ID ERPSCAN-11-024 Type erpscan Reporter ERPScan Modified 2010-01-04T00:00:00
Description
None
{"type": "erpscan", "published": "2010-01-04T00:00:00", "href": "https://erpscan.com/advisories/erpscan-11-024-sap-netwaver-performanceprovierroot-xss/", "objectVersion": "1.2", "bulletinFamily": "info", "cvelist": [], "cvss": {"vector": "NONE", "score": 0.0}, "hash": "b9a542ca7c487bcb543120e283eeeecaf0ed5c911ff2c0e64210c3672247c5ec", "enchantments": {"score": {"value": 2.9, "vector": "NONE", "modified": "2017-04-02T11:20:37"}, "dependencies": {"references": [{"type": "nessus", "idList": ["ORACLE_E-BUSINESS_CPU_APR_2017.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:39382"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:135416"]}, {"type": "erpscan", "idList": ["ERPSCAN-16-024", "ERPSCAN-13-024"]}], "modified": "2017-04-02T11:20:37"}, "vulnersScore": 2.9}, "lastseen": "2017-04-02T11:20:37", "viewCount": 4, "id": "ERPSCAN-11-024", "history": [{"lastseen": "2017-01-08T12:24:40", "edition": 1, "bulletin": {"type": "erpscan", "published": "2011-06-20T20:28:49", "href": "https://erpscan.com/advisories/erpscan-11-024-sap-netwaver-performanceprovierroot-xss/", "objectVersion": "1.2", "bulletinFamily": "info", "id": "ERPSCAN-11-024", "cvss": {"vector": "NONE", "score": 0.0}, "hash": "30f02c863f9f13596e5989cebeed24d9743a983cd138e46a5a13ffe2d55bb097", "lastseen": "2017-01-08T12:24:40", "viewCount": 2, "cvelist": [], "history": [], "references": [], "edition": 1, "hashmap": [{"key": "href", "hash": "96789c2d2d64b4464326643fcddffefa"}, {"key": "published", "hash": "6088d62a83ffbbf9b003fef60dedefab"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "modified", "hash": "a33ce55e955b82e4e58957ddc456c328"}, {"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "3884ed26948986c90eac232d72c64dda"}, {"key": "type", "hash": "7aa987ad7e8c4c07b62c1208b7cdb9ec"}, {"key": "reporter", "hash": "3947727f374f901847df03b135f014cf"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "75b99cad142fda8990255c2a680bdc9c"}], "reporter": "ERPScan", "modified": "2015-08-13T20:27:43", "title": "SAP NetWeaver performanceProvierRoot - XSS", "description": "**Application:** SAP NetWeaver \n**Versions Affected:** SAP NetWeaver \n**Vendor URL:** [http://www.sap.com ](<http://www.sap.com>) \n**Bugs:** Information disclose \n**Exploits:** YES \n**Reported:** 01.04.2010 \n**Vendor response:** 08.04.2010 \n**Date of Public Advisory:** 17.06.2011 \n**CVSS: 5.0 \n** **Author:**Dmitriy Chastuhin\n\n**Description** \nSAP NetWeaver performanceProviderRoot application has linked XSS vulnerability.\n\n**Business Risk** \nAn attacker can use XSS vulnerability by sending a link on malicious script to an unaware user via an e-mail, messaging or social networks. The end user browser has no way to know that the script should not be trusted, and will execute the script. The malicious script can get an access to any cookies, session tokens, or other sensitive information retained by your browser and used with SAP web applications like Portal, CRM, SRM and others. This script can even rewrite the content of an HTML page. Thus, an attacker can gain access to user session and gain control on business-critical information which can be accessed by victim.\n"}, "differentElements": ["published", "modified"]}, {"lastseen": "2017-02-25T09:02:36", "edition": 2, "bulletin": {"type": "erpscan", "published": "2010-01-04T00:00:00", "href": "https://erpscan.com/advisories/erpscan-11-024-sap-netwaver-performanceprovierroot-xss/", "objectVersion": "1.2", "bulletinFamily": "info", "id": "ERPSCAN-11-024", "cvss": {"vector": "NONE", "score": 0.0}, "hash": "18325c7ab58a1bd2583f28e243bfa3acb893013be41408cd045edbb063f04dc4", "lastseen": "2017-02-25T09:02:36", "viewCount": 2, "cvelist": [], "history": [], "references": [], "edition": 2, "hashmap": [{"key": "href", "hash": "96789c2d2d64b4464326643fcddffefa"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "5acb2f7d3fd125a3a0811b6d9b8bd755"}, {"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "modified", "hash": "5acb2f7d3fd125a3a0811b6d9b8bd755"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "3884ed26948986c90eac232d72c64dda"}, {"key": "type", "hash": "7aa987ad7e8c4c07b62c1208b7cdb9ec"}, {"key": "reporter", "hash": "3947727f374f901847df03b135f014cf"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "75b99cad142fda8990255c2a680bdc9c"}], "reporter": "ERPScan", "modified": "2010-01-04T00:00:00", "title": "SAP NetWeaver performanceProvierRoot - XSS", "description": "**Application:** SAP NetWeaver \n**Versions Affected:** SAP NetWeaver \n**Vendor URL:** [http://www.sap.com ](<http://www.sap.com>) \n**Bugs:** Information disclose \n**Exploits:** YES \n**Reported:** 01.04.2010 \n**Vendor response:** 08.04.2010 \n**Date of Public Advisory:** 17.06.2011 \n**CVSS: 5.0 \n** **Author:**Dmitriy Chastuhin\n\n**Description** \nSAP NetWeaver performanceProviderRoot application has linked XSS vulnerability.\n\n**Business Risk** \nAn attacker can use XSS vulnerability by sending a link on malicious script to an unaware user via an e-mail, messaging or social networks. The end user browser has no way to know that the script should not be trusted, and will execute the script. The malicious script can get an access to any cookies, session tokens, or other sensitive information retained by your browser and used with SAP web applications like Portal, CRM, SRM and others. This script can even rewrite the content of an HTML page. Thus, an attacker can gain access to user session and gain control on business-critical information which can be accessed by victim.\n"}, "differentElements": ["description"]}], "references": [], "edition": 3, "hashmap": [{"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "08e9de24ab150d083240557cec091d53"}, {"key": "href", "hash": "96789c2d2d64b4464326643fcddffefa"}, {"key": "modified", "hash": "5acb2f7d3fd125a3a0811b6d9b8bd755"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "5acb2f7d3fd125a3a0811b6d9b8bd755"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "3947727f374f901847df03b135f014cf"}, {"key": "title", "hash": "3884ed26948986c90eac232d72c64dda"}, {"key": "type", "hash": "7aa987ad7e8c4c07b62c1208b7cdb9ec"}], "reporter": "ERPScan", "modified": "2010-01-04T00:00:00", "title": "SAP NetWeaver performanceProvierRoot - XSS", "description": "None\n"}
{"nessus": [{"lastseen": "2019-02-21T01:30:07", "bulletinFamily": "scanner", "description": "The version of Oracle E-Business installed on the remote host is missing the April 2017 Oracle Critical Patch Update (CPU). It is, therefore, affected by the following vulnerabilities :\n\n - An unspecified flaw exists in the Oracle Marketing component within the User Interface subcomponent that allows an unauthenticated, remote attacker to impact confidentiality and integrity. This vulnerability only affects versions 12.1.1 through 12.1.3 and versions 12.2.3 through 12.2.6. (CVE-2017-3337)\n\n - An unspecified flaw exists in the Oracle Advanced Outbound Telephony component within the Interaction History subcomponent that allows an unauthenticated, remote attacker to impact confidentiality and integrity.\n This vulnerability only affects versions 12.2.3 through 12.2.6. (CVE-2017-3393)\n\n - An unspecified flaw exists in the Oracle One-to-One Fulfillment component within the Audience Workbench subcomponent that allows an unauthenticated, remote attacker to impact confidentiality and integrity. This vulnerability only affects versions 12.1.1 through 12.1.3. (CVE-2017-3432)\n\n - An unspecified flaw exists in the Oracle User Management component within the User Name/Password Management subcomponent that allows an unauthenticated, remote attacker to impact confidentiality and integrity. This vulnerability only affects version 12.1.3 and versions 12.2.3 through 12.2.6. (CVE-2017-3515)\n\n - An unspecified flaw exists in the Oracle Applications Framework component within the Popup windows lists subcomponent that allows an unauthenticated, remote attacker to impact confidentiality and integrity. This vulnerability only affects version 12.1.3 and versions 12.2.3 through 12.2.6. (CVE-2017-3528)\n\n - An unspecified flaw exists in the Oracle Scripting component within the Scripting Administration subcomponent that allows an unauthenticated, remote attacker to impact confidentiality and integrity. This vulnerability only affects versions 12.1.1 through 12.1.3 and versions 12.2.3 through 12.2.6.\n (CVE-2017-3549)\n\n - An unspecified flaw exists in the Oracle Customer Interaction History component within the Admin Console subcomponent that allows an unauthenticated, remote attacker to impact confidentiality and integrity. This vulnerability only affects versions 12.1.1 through 12.1.3. (CVE-2017-3550)\n\n - An unspecified flaw exists in the Oracle iReceivables component within the Self Registration subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. This vulnerability only affects versions 12.1.1 through 12.1.3 and versions 12.2.3 through 12.2.6. (CVE-2017-3555)\n\n - An unspecified flaw exists in the Oracle Application Object Library component within the File Management subcomponent that allows an unauthenticated, remote attacker to disclose potentially sensitive information.\n This vulnerability only affects version 12.1.3 and versions 12.2.3 through 12.2.6. (CVE-2017-3556)\n\n - An unspecified flaw exists in the Oracle One-to-One Fulfillment component within the Print Server subcomponent that allows an unauthenticated, remote attacker to impact confidentiality and integrity. This vulnerability only affects version 12.1.3 and versions 12.2.3 through 12.2.6. (CVE-2017-3557)\n\n - An unspecified flaw exists in the Oracle Payables component within the Self Service Manager subcomponent that allows an authenticated, remote attacker to impact confidentiality and integrity. This vulnerability only affects versions 12.1.1 through 12.1.3 and versions 12.2.3 through 12.2.6. (CVE-2017-3592)", "modified": "2018-11-15T00:00:00", "id": "ORACLE_E-BUSINESS_CPU_APR_2017.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99479", "published": "2017-04-19T00:00:00", "title": "Oracle E-Business Multiple Vulnerabilities (April 2017 CPU)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99479);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/11/15 20:50:23\");\n\n script_cve_id(\n \"CVE-2017-3337\",\n \"CVE-2017-3393\",\n \"CVE-2017-3432\",\n \"CVE-2017-3515\",\n \"CVE-2017-3528\",\n \"CVE-2017-3549\",\n \"CVE-2017-3550\",\n \"CVE-2017-3555\",\n \"CVE-2017-3556\",\n \"CVE-2017-3557\",\n \"CVE-2017-3592\"\n );\n script_bugtraq_id(\n 97748,\n 97757,\n 97761,\n 97764,\n 97767,\n 97770,\n 97773,\n 97777,\n 97780,\n 97783,\n 97785\n );\n\n script_name(english:\"Oracle E-Business Multiple Vulnerabilities (April 2017 CPU)\");\n script_summary(english:\"Checks for the April 2017 CPU.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application installed on the remote host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle E-Business installed on the remote host is\nmissing the April 2017 Oracle Critical Patch Update (CPU). It is,\ntherefore, affected by the following vulnerabilities :\n\n - An unspecified flaw exists in the Oracle Marketing\n component within the User Interface subcomponent that\n allows an unauthenticated, remote attacker to impact\n confidentiality and integrity. This vulnerability only\n affects versions 12.1.1 through 12.1.3 and versions\n 12.2.3 through 12.2.6. (CVE-2017-3337)\n\n - An unspecified flaw exists in the Oracle Advanced\n Outbound Telephony component within the Interaction\n History subcomponent that allows an unauthenticated,\n remote attacker to impact confidentiality and integrity.\n This vulnerability only affects versions 12.2.3 through\n 12.2.6. (CVE-2017-3393)\n\n - An unspecified flaw exists in the Oracle One-to-One\n Fulfillment component within the Audience Workbench\n subcomponent that allows an unauthenticated, remote\n attacker to impact confidentiality and integrity. This\n vulnerability only affects versions 12.1.1 through\n 12.1.3. (CVE-2017-3432)\n\n - An unspecified flaw exists in the Oracle User Management\n component within the User Name/Password Management\n subcomponent that allows an unauthenticated, remote\n attacker to impact confidentiality and integrity. This\n vulnerability only affects version 12.1.3 and versions\n 12.2.3 through 12.2.6. (CVE-2017-3515)\n\n - An unspecified flaw exists in the Oracle Applications\n Framework component within the Popup windows lists\n subcomponent that allows an unauthenticated, remote\n attacker to impact confidentiality and integrity. This\n vulnerability only affects version 12.1.3 and versions\n 12.2.3 through 12.2.6. (CVE-2017-3528)\n\n - An unspecified flaw exists in the Oracle Scripting\n component within the Scripting Administration\n subcomponent that allows an unauthenticated, remote\n attacker to impact confidentiality and integrity. This\n vulnerability only affects versions 12.1.1 through\n 12.1.3 and versions 12.2.3 through 12.2.6.\n (CVE-2017-3549)\n\n - An unspecified flaw exists in the Oracle Customer\n Interaction History component within the Admin Console\n subcomponent that allows an unauthenticated, remote\n attacker to impact confidentiality and integrity. This\n vulnerability only affects versions 12.1.1 through\n 12.1.3. (CVE-2017-3550)\n\n - An unspecified flaw exists in the Oracle iReceivables\n component within the Self Registration subcomponent\n that allows an unauthenticated, remote attacker to cause\n a denial of service condition. This vulnerability only\n affects versions 12.1.1 through 12.1.3 and versions\n 12.2.3 through 12.2.6. (CVE-2017-3555)\n\n - An unspecified flaw exists in the Oracle Application\n Object Library component within the File Management\n subcomponent that allows an unauthenticated, remote\n attacker to disclose potentially sensitive information.\n This vulnerability only affects version 12.1.3 and\n versions 12.2.3 through 12.2.6. (CVE-2017-3556)\n\n - An unspecified flaw exists in the Oracle One-to-One\n Fulfillment component within the Print Server\n subcomponent that allows an unauthenticated, remote\n attacker to impact confidentiality and integrity. This\n vulnerability only affects version 12.1.3 and versions\n 12.2.3 through 12.2.6. (CVE-2017-3557)\n\n - An unspecified flaw exists in the Oracle Payables\n component within the Self Service Manager subcomponent\n that allows an authenticated, remote attacker to impact\n confidentiality and integrity. This vulnerability only\n affects versions 12.1.1 through 12.1.3 and versions\n 12.2.3 through 12.2.6. (CVE-2017-3592)\");\n # https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixEBS\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?620f75f9\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2017 Oracle\nCritical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\",value:\"2017/04/18\");\n script_set_attribute(attribute:\"patch_publication_date\",value:\"2017/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/19\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"local\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:oracle:e-business_suite\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"oracle_e-business_query_patch_info.nbin\");\n script_require_keys(\"Oracle/E-Business/Version\", \"Oracle/E-Business/patches/installed\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"Oracle/E-Business/Version\");\npatches = get_kb_item_or_exit(\"Oracle/E-Business/patches/installed\");\n\n# Batch checks\nif (patches) patches = split(patches, sep:',', keep:FALSE);\nelse patches = make_list();\n\np12_1 = '25449171';\np12_2 = '25449173';\n\n# Check if the installed version is an affected version\naffected_versions = make_array(\n '12.1.1', make_list(p12_1),\n '12.1.2', make_list(p12_1),\n '12.1.3', make_list(p12_1),\n\n '12.2.3', make_list(p12_2),\n '12.2.4', make_list(p12_2),\n '12.2.5', make_list(p12_2),\n '12.2.6', make_list(p12_2)\n);\n\npatched = FALSE;\naffectedver = FALSE;\n\nif (affected_versions[version])\n{\n affectedver = TRUE;\n patchids = affected_versions[version];\n foreach required_patch (patchids)\n {\n foreach applied_patch (patches)\n {\n if(required_patch == applied_patch)\n {\n patched = applied_patch;\n break;\n }\n }\n if(patched) break;\n }\n if(!patched) patchreport = join(patchids,sep:\" or \");\n}\n\nif (!patched && affectedver)\n{\n if(report_verbosity > 0)\n {\n report =\n '\\n Installed version : '+version+\n '\\n Fixed version : '+version+' Patch '+patchreport+\n '\\n';\n security_hole(port:0,extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse if (!affectedver) audit(AUDIT_INST_VER_NOT_VULN, 'Oracle E-Business', version);\nelse exit(0, 'The Oracle E-Business server ' + version + ' is not affected because patch ' + patched + ' has been applied.');\n", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-04T10:01:23", "bulletinFamily": "exploit", "description": "SAP HANA 1.00.095 - hdbindexserver Memory Corruption. CVE-2015-7986. Webapps exploits for multiple platform", "modified": "2016-01-28T00:00:00", "published": "2016-01-28T00:00:00", "id": "EDB-ID:39382", "href": "https://www.exploit-db.com/exploits/39382/", "type": "exploitdb", "title": "SAP HANA 1.00.095 - hdbindexserver Memory Corruption", "sourceData": "[ERPSCAN-15-024] SAP HANA hdbindexserver - Memory corruption\r\n\r\nApplication: SAP HANA\r\nVersions Affected: SAP HANA 1.00.095\r\nVendor URL: http://SAP.com\r\nBugs: Memory corruption, RCE\r\nReported: 17.07.2015\r\nVendor response: 18.07.2015\r\nDate of Public Advisory: 13.10.2015\r\nReference: SAP Security Note 2197428\r\nAuthor: Mathieu Geli (ERPScan)\r\n\r\n\r\nDescription\r\n\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: SAP HANA 1.00.095\r\nAdvisory ID: [ERPSCAN-15-024]\r\nRisk: Hight\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-024-sap-hana-hdbindexserver-memory-corruption/\r\nDate published: 13.10.2015\r\nVendors contacted: SAP\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: Memory corruption, RCE\r\nImpact: full system compromise\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-7986\r\nCVSS Information\r\nCVSS Base Score: 9.3 / 10\r\nCVSS Base Vector:\r\nAV : Access Vector (Related exploit range)\r\n Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality\r\n Complete (C)\r\nI : Impact to Integrity\r\n Complete (C)\r\nA : Impact to Availability\r\n Complete (C)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nA buffer overflow vulnerability exists in SAP HANA interface. If an\r\nattacker has a network access to the SQL interface or the SAP HANA\r\nExtended Application Services interface of an SAP HANA system, the\r\nvulnerability enables the attacker to inject code into the working\r\nmemory that is subsequently executed by the application. It can also\r\nbe used to cause a general fault in the product causing the product to\r\nterminate.\r\n\r\nProof of concept\r\n\r\nThis authentication request should be replayed 10 times.\r\n\r\ncurl -v -XPOST http://hana:8000/sap/hana/xs/formLogin/login.xscfunc -H\r\n'Content-type: application/x-www-form-urlencoded; charset=UTF-8' -H\r\n'X-csrf-token: unsafe' -d\r\n'xs-username=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'\r\n\r\n\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nSAP HANA 1.00.095.00\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nTo correct this vulnerability, install SAP Security Note 2197428\r\n\r\n\r\n6. AUTHOR\r\n\r\nMathieu Geli (ERPScan)\r\n\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nAn anonymous attacker can use a special HTTP request to corrupt SAP\r\nHANA index server memory.\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nSend: 17.07.2015\r\nReported: 17.07.2015\r\nVendor response: 18.07.2015\r\nDate of Public Advisory: 13.10.2015\r\n\r\n\r\n9. REFERENCES\r\n\r\nhttp://erpscan.com/advisories/erpscan-15-024-sap-hana-hdbindexserver-memory-corruption/\r\n\r\n\r\n10. ABOUT ERPScan Research\r\n\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is the most respected and credible Business Application\r\nSecurity provider. Founded in 2010, the company operates globally and\r\nenables large Oil and Gas, Financial and Retail organizations to\r\nsecure their mission-critical processes. Named as an \u2018Emerging Vendor\u2019\r\nin Security by CRN, listed among \u201cTOP 100 SAP Solution providers\u201d and\r\ndistinguished by 30+ other awards, ERPScan is the leading SAP SE\r\npartner in discovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to assist in improving the\r\nsecurity of their latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security, and provide solutions to evaluate and secure SAP\r\nand Oracle ERP systems and business-critical applications from both,\r\ncyber-attacks as well as internal fraud. Usually our clients are large\r\nenterprises, Fortune 2000 companies and managed service providers\r\nwhose requirements are to actively monitor and manage security of vast\r\nSAP landscapes on a global scale.\r\nWe \u2018follow the sun\u2019 and function in two hubs, located in the Palo Alto\r\nand Amsterdam to provide threat intelligence services, agile support\r\nand operate local offices and partner network spanning 20+ countries\r\naround the globe.\r\n\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/39382/"}], "packetstorm": [{"lastseen": "2016-12-05T22:11:43", "bulletinFamily": "exploit", "description": "", "modified": "2016-01-27T00:00:00", "published": "2016-01-27T00:00:00", "href": "https://packetstormsecurity.com/files/135416/SAP-HANA-hdbindexserver-Memory-Corruption.html", "id": "PACKETSTORM:135416", "type": "packetstorm", "title": "SAP HANA hdbindexserver Memory Corruption", "sourceData": "`[ERPSCAN-15-024] SAP HANA hdbindexserver - Memory corruption \n \n \nApplication: SAP HANA \nVersions Affected: SAP HANA 1.00.095 \nVendor URL: http://SAP.com \nBugs: Memory corruption, RCE \nReported: 17.07.2015 \nVendor response: 18.07.2015 \nDate of Public Advisory: 13.10.2015 \nReference: SAP Security Note 2197428 \nAuthor: Mathieu Geli (ERPScan) \n \n \n \nDescription \n \n \n1. ADVISORY INFORMATION \n \nTitle: SAP HANA 1.00.095 \nAdvisory ID: [ERPSCAN-15-024] \nRisk: Hight \nAdvisory URL: http://erpscan.com/advisories/erpscan-15-024-sap-hana-hdbindexserver-memory-corruption/ \nDate published: 13.10.2015 \nVendors contacted: SAP \n \n2. VULNERABILITY INFORMATION \n \nClass: Memory corruption, RCE \nImpact: full system compromise \nRemotely Exploitable: Yes \nLocally Exploitable: No \nCVE Name: CVE-2015-7986 \nCVSS Information \nCVSS Base Score: 9.3 / 10 \nCVSS Base Vector: \nAV : Access Vector (Related exploit range) \nNetwork (N) \nAC : Access Complexity (Required attack complexity) Medium (M) \nAu : Authentication (Level of authentication needed to exploit) None (N) \nC : Impact to Confidentiality \nComplete (C) \nI : Impact to Integrity \nComplete (C) \nA : Impact to Availability \nComplete (C) \n \n \n \n \n \n \n3. VULNERABILITY DESCRIPTION \n \nA buffer overflow vulnerability exists in SAP HANA interface. If an \nattacker has a network access to the SQL interface or the SAP HANA \nExtended Application Services interface of an SAP HANA system, the \nvulnerability enables the attacker to inject code into the working \nmemory that is subsequently executed by the application. It can also \nbe used to cause a general fault in the product causing the product to \nterminate. \n \nProof of concept \n \nThis authentication request should be replayed 10 times. \n \ncurl -v -XPOST http://hana:8000/sap/hana/xs/formLogin/login.xscfunc -H \n'Content-type: application/x-www-form-urlencoded; charset=UTF-8' -H \n'X-csrf-token: unsafe' -d \n'xs-username=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' \n \n \n \n4. VULNERABLE PACKAGES \n \nSAP HANA 1.00.095.00 \nOther versions are probably affected too, but they were not checked. \n \n \n5. SOLUTIONS AND WORKAROUNDS \n \nTo correct this vulnerability, install SAP Security Note 2197428 \n \n \n6. AUTHOR \n \nMathieu Geli (ERPScan) \n \n \n7. TECHNICAL DESCRIPTION \n \nAn anonymous attacker can use a special HTTP request to corrupt SAP \nHANA index server memory. \n \n \n \n \n8. REPORT TIMELINE \n \nSend: 17.07.2015 \nReported: 17.07.2015 \nVendor response: 18.07.2015 \nDate of Public Advisory: 13.10.2015 \n \n \n9. REFERENCES \n \nhttp://erpscan.com/advisories/erpscan-15-024-sap-hana-hdbindexserver-memory-corruption/ \n \n10. ABOUT ERPScan Research \n \nThe company\u2019s expertise is based on the research subdivision of \nERPScan, which is engaged in vulnerability research and analysis of \ncritical enterprise applications. It has achieved multiple \nacknowledgments from the largest software vendors like SAP, Oracle, \nMicrosoft, IBM, VMware, HP for discovering more than 400 \nvulnerabilities in their solutions (200 of them just in SAP!). \nERPScan researchers are proud to have exposed new types of \nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be \nnominated for the best server-side vulnerability at BlackHat 2013. \nERPScan experts have been invited to speak, present, and train at 60+ \nprime international security conferences in 25+ countries across the \ncontinents. These include BlackHat, RSA, HITB, and private SAP \ntrainings in several Fortune 2000 companies. \nERPScan researchers lead the project EAS-SEC, which is focused on \nenterprise application security research and awareness. They have \npublished 3 exhaustive annual award-winning surveys about SAP \nsecurity. \nERPScan experts have been interviewed by leading media resources and \nfeatured in specialized info-sec publications worldwide. These include \nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, \nHeise, and Chinabyte, to name a few. \nWe have highly qualified experts in staff with experience in many \ndifferent fields of security, from web applications and \nmobile/embedded to reverse engineering and ICS/SCADA systems, \naccumulating their experience to conduct the best SAP security \nresearch. \n \n \n11. ABOUT ERPScan \nERPScan is the most respected and credible Business Application \nSecurity provider. Founded in 2010, the company operates globally and \nenables large Oil and Gas, Financial and Retail organizations to \nsecure their mission-critical processes. Named as an \u2018Emerging Vendor\u2019 \nin Security by CRN, listed among \u201cTOP 100 SAP Solution providers\u201d and \ndistinguished by 30+ other awards, ERPScan is the leading SAP SE \npartner in discovering and resolving security vulnerabilities. ERPScan \nconsultants work with SAP SE in Walldorf to assist in improving the \nsecurity of their latest solutions. \nERPScan\u2019s primary mission is to close the gap between technical and \nbusiness security, and provide solutions to evaluate and secure SAP \nand Oracle ERP systems and business-critical applications from both, \ncyber-attacks as well as internal fraud. Usually our clients are large \nenterprises, Fortune 2000 companies and managed service providers \nwhose requirements are to actively monitor and manage security of vast \nSAP landscapes on a global scale. \nWe \u2018follow the sun\u2019 and function in two hubs, located in the Palo Alto \nand Amsterdam to provide threat intelligence services, agile support \nand operate local offices and partner network spanning 20+ countries \naround the globe. \n \n \nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301 \nPhone: 650.798.5255 \nTwitter: @erpscan \nScoop-it: Business Application Security \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/135416/ERPSCAN-15-024.txt"}], "erpscan": [{"lastseen": "2018-08-31T00:36:05", "bulletinFamily": "info", "description": "None\n", "modified": "2016-01-02T00:00:00", "published": "2016-01-02T00:00:00", "id": "ERPSCAN-16-024", "href": "https://erpscan.com/advisories/erpscan-16-024-sap-sql-anywhere-mobilink-synchronization-server-buffer-overflow/", "title": "SAP SQL Anywhere MobiLink Synchronization Server - buffer overflow vulnerability", "type": "erpscan", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-02T11:20:33", "bulletinFamily": "info", "description": "None\n", "modified": "2013-04-20T00:00:00", "published": "2013-04-20T00:00:00", "href": "https://erpscan.com/advisories/erpscan-13-024-sap-emr-unwired-multiple-sql-injections/", "id": "ERPSCAN-13-024", "type": "erpscan", "title": "SAP EMR Unwired - Unauthorized access", "cvss": {"score": 0.0, "vector": "NONE"}}]}
