SAP Internet Graphics Server Buffer Overflow Lets Remote Users Execute Arbitrary Code and Deny Service
|
|
SecurityTracker Alert ID: 1016675
|
|
SecurityTracker URL: http://securitytracker.com/id?1016675
|
|
CVE Reference: CVE-2006-4133
, CVE-2006-4134
(Links to External Site)
|
Updated: Jun 8 2008
|
Original Entry Date: Aug 10 2006
|
Impact: Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 6.40 Patchlevel <= 15, 7.00 Patchlevel <= 3
|
Description: Mariano Nunez Di Croce reported two vulnerabilities in SAP Internet Graphics Server. A remote user can execute arbitrary code on the target system. A remote user can cause denial of service conditions.
A remote user can send a specially crafted HTTP request to trigger a buffer overflow and execute arbitrary code on the target system.
The code will run with the privileges of the target service (SAP System Administrator account privileges on UNIX-based systems,
LocalSystem privileges on Windows-based systems).
A remote user can also send a specially crafted HTTP request to cause the target
service to crash.
The vendor was notified on June 2, 2006.
The original advisories are available at:
http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_
IGS_Remote_Buffer_Overflow.pdf
http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Remote_Denial_of_Service.pdf
|
Impact: A remote user can execute arbitrary code on the target system.
A remote user can cause denial of service conditions.
|
Solution: The vendor has issued a fix. Additional information is available in SAP Note 968423.
|
Vendor URL: www.sap.com/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Linux (Any), OS/400, UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (Any)
|
Reported By: Mariano Nunez Di Croce <mnunez@cybsec.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 10 Aug 2006 15:46:14 -0300
From: =?ISO-8859-1?Q?Mariano_Nu=F1ez_Di_Croce?= <mnunez@cybsec.com>
Subject: CYBSEC - Security Pre-Advisory: SAP Internet Graphics Service (IGS)
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Remote_Denial_of_Service.pdf )
CYBSEC S.A.
www.cybsec.com
Pre-Advisory Name: SAP Internet Graphics Service (IGS) Remote Denial of Service
==================
Vulnerability Class: Design Flaw
====================
Release Date: 08/10/2006
=============
Affected Applications:
======================
* SAP IGS 6.40 Patchlevel <= 15
* SAP IGS 7.00 Patchlevel <= 3
Affected Platforms:
===================
* AIX 64 bits
* HP-UX on IA64 64bit
* HP-UX on PA-RISC 64bit
* Linux on IA64 64bit
* Linux on Power 64bit
* Linux on x86_64 64bit
* Linux on zSeries 64bit
* OS/400 V5R2M0
* Solaris on SPARC 64bit
* TRU64 64bit
Local / Remote: Remote
===============
Severity: Medium
=========
Author: Mariano Nuņez Di Croce
=======
Vendor Status:
==============
* Confirmed, update released.
Reference to Vulnerability Disclosure Policy:
=============================================
http://www.cybsec.com/vulnerability_policy.pdf
Product Overview:
==================
"The IGS provides a server architecture where data from an SAP System or other
sources can be used to generate graphical or non-graphical output."
It is important to note that IGS is installed and activated by default with the Web
Application Server (versions >= 6.30)
Vulnerability Description:
==========================
A specially crafted HTTP request can derive in the finalization of SAP IGS Service.
Technical Details:
==================
Technical details will be released three months after publication of this
pre-advisory. This was agreed upon with SAP to allow their customers to upgrade
affected software prior to technical knowledge
been publicly available.
Impact:
=======
Successful exploitation of this vulnerability allows to remotely shutdown SAP IGS
service.
Solutions:
==========
SAP has released patches to address this vulnerability. Affected customers should
apply the patches immediately.
More information can be found on SAP Note 968423.
Vendor Response:
================
* 06/02/2006: Initial Vendor Contact.
* 06/09/2006: Vendor Confirmed Vulnerability.
* 07/03/2006: Vendor Releases Update for version 6.40.
* 07/13/2006: Vendor Releases Update for version 7.00.
