Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   SAP Message Server Vendors:   SAP
SAP Message Server Heap Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1018340
SecurityTracker URL:
CVE Reference:   CVE-2007-3624   (Links to External Site)
Updated:  May 6 2008
Original Entry Date:  Jul 6 2007
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in SAP Message Server. A remote user can execute arbitrary code on the target system.

A remote user can send a specially crafted HTTP GET request to trigger a heap overflow and execute arbitrary code on the target system. The code will run with the privileges of the target service.

A value of 498 bytes sent to the '/msgserver/html/group' can trigger the overflow.

The vendor was notified on January 11, 2007.

Mark Litchfield of NGSSoftware Insight Security Research discovered this vulnerability.

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fix.
Vendor URL: (Links to External Site)
Cause:   Boundary error

Message History:   None.

 Source Message Contents

Subject:  SAP Message Server Heap Overflow

Name: SAP Message Server Heap Overflow
Release Date:  5 July 2007
Reference: NGS00485
Discover: Mark Litchfield <>
Vendor: SAP
Vendor Reference: SECRES-292
Systems Affected: All Versions
Risk: Critical
Status: Fixed

Discovered:  4 January 2007
Released: 19 January 2007
Approved: 29 January 2007
Reported: 11 January 2007
Fixed:  2 May 2007

The Message Server is a service used by the different applications servers
to exchange data and internal messages.  It is also used for licence
checking and workload balancing together with the SAP logon utility.

The Message Server can found to be listening on the following default TCP

Message Server - 3600
Message Server HTTP - 8100
Message Server HTTPS - No Default

Note:  All the Message Server available ports share the same PID

Depending on the number of instances that have been installed, the Message
Server can be found to listen on other PORTS.  The PORT allocation follows
the rule of incorporating the instance number to generate the TCP port
allocation (<NN>).  Examples are

Message Server - 36<NN>
Message Server HTTP - 81<NN>
Message Server HTTPS (if installed) - 444<NN>

Technical Details
In this particular attack, we are targeting the Message HTTP Server in an
unauthenticated state.  As can be seen from the example below, we are
sending a GET request to the Message Server listening on (in this case)
TCP Port 8100, passing a Parameter of Group to the URL
/msgserver/html/group with a value of 498 bytes.  Sending such a request
will cause a write access violation to your specified string value.  For
example using a lower case x would be an access violation writing to
location 0x78787878.

GET /msgserver/html/group?group=**498 bytes** HTTP/1.0
Accept: */*
Accept-Language: en-us
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
CLR 1.1.4322; .NET CLR 2.0.50727)
Host: sapserver:8100
Proxy-Connection: Keep-Alive

Whilst this bug allows the remote unauthenticated execution of arbitrary
code (running as SYSTEM on Windows), as can be determined by the
functionality of this service, within a business environment, the
termination of this process can have dire effects to the operation of SAP
and its components.

Fix Information
Please ensure you have the latest version

NGSSoftware Insight Security Research
+44(0)208 401 0070 


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC