SAP Internet Graphics Server Lets Remote Users Remove Files
|
|
SecurityTracker Alert ID: 1017342
|
|
SecurityTracker URL: http://securitytracker.com/id?1017342
|
|
CVE Reference: CVE-2006-6345
(Links to External Site)
|
Updated: May 22 2008
|
Original Entry Date: Dec 6 2006
|
Impact: Denial of service via network, Modification of system information, Modification of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 6.40 Patchlevel 16 and prior, 7.00 Patchlevel 6 and prior
|
Description: A vulnerability was reported in SAP Internet Graphics Server. A remote user can remove files on the target system.
The software does not properly validate user-supplied input. A remote user can supply a specially crafted HTTP request to remove
files on target system.
On UNIX-based systems, files having write permissions for the SAP System Administrator account (<SID>adm)
can be removed.
On Windows-based systems, arbitrary files can be removed.
Technical details will be released at a later date.
The
vendor was notified on November 3, 2006.
Mariano Nunez Di Croce of CYBSEC reported this vulnerability.
The original advisory
is available at:
http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Remote_Arbitrary_File_Removal.pdf
|
Impact: A remote user can remove files on the target system.
|
Solution: The vendor has issued patches.
|
Vendor URL: www.sap.com/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), OS/400, UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (Any)
|
Reported By: Mariano_Nunez_Di_Croce <mnunez@cybsec.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 05 Dec 2006 15:32:43 -0300
From: =?ISO-8859-1?Q?Mariano_Nu=F1ez_Di_Croce?= <mnunez@cybsec.com>
Subject: CYBSEC - Security Pre-Advisory: SAP Internet Graphics Service (IGS)
|
(The following pre-advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Remote_Arbitrary_File_Removal.pdf )
CYBSEC S.A.
www.cybsec.com
Pre-Advisory Name: SAP Internet Graphics Service (IGS) Remote Arbitrary File Removal
==================
Vulnerability Class: Path Traversal
====================
Release Date: 12/05/2006
=============
Affected Applications:
======================
* SAP IGS 6.40 Patchlevel <= 16
* SAP IGS 7.00 Patchlevel <= 6
Affected Platforms:
===================
* AIX 64 bits
* HP-UX on IA64 64bit
* HP-UX on PA-RISC 64bit
* Linux on IA32 32bit
* Linux on IA64 64bit
* Linux on Power 64bit
* Linux on x86_64 64bit
* Linux on zSeries 64bit
* OS/400 V5R2M0
* Solaris on SPARC 64bit
* TRU64 64bit
* Windows Server on IA32 32bit
* Windows Server on IA64 64bit
* Windows Server on x64 64bit
Local / Remote: Remote
===============
Severity: High
=========
Author: Mariano Nuņez Di Croce
=======
Vendor Status:
==============
* Confirmed, update released.
Reference to Vulnerability Disclosure Policy:
=============================================
http://www.cybsec.com/vulnerability_policy.pdf
Product Overview:
==================
"The IGS provides a server architecture where data from an SAP System or other sources can be us
ed to generate graphical or non-graphical
output."
It is important to note that IGS is installed and activated by default with the Web Application Serve
r (versions >= 6.30)
Vulnerability Description:
==========================
A specially crafted HTTP request can remove any file located in SAP IGS file-system.
Technical Details:
==================
Technical details will be released three months after publication of this pre-advisory. This was agre
ed upon with SAP to allow their
customers to
upgrade affected software prior to technical knowledge been publicly available.
Impact:
=======
Under UNIX systems, successful exploitation of this vulnerability may allow an attacker to remotely r
emove files existing on the SAP
IGS file-system.
These files must have write permission for SAP System Administrator account (<SID>adm).
Under Microsoft Windows systems, successful exploitation of this vulnerability may allow an attacker
to remove any files existing
on the SAP IGS
file-system.
Solutions:
==========
SAP has released patches to address this vulnerability. Affected customers should apply the patches i
mmediately.
Vendor Response:
================
* 11/03/2006: Initial Vendor Contact.
* 11/06/2006: Vendor Confirmed Vulnerability.
* 11/29/2006: Vendor Releases Update for version 6.40.
* 11/29/2006: Vendor Releases Update for version 7.00.
* 12/05/2006: Pre-Advisory Public Disclosure.
Special Thanks:
===============
Thanks goes to Carlos Diaz and Victor Montero.
Contact Information:
====================
For more information regarding the vulnerability feel free to contact the author at mnunez {at} cybse
c.com. Please bear in mind that
technical details
will be disclosed to the general public three
months after the release of this pre-advisory.
For more information regarding CYBSEC: www.cybsec.com
(c) 2006 - CYBSEC S.A. Security Systems
|
|