* 08/10/2006: Pre-Advisory Public Disclosure.
Special Thanks:
===============
Thanks goes to Carlos Diaz and Victor Montero.
Contact Information:
====================
For more information regarding the vulnerability feel free to contact the author at
mnunez {at} cybsec.com. Please bear in mind that technical details will be disclosed
to the general public three
months after the release of this pre-advisory.
For more information regarding CYBSEC: www.cybsec.com
(c) 2006 - CYBSEC S.A. Security Systems
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFE2371bbZGNCayCJkRAgqGAJ4utFvl9tUUoknN0KeZDP1gqLoumQCgi+36
1GLyLrPfZ9UNIRC0RUfQofU=
=7Ezk
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Remote_Buffer_Overflow.pdf )
CYBSEC S.A.
www.cybsec.com
Pre-Advisory Name: SAP Internet Graphics Service (IGS) Remote Buffer Overflow
==================
Vulnerability Class: Buffer Overflow
====================
Release Date: 08/10/2006
=============
Affected Applications:
======================
* SAP IGS 6.40 Patchlevel <= 15
* SAP IGS 7.00 Patchlevel <= 3
Affected Platforms:
===================
* AIX 64 bits
* HP-UX on IA64 64bit
* HP-UX on PA-RISC 64bit
* Linux on IA32 32bit
* Linux on IA64 64bit
* Linux on Power 64bit
* Linux on x86_64 64bit
* Linux on zSeries 64bit
* OS/400 V5R2M0
* Solaris on SPARC 64bit
* TRU64 64bit
* Windows Server on IA32 32bit
* Windows Server on IA64 64bit
* Windows Server on x64 64bit
Local / Remote: Remote
===============
Severity: High
=========
Author: Mariano Nuņez Di Croce
=======
Vendor Status:
==============
* Confirmed, update released.
Reference to Vulnerability Disclosure Policy:
=============================================
http://www.cybsec.com/vulnerability_policy.pdf
Product Overview:
==================
"The IGS provides a server architecture where data from an SAP System or other
sources can be used to generate graphical or non-graphical output."
It is important to note that IGS is installed and activated by default with the Web
Application Server (versions >= 6.30)
Vulnerability Description:
==========================
A specially crafted HTTP request can trigger a remote buffer overflow in SAP IGS
service.
Technical Details:
==================
Technical details will be released three months after publication of this
pre-advisory. This was agreed upon with SAP to allow their customers to upgrade
affected software prior to technical knowledge
been publicly available.
Impact:
=======
Under UNIX systems, successful exploitation of this vulnerability may allow an
attacker to execute remote code with the privileges of the SAP System Administrator
account (<SID>adm), allowing him to
take full control of the SAP system installation.
Under Microsoft Windows systems, successful exploitation of this vulnerability may
allow an attacker to execute remote code with the privileges of the LocalSystem
account, allowing him to take full
control of the entire system.
Solutions:
==========
SAP has released patches to address this vulnerability. Affected customers should
apply the patches immediately.
More information can be found on SAP Note 968423.
Vendor Response:
================
* 06/02/2006: Initial Vendor Contact.
* 06/09/2006: Vendor Confirmed Vulnerability.
* 07/03/2006: Vendor Releases Update for version 6.40.
* 07/13/2006: Vendor Releases Update for version 7.00.
* 08/10/2006: Pre-Advisory Public Disclosure.
Special Thanks:
===============
Thanks goes to Carlos Diaz and Victor Montero.
Contact Information:
====================
For more information regarding the vulnerability feel free to contact the author at
mnunez {at} cybsec.com. Please bear in mind that technical details will be disclosed
to the general public three
months after the release of this pre-advisory.
For more information regarding CYBSEC: www.cybsec.com
(c) 2006 - CYBSEC S.A. Security Systems
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFE239DbbZGNCayCJkRAsrHAJ9cdWZDZJJ72M8u1boyC4aQmGTT9wCfTM9Z
9LDRh/Zw3tvSiVdyVWqshYg=
=aC9r
-----END PGP SIGNATURE-----
|
|
