Ubizen Security Intelligence Lab Security Advisory SIL/03/001

----------------------------------------

Product: WebIntelligence(r)
Tested version: 2.7.1
Advisory date: Jan 09, 2003
Vulnerability type: session hijacking leading to remote unauthorized
access
Severity: High

----------------------------------------

1) Brief description

The WebIntelligence application is a web interface towards the Business
Objects application server. It uses HTTPS and cookies to keep track of
user sessions. These session cookies are vulnerable. An attacker can
guess session cookies and use this information to hijack sessions of
other users, thereby gaining unauthorized access to the WebIntelligence
tool. Next, the attacker can take any action the original user is able
to take, except changing the account password.

There also exists a win32 client application that uses the same
protocols and the same cookie mechanism to connect to the Business
Objects server.

Both web interface and client are vulnerable to session hijacking.

2) Affected versions

WebIntelligence 2.x products

3) Details

"WebIntelligence is the one tool that allows users to access, analyze,
and share strategic data over intranets and extranets for both
traditional relational databases and online analytical processing (OLAP)
servers."
            ( http://www.businessobjects.com/products/webi/ )

The WebIntelligence server assigns a cookie to each session for purpose
of session tracking. Whenever a user connects using his/her browser,
he/she receives such a session ID cookie. If the user then authenticates
successfully, the WebIntelligence server marks this session at server
side as 'authenticated'.

During the same session, the user's browser keeps sending this cookie
back to the server. This helps the server to keep track of the user's
session. As long as the session is marked 'authenticated' the server
will not prompt the user for his/her password anymore.

So, if an attacker succeeds in stealing or guessing a user's session ID
cookie, the attacker may gain access to this user's WebIntelligence
session.  It has been found that WebIntelligence uses cookies that can
be guessed by an attacker.

As a result, the attacker can view any screen, including mail box, and
perform any action the user can. The attacker can not set a new password
for the hijacked account as this would require knowledge of the current
password.

4) Extension

The Business Objects full client is a Windows application that can be
downloaded through the WebIntelligence interface. Although it does not
run in a browser, it does use the same HTTPS protocols for connecting to
the WebIntelligence server and the same session ID cookies are used.
Therefore, ZABO is also vulnerable to this attack.

The client only product (BusinessObjects) is not at risk.

5) Solution

Business Objects ( http://www.businessobjects.com ) has a hotfix for
this issue (Bug ID 1063161) and it is expected that this fix will be
incorporated in Service Pack 7, expected in the early part of Q2.

Business Objects advises their customers to deploy the appropriate CSP
on all their servers machines. The appropriate CSPs for SP3, SP4, SP5
and SP6 can be downloaded from:
http://techsupport.businessobjects.com/app/SecBulletin_120402.asp .

6) Timeline (only relevant steps)

November 2002: Ubizen contacted and provided details to Business Objects

December 2002: Received bug ID and preliminary fix info from Business
Objects
January 2003: Business Objects released security bulletin and fixes to
its customers

7) Credits

This vulnerability was discovered by Stijn Durant of Ubizen (
http://www.ubizen.com ).

8) Disclaimer

All information, advice and statements are provided "AS IS", without any
warranty of any kind, express or implied, including but not limited to,
warranties of accuracy, timeliness, non-infringement or fitness for a
particular purpose. Ubizen assumes no liability for any loss or damage
whatsoever (direct, indirect, consequential or otherwise). The use of
and/or reliance on any of the information, advice or statements provided
will be at the sole risk of the using/relying party.

Copyright (c) 2003 by Ubizen N.V. All rights reserved. Ubizen, SIL and
Security Intelligence Lab are trademarks or registered trademarks of
Ubizen N.V. All other trademarks or registered trademarks are the
property of their respective owners.