[NEWS] SAP DB Web Server Stack Overflow



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



SAP DB Web Server Stack Overflow
------------------------------------------------------------------------


SUMMARY

SAP DB is "an open source database server sponsored by SAP AG that
provides a series of web tools to administer database servers via web
browsers. These tools can be integrated into third-party web servers such
as IIS, or run on its own web server which by default is installed to TCP
Port 9999".

When installed as its own web server, SAP DB's waHTTP.exe process listens on
TCP port 9999. This web server has been found to contain a remotely
exploitable stack overflow.

DETAILS

By requesting:
http://target:9999/webdbm?Event=DBM_INTERN_TEST&Action=REFRESH

and looking at the 200 response, we can determine the function offered by
the request:

<body topmargin=0 leftmargin=0 marginwidth=0 marginheight=0
background=/WARoot/Images/tatami.gif>
<a href="javascript:parent.GotoWebDBMURL(this,
'Event=DBM_INTERN_TEST&Action=REFRESH')">Test</a><table
style="font-family:courier new,monospace; font-size:8pt;" border=1
cellspacing=0 cellpadding=1>
<tr><td>sapdbwa_GetRequestURI </td><td>/webdbm </td></tr>
<tr><td>sapdbwa_GetIfModifiedSince </td><td>NULL </td></tr>
<tr><td>sapdbwa_GetQueryString
</td><td>Event=DBM_INTERN_TEST&Action=REFRESH </td></tr>
<tr><td>sapdbwa_GetPathInfo </td><td>NULL </td></tr>
<tr><td>sapdbwa_GetMethod </td><td>GET </td></tr>
<tr><td>sapdbwa_GetContentType </td><td>NULL </td></tr>
<tr><td>sapdbwa_GetContentLength </td><td>NULL </td></tr>
<tr><td>sapdbwa_GetPathTranslated </td><td>NULL </td></tr>
<tr><td>sapdbwa_GetServerName </td><td>NULL </td></tr>
<tr><td>AUTH_TYPE </td><td>NULL </td></tr>
<tr><td>CONTENT_LENGTH </td><td>NULL </td></tr>
<tr><td>CONTENT_TYPE </td><td>NULL </td></tr>
<tr><td>GATEWAY_INTERFACE </td><td>NULL </td></tr>
<tr><td>HTTP_ACCEPT </td><td>*/* </td></tr>
<tr><td>PATH_INFO </td><td>NULL </td></tr>
<tr><td>QUERY_STRING </td><td>NULL </td></tr>
<tr><td>REMOTE_ADDR </td><td>NULL </td></tr>
<tr><td>REMOTE_HOST </td><td>NULL </td></tr>
<tr><td>REMOTE_USER </td><td>NULL </td></tr>
<tr><td>REQUEST_METHOD </td><td>NULL </td></tr>
<tr><td>SCRIPT_NAME </td><td>NULL </td></tr>
<tr><td>SERVER_NAME </td><td>NULL </td></tr>
<tr><td>SERVER_PORT </td><td>NULL </td></tr>
<tr><td>SERVER_PROTOCOL </td><td>NULL </td></tr>
<tr><td>SERVER_SOFTWARE </td><td>NULL </td></tr>
<tr><td>HTTP_ACCEPT </td><td>*/* </td></tr>
<tr><td>HTTP_ACCEPT_CHARSET </td><td>NULL </td></tr>
<tr><td>HTTP_ACCEPT_ENCODING </td><td>NULL </td></tr>
<tr><td>HTTP_ACCEPT_LANGUAGE </td><td>NULL </td></tr>
<tr><td>HTTP_ACCEPT_RANGES </td><td>NULL </td></tr>
<tr><td>HTTP_AGE </td><td>NULL </td></tr>
<tr><td>HTTP_ALLOW </td><td>NULL </td></tr>
<tr><td>HTTP_AUTHORIZATION </td><td>NULL </td></tr>
<tr><td>HTTP_CACHE_CONTROL </td><td>NULL </td></tr>
<tr><td>HTTP_CONNECTION </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_ENCODING </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_LANGUAGE </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_LENGTH </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_LOCATION </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_MD5 </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_RANGE </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_TYPE </td><td>NULL </td></tr>
<tr><td>HTTP_DATE </td><td>NULL </td></tr>
<tr><td>HTTP_ETAG </td><td>NULL </td></tr>
<tr><td>HTTP_EXPECT </td><td>NULL </td></tr>
<tr><td>HTTP_EXPIRES </td><td>NULL </td></tr>
<tr><td>HTTP_FROM </td><td>NULL </td></tr>
<tr><td>HTTP_HOST </td><td>localhost </td></tr>
<tr><td>HTTP_IF_MATCH </td><td>NULL </td></tr>
<tr><td>HTTP_IF_MODIFIED_SINCE </td><td>NULL </td></tr>
<tr><td>HTTP_IF_NONE_MATCH </td><td>NULL </td></tr>
<tr><td>HTTP_IF_RANGE </td><td>NULL </td></tr>
<tr><td>HTTP_IF_UNMODIFIED_SINCE </td><td>NULL </td></tr>
<tr><td>HTTP_LAST_MODIFIED </td><td>NULL </td></tr>
<tr><td>HTTP_LOCATION </td><td>NULL </td></tr>
<tr><td>HTTP_MAX_FORWARDS </td><td>NULL </td></tr>
<tr><td>HTTP_PRAGMA </td><td>NULL </td></tr>
<tr><td>HTTP_PROXY_AUTHENTICATE </td><td>NULL </td></tr>
<tr><td>HTTP_PROXY_AUTHORIZATION </td><td>NULL </td></tr>
<tr><td>HTTP_RANGE </td><td>NULL </td></tr>
<tr><td>HTTP_REFERER </td><td>NULL </td></tr>
<tr><td>HTTP_RETRY_AFTER </td><td>NULL </td></tr>
<tr><td>HTTP_SERVER </td><td>NULL </td></tr>
<tr><td>HTTP_TE </td><td>NULL </td></tr>
<tr><td>HTTP_TRAILER </td><td>NULL </td></tr>
<tr><td>HTTP_TRANSFER_ENCODING </td><td>NULL </td></tr>
<tr><td>HTTP_UPGRADE </td><td>NULL </td></tr>
<tr><td>HTTP_USER_AGENT </td><td>NULL </td></tr>
<tr><td>HTTP_VARY </td><td>NULL </td></tr>
<tr><td>HTTP_VIA </td><td>NULL </td></tr>
<tr><td>HTTP_WARNING </td><td>NULL </td></tr>
<tr><td>HTTP_WWW_AUTHENTICATE </td><td>NULL </td></tr>
<tr><td>HTTP_COOKIE </td><td>SID=E63A7F73B20A5021442BAF3C8F70B97A
</td></tr>
<tr><td>HTTP_SESSION_ID </td><td>NULL </td></tr>
<tr><td>Event </td><td>DBM_INTERN_TEST </td></tr>
<tr><td>Action </td><td>REFRESH </td></tr>
</table>
</body>

By making the request again but not including the cookie value, or, if one
is not present, simply adding it as an HTTP request header, we can cause a
stack-based overflow within WAHTTP.exe.

The same overflow can also be achieved through numerous other fields.

If we take sapdbwa_GetQueryString, we can simply pass an additional
parameter by appending "&" followed by a string.
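The advisory gives no source, so the following is an added example, not code from the advisory, from SAP or from waHTTP.exe. It shows the bug class described above (an HTTP header value copied into a fixed-size stack buffer with no bound) next to a hardened header parser that refuses over-long values, and a request checker that applies the same bound to the two inputs the advisory names, the Cookie header and the query string. The buffer size HDR_VALUE_MAX, the function names and the classification policy are assumptions; the sample requests are constructed from the test URL shown in DETAILS.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity of a fixed stack buffer for one header value; the
 * real size inside waHTTP.exe is not stated in the advisory. */
#define HDR_VALUE_MAX 256

/* The bug class the advisory describes: an attacker-controlled header
 * value copied into a fixed stack buffer with no bound. Kept only for
 * contrast with the hardened routine below; it is never called here. */
void copy_header_value_unsafe(const char *value)
{
    char buf[HDR_VALUE_MAX];
    strcpy(buf, value);   /* overwrites the stack when value is too long */
}

/* Hardened copy: refuse anything that does not fit, always NUL-terminate.
 * Returns 0 on success, -1 if the value is too long. */
int copy_header_value_safe(const char *value, char *dst, size_t dstlen)
{
    size_t n = strlen(value);
    if (dstlen == 0 || n >= dstlen)
        return -1;                 /* too long: reject the request */
    memcpy(dst, value, n + 1);     /* copies the terminating NUL too */
    return 0;
}

/* Case-insensitive "Name:" match at the start of one header line. */
static int name_matches(const char *line, size_t linelen,
                        const char *name, size_t namelen)
{
    if (linelen <= namelen || line[namelen] != ':')
        return 0;
    for (size_t i = 0; i < namelen; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Find header `name` in a CRLF-separated raw request and copy its value
 * into dst with a bound. Returns 0 on success, 1 if the header is absent,
 * -1 if it is present but longer than the buffer allows. */
int get_header(const char *request, const char *name, char *dst, size_t dstlen)
{
    size_t namelen = strlen(name);
    const char *line = request;
    while (line && *line) {
        const char *eol = strstr(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (name_matches(line, linelen, name, namelen)) {
            const char *v = line + namelen + 1;
            while (v < line + linelen && (*v == ' ' || *v == '\t'))
                v++;
            size_t vlen = (size_t)(line + linelen - v);
            if (vlen >= dstlen)
                return -1;
            memcpy(dst, v, vlen);
            dst[vlen] = '\0';
            return 0;
        }
        line = eol ? eol + 2 : NULL;
    }
    return 1;
}

/* Constructed policy: 0 = acceptable, -1 = over-long Cookie value,
 * -2 = over-long query string (same bound applied to both inputs). */
int check_request(const char *request)
{
    char cookie[HDR_VALUE_MAX];
    if (get_header(request, "Cookie", cookie, sizeof cookie) < 0)
        return -1;
    const char *eol = strstr(request, "\r\n");
    const char *end = eol ? eol : request + strlen(request);
    const char *q = memchr(request, '?', (size_t)(end - request));
    if (q) {
        const char *sp = memchr(q, ' ', (size_t)(end - q));
        size_t qlen = (size_t)((sp ? sp : end) - q - 1);
        if (qlen >= HDR_VALUE_MAX)
            return -2;
    }
    return 0;
}

/* Constructed sample: the advisory's test request with a Cookie value of
 * "SID=" plus `vlen` 'A' bytes, or (in_query set) the page's SID cookie
 * and "&" plus `vlen` 'A' bytes appended to the query string. */
int check_synthetic(size_t vlen, int in_query)
{
    static char req[4096];
    char pad[3001];
    if (vlen > 3000)
        return -99;
    memset(pad, 'A', vlen);
    pad[vlen] = '\0';
    snprintf(req, sizeof req,
             "GET /webdbm?Event=DBM_INTERN_TEST&Action=REFRESH%s%s HTTP/1.0\r\n"
             "Host: localhost\r\nCookie: SID=%s\r\n\r\n",
             in_query ? "&" : "", in_query ? pad : "",
             in_query ? "E63A7F73B20A5021442BAF3C8F70B97A" : pad);
    return check_request(req);
}

int main(void)
{
    printf("short cookie: %d\n", check_synthetic(32, 0));   /* 0  */
    printf("long cookie:  %d\n", check_synthetic(1000, 0)); /* -1 */
    printf("long query:   %d\n", check_synthetic(1000, 1)); /* -2 */
    return 0;
}
```

The point of the hardened routine is that the length check happens before any copy and the rejection is surfaced to the caller, so a server built this way answers an over-long Cookie or query string with an error instead of corrupting its stack; a front-end proxy enforcing the same limits in front of port 9999 is the equivalent mitigation when the server itself cannot be patched.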


ADDITIONAL INFORMATION

The information has been provided by <mailto:mark@xxxxxxxxxxxxxxx> Mark
Litchfield.





