Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SAP Internet Graphics Server Buffer Overflow in Processing ADM:GETLOGFILE Command Errors Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1017534
|
|
SecurityTracker URL: http://securitytracker.com/id?1017534
|
|
CVE Reference: CVE-2006-4133
(Links to External Site)
|
Updated: May 19 2008
|
Original Entry Date: Jan 18 2007
|
Impact: Execution of arbitrary code via network, Root access via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 6.40 Patchlevel <= 15, 7.00 Patchlevel <= 3
|
Description: Mariano Nunez Di Croce of CYBSEC reported a vulnerability in SAP Internet Graphics Server. A remote user can execute arbitrary code on the target system.
A remote user can send specially crafted data to trigger a heap overflow and execute arbitrary code on the target system. The code
will run with the privileges of the target service, which is the SAP System Administrator account on UNIX-based systems and the
LocalSystem account on Windows-based systems.
The error response to an ADM:GETLOGFILE command can trigger this vulnerability.
The
vendor was notified on June 2, 2006.
The original advisory is available at:
http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Remote_Buffer_Overflow.p
df
|
Impact: A remote user can execute arbitrary code on the target system with the privileges of the SAP System Administrator account on UNIX-based systems and the LocalSystem account on Windows-based systems.
|
Solution: The vendor has issued a fix for versions 6.40 and 7.00. For information on the fix, see SAP Note 968423.
|
Vendor URL: www.sap.com/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Linux (Any), OS/400, UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (Any)
|
Reported By: CYBSEC Advisories <advisories@cybsec.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 18 Jan 2007 12:27:02 -0300
From: CYBSEC Advisories <advisories@cybsec.com>
Subject: CYBSEC - Security Advisory: SAP Internet Graphics Service (IGS) Remote
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Remote_Buffer_Overflow.pdf )
This advisory contains the full-detailed information regarding the vulnerability
described in "CYBSEC Security Pre-Advisory: SAP Internet Graphics
Service (IGS) Remote Buffer Overflow".
CYBSEC S.A.
www.cybsec.com
Advisory Name: SAP Internet Graphics Service (IGS) Remote Buffer Overflow
==============
Vulnerability Class: Heap Buffer Overflow
====================
Release Date: 2007-01-18
=============
Affected Applications:
======================
* SAP IGS 6.40 Patchlevel <= 15
* SAP IGS 7.00 Patchlevel <= 3
Affected Platforms:
===================
* AIX 64 bits
* HP-UX on IA64 64bit
* HP-UX on PA-RISC 64bit
* Linux on IA32 32bit
* Linux on IA64 64bit
* Linux on Power 64bit
* Linux on x86_64 64bit
* Linux on zSeries 64bit
* OS/400 V5R2M0
* Solaris on SPARC 64bit
* TRU64 64bit
* Windows Server on IA32 32bit
* Windows Server on IA64 64bit
* Windows Server on x64 64bit
Local / Remote: Remote
===============
Severity: High
=========
Author: Mariano Nuņez Di Croce
=======
Vendor Status:
==============
* Confirmed, update released.
Reference to Vulnerability Disclosure Policy:
=============================================
http://www.cybsec.com/vulnerability_policy.pdf
Product Overview:
==================
"The IGS provides a server architecture where data from an SAP System or other
sources can be used to generate graphical or non-graphical output."
It is important to note that IGS is installed and activated by default with the Web
Application Server (versions >= 6.30)
Vulnerability Description:
==========================
A specially crafted HTTP request can trigger a remote buffer overflow in SAP IGS
service.
Technical Details:
==================
The ADM:GETLOGFILE command receives a portwatcher as a parameter. If the specified
portwatcher is not found, an error message is returned to the client.
The vulnerability specifically exists in the processing of this error message.
The message is build by the use of the _snprintf() function, which helps to prevent
the occurrence of buffer overflows by limiting the number of bytes
written to the destination buffer:
- ------------------------------------------------------------------------------------------
8B5424 14 MOV EDX,DWORD PTR SS:[ESP+14] ; Portwatcher string (controlled)
52 PUSH EDX
68 B49C5700 PUSH igsmux.00579CB4 ; ASCII "Could not find portwatcher %s"
8D8424 B0000000 LEA EAX,DWORD PTR SS:[ESP+B0] ; Destination buffer
68 00040000 PUSH 400 ; Output 1024 bytes max
50 PUSH EAX
E8 DA881100 CALL <JMP.&MSVCR71._snprintf>
- ------------------------------------------------------------------------------------------
Therefore, if a parameter of more than 998 bytes is received, only the first 1024
bytes of the resulting string (after concatenation) would be stored
in the destination buffer and no overflow would occur.
To present this error message to the client, an HTTP response is crafted. Its content
is prepared in a buffer stored in the heap. After some
procedures, the error message string is copied to this buffer:
- ------------------------------------------------------------------------------
8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C] ; _snprintf() result value
8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] ; Error message string
8DB8 A0000000 LEA EDI,DWORD PTR DS:[EAX+A0] ; Destination buffer
8BC1 MOV EAX,ECX
C1E9 02 SHR ECX,2
F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
- ------------------------------------------------------------------------------
The _snprintf() function returns the total amount of bytes written, so above code
would not seem to be unreasonable. The problem is that, if the
source buffer is larger than the maximum number of characters to store (count), a
particular behavior takes place:
?If the number of bytes required to store the data exceeds count, then count bytes of
data are stored in buffer and a negative value is returned? [MSDN]
Therefore, if the string is larger than 1024 bytes, after the first instruction of
the presented code ECX would contain a negative number treated as
unsigned, resulting in a very big number. Then, when the memory copy operation takes
place, heap space reserved would be overflowed.
This will overwrite heap block structures, which would eventually be used and result
in the execution of the famous set of instructions:
- --------------------------------------------------
8901 MOV DWORD PTR DS:[ECX],EAX
8948 04 MOV DWORD PTR DS:[EAX+4],ECX
- --------------------------------------------------
As both ECX and EAX can be controlled, an arbitrary DWORD overwrite is possible,
leading to the possibility of executing arbitrary code.
Impact:
=======
Under UNIX systems, successful exploitation of this vulnerability may allow an
attacker to execute remote code with the privileges of the SAP System
Administrator account (<SID>adm), allowing him to take full control of the SAP system
installation.
Under Microsoft Windows systems, successful exploitation of this vulnerability may
allow an attacker to execute remote code with the privileges of the
LocalSystem account, allowing him to take full control of the entire system.
Solutions:
==========
SAP has released patches to address this vulnerability. Affected customers should
apply the patches immediately.
More information can be found on SAP Note 968423.
Vendor Response:
================
* 2006-06-02: Initial Vendor Contact.
* 2006-06-09: Vendor Confirmed Vulnerability.
* 2006-07-03: Vendor Releases Update for version 6.40.
* 2006-07-13: Vendor Releases Update for version 7.00.
* 2006-08-10: Pre-Advisory Public Disclosure.
* 2007-01-18: Advisory Public Disclosure.
Special Thanks:
===============
Thanks goes to Carlos Diaz and Victor Montero.
Contact Information:
====================
For more information regarding the vulnerability feel free to contact the author at
mnunez <at> cybsec <dot> com.
For more information regarding CYBSEC: www.cybsec.com
(c) 2007 - CYBSEC S.A. Security Systems
- --
- ----------------------------------------------
CYBSEC S.A. Security Systems
CYBSEC-LABS Security Research Team
Tel/Fax: (54-11) 4371-4444
Web: http://www.cybsec.com
PGP: http://www.cybsec.com/pgp/advisories.txt
- ----------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFFr5HGvWPewvmdrSgRAlUQAJ9x4D2uZ6jIWjms4wBN1dMDlbfKGwCfU7by
cIdABeyvEnFWY4aaDAV4dfI=
=Z8aW
-----END PGP SIGNATURE-----
|
|
Go to the Top of This SecurityTracker Archive Page
|
