Disk Space Exhaustion
The Crystal Reports web delivery module relies on the image delivery
module to both deliver the image file and cleanup the disk space it occupies.
Hence, calling the report generation modules repeatedly without retrieving the
related images (e.g. by using a Perl script) causes the report engine to take up
more and more space in the image file folder. Not only that disk space is
consumed quickly but response time for other users become substantially longer
as the number of files in the folder increase. Eventually disk space will become
exhausted.
Exploit
The exploit is carried out by simply sending a
request URL to the crystal reports server looking like
this:
http://foo,bar/crystalreportviewers/crystalimagehandler.aspx?dynamicimage=..\..\..\..\..\my
documents\private\passwords.txt
Iâd suggest that you patch your server, if youâre suffering from
even a mild case of Crystal Reports, but then I read this:
So, my suggestion to you my friend is run - far far away from Crystal.
-Brendan
Read: Disk Space Exhaustion via Crystal Reports Vulnerability
Previous Topic
