BugTraq
Old SAP exploits Nov 12 2006 11:35AM
Nicob (nicob nicob net)

For historical purposes only (everything should compile/run fine). A
TGZ archive is attached to this email, and a mirror is available on my
website: http://nicob.net/mirrors/sap_sploits.tgz

o testing users and passwords with RfcOpenEx (account locking bypass) :

- allows networked attacks on SAP passwords
- now deprecated in favor of THC Hydra
- needs the RFC SDK to compile
- port : TCP/3300+SYSNR
- exploit : sapchk.c

o customized RFC_SYSTEM_INFO (information disclosure) :

- will leak OS type, SAP version, real IP address, ...
- needs the RFC SDK to compile
- port : TCP/3300+SYSNR
- exploit : sap-banner.c

o original Win32 gwrd bug by FX (remote command execution) :

- patched in 4.6D patch 1767 and 6.40 patch 4
- partial control over a CreateProcess() call
- can be used for "cmd /c ..." evil
- port : UDP/3300+SYSNR
- exploit : r3mote_win_UDPexec.pl

o linux port of the gwrd bug (remote command execution) :

- patched in 4.6D patch 1767 and 6.40 patch 4
- partial control over an execve() call
- each argument but the first must be at most 8 characters long
- exploitable remotely under some conditions
- port : UDP/3300+SYSNR
- exploit : r3mote_unix_UDPexec.pl and r3mote_unix_wrapper.sh

o two bytes UDP crash in enserver.exe (remote DoS) :

- patched in 6.40 patch 6
- port : UDP/64999
- exploit : SAP_WebAS_UDP_DoS.c
- no, that's not related to the DoS published earlier this month

With many thanks to security (at) sap (dot) com, the OaiTeam, FX from Phenoelit and
all the valuable Darklab members.

Nicob
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQBFVwb6uhlqje80vsMRAoFTAKDYshxHgVVGfPXM8jP6lReGvHDMeACfTdkE
MdEqkiZ6MnOQIdcvi3TeVs0=
=kyZL
-----END PGP SIGNATURE-----
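Added example, not part of Nicob's post or archive: a small Python exposure check built only on the port scheme the post gives (gateway on 3300+SYSNR, TCP for the RFC checks and UDP for the gwrd bug; UDP/64999 for the enserver DoS). It lets an administrator find which hosts still answer on a gateway port for any system number 00-99 before deciding whether the listed patch levels apply. The target addresses are constructed placeholders. Only TCP is probed; UDP has no handshake, so those ports are reported for perimeter filtering rather than scanned.

```python
#!/usr/bin/env python3
"""Enumerate SAP gateway ports (TCP/3300+SYSNR) reachable on a set of hosts.

Port scheme taken from the post: gateway on 3300+SYSNR (TCP for the RFC
checks, UDP for the gwrd bug) and UDP/64999 for the enserver DoS.
The host list in __main__ is a constructed example, not from the post.
"""
import socket
from typing import Callable, Dict, Iterable, List, Tuple

GATEWAY_BASE = 3300        # TCP/UDP 3300+SYSNR (from the post)
ENSERVER_UDP_PORT = 64999  # UDP/64999 (from the post)


def gateway_port(sysnr: int) -> int:
    """Return the gateway port for an SAP system number (00-99)."""
    if not 0 <= sysnr <= 99:
        raise ValueError(f"SYSNR must be 00-99, got {sysnr}")
    return GATEWAY_BASE + sysnr


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_exposed_gateways(hosts: Iterable[str], sysnrs: Iterable[int],
                          probe: Callable[[str, int], bool] = tcp_open
                          ) -> Dict[str, List[Tuple[int, int]]]:
    """Map each host to the (sysnr, port) pairs whose TCP gateway port answers.

    `probe` is injectable so the logic can be exercised without a network.
    """
    sysnrs = list(sysnrs)
    found: Dict[str, List[Tuple[int, int]]] = {}
    for host in hosts:
        hits = [(n, gateway_port(n)) for n in sysnrs
                if probe(host, gateway_port(n))]
        if hits:
            found[host] = hits
    return found


def udp_ports_to_filter(sysnrs: Iterable[int]) -> List[int]:
    """UDP ports named in the post that belong on a perimeter block list.

    UDP cannot be probed reliably (no handshake), so they are listed, not scanned.
    """
    return sorted({gateway_port(n) for n in sysnrs} | {ENSERVER_UDP_PORT})


if __name__ == "__main__":
    # Constructed example targets (RFC 5737 documentation range); use your own inventory.
    targets = ["192.0.2.10", "192.0.2.11"]
    all_sysnrs = range(0, 100)
    for host, hits in find_exposed_gateways(targets, all_sysnrs).items():
        for sysnr, port in hits:
            print(f"{host}: gateway SYSNR {sysnr:02d} reachable on TCP/{port}")
    print("UDP ports to filter:", udp_ports_to_filter(all_sysnrs))
```

Run it against your own host list; a hit on TCP/33NN means a gateway for system number NN is reachable from where you ran it, which is the precondition for the RfcOpenEx and RFC_SYSTEM_INFO checks above.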
