ID ERPSCAN-11-024 Type erpscan Reporter ERPScan Modified 2010-01-04T00:00:00
Description
None
{"type": "erpscan", "published": "2010-01-04T00:00:00", "href": "https://erpscan.com/advisories/erpscan-11-024-sap-netwaver-performanceprovierroot-xss/", "objectVersion": "1.2", "bulletinFamily": "info", "cvelist": [], "cvss": {"vector": "NONE", "score": 0.0}, "hash": "b9a542ca7c487bcb543120e283eeeecaf0ed5c911ff2c0e64210c3672247c5ec", "enchantments": {"score": {"vector": "NONE", "value": 5.0}, "vulnersScore": 5.0}, "lastseen": "2017-04-02T11:20:37", "viewCount": 4, "id": "ERPSCAN-11-024", "history": [{"lastseen": "2017-01-08T12:24:40", "edition": 1, "bulletin": {"type": "erpscan", "published": "2011-06-20T20:28:49", "href": "https://erpscan.com/advisories/erpscan-11-024-sap-netwaver-performanceprovierroot-xss/", "objectVersion": "1.2", "bulletinFamily": "info", "id": "ERPSCAN-11-024", "cvss": {"vector": "NONE", "score": 0.0}, "hash": "30f02c863f9f13596e5989cebeed24d9743a983cd138e46a5a13ffe2d55bb097", "lastseen": "2017-01-08T12:24:40", "viewCount": 2, "cvelist": [], "history": [], "references": [], "edition": 1, "hashmap": [{"key": "href", "hash": "96789c2d2d64b4464326643fcddffefa"}, {"key": "published", "hash": "6088d62a83ffbbf9b003fef60dedefab"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "modified", "hash": "a33ce55e955b82e4e58957ddc456c328"}, {"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "3884ed26948986c90eac232d72c64dda"}, {"key": "type", "hash": "7aa987ad7e8c4c07b62c1208b7cdb9ec"}, {"key": "reporter", "hash": "3947727f374f901847df03b135f014cf"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "75b99cad142fda8990255c2a680bdc9c"}], "reporter": "ERPScan", "modified": "2015-08-13T20:27:43", "title": "SAP NetWeaver performanceProvierRoot - XSS", "description": "**Application:** SAP NetWeaver \n**Versions Affected:** SAP NetWeaver \n**Vendor URL:** [http://www.sap.com ](<http://www.sap.com>) \n**Bugs:** Information disclose \n**Exploits:** YES \n**Reported:** 01.04.2010 \n**Vendor response:** 08.04.2010 \n**Date of Public Advisory:** 17.06.2011 \n**CVSS: 5.0 \n** **Author:**Dmitriy Chastuhin\n\n**Description** \nSAP NetWeaver performanceProviderRoot application has linked XSS vulnerability.\n\n**Business Risk** \nAn attacker can use XSS vulnerability by sending a link on malicious script to an unaware user via an e-mail, messaging or social networks. The end user browser has no way to know that the script should not be trusted, and will execute the script. The malicious script can get an access to any cookies, session tokens, or other sensitive information retained by your browser and used with SAP web applications like Portal, CRM, SRM and others. This script can even rewrite the content of an HTML page. Thus, an attacker can gain access to user session and gain control on business-critical information which can be accessed by victim.\n"}, "differentElements": ["published", "modified"]}, {"lastseen": "2017-02-25T09:02:36", "edition": 2, "bulletin": {"type": "erpscan", "published": "2010-01-04T00:00:00", "href": "https://erpscan.com/advisories/erpscan-11-024-sap-netwaver-performanceprovierroot-xss/", "objectVersion": "1.2", "bulletinFamily": "info", "id": "ERPSCAN-11-024", "cvss": {"vector": "NONE", "score": 0.0}, "hash": "18325c7ab58a1bd2583f28e243bfa3acb893013be41408cd045edbb063f04dc4", "lastseen": "2017-02-25T09:02:36", "viewCount": 2, "cvelist": [], "history": [], "references": [], "edition": 2, "hashmap": [{"key": "href", "hash": "96789c2d2d64b4464326643fcddffefa"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "5acb2f7d3fd125a3a0811b6d9b8bd755"}, {"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "modified", "hash": "5acb2f7d3fd125a3a0811b6d9b8bd755"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "3884ed26948986c90eac232d72c64dda"}, {"key": "type", "hash": "7aa987ad7e8c4c07b62c1208b7cdb9ec"}, {"key": "reporter", "hash": "3947727f374f901847df03b135f014cf"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "75b99cad142fda8990255c2a680bdc9c"}], "reporter": "ERPScan", "modified": "2010-01-04T00:00:00", "title": "SAP NetWeaver performanceProvierRoot - XSS", "description": "**Application:** SAP NetWeaver \n**Versions Affected:** SAP NetWeaver \n**Vendor URL:** [http://www.sap.com ](<http://www.sap.com>) \n**Bugs:** Information disclose \n**Exploits:** YES \n**Reported:** 01.04.2010 \n**Vendor response:** 08.04.2010 \n**Date of Public Advisory:** 17.06.2011 \n**CVSS: 5.0 \n** **Author:**Dmitriy Chastuhin\n\n**Description** \nSAP NetWeaver performanceProviderRoot application has linked XSS vulnerability.\n\n**Business Risk** \nAn attacker can use XSS vulnerability by sending a link on malicious script to an unaware user via an e-mail, messaging or social networks. The end user browser has no way to know that the script should not be trusted, and will execute the script. The malicious script can get an access to any cookies, session tokens, or other sensitive information retained by your browser and used with SAP web applications like Portal, CRM, SRM and others. This script can even rewrite the content of an HTML page. Thus, an attacker can gain access to user session and gain control on business-critical information which can be accessed by victim.\n"}, "differentElements": ["description"]}], "references": [], "edition": 3, "hashmap": [{"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "08e9de24ab150d083240557cec091d53"}, {"key": "href", "hash": "96789c2d2d64b4464326643fcddffefa"}, {"key": "modified", "hash": "5acb2f7d3fd125a3a0811b6d9b8bd755"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "5acb2f7d3fd125a3a0811b6d9b8bd755"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "3947727f374f901847df03b135f014cf"}, {"key": "title", "hash": "3884ed26948986c90eac232d72c64dda"}, {"key": "type", "hash": "7aa987ad7e8c4c07b62c1208b7cdb9ec"}], "reporter": "ERPScan", "modified": "2010-01-04T00:00:00", "title": "SAP NetWeaver performanceProvierRoot - XSS", "description": "None\n"}
{"cve": [{"lastseen": "2018-12-11T12:20:07", "references": ["http://www.securityfocus.com/bid/97757", "http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html", "https://erpscan.io/advisories/erpscan-17-024-dos-oracle-e-business-suite-anonymouslogin/", "http://www.securitytracker.com/id/1038299"], "description": "Vulnerability in the Oracle iReceivables component of Oracle E-Business Suite (subcomponent: Self Registration). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily \"exploitable\" vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iReceivables. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle iReceivables. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).", "edition": 6, "reporter": "NVD", "published": "2017-04-24T15:59:04", "title": "CVE-2017-3555", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2017-3555"], "scanner": [], "modified": "2018-12-10T14:29:22", "cpe": ["cpe:/a:oracle:ireceivables:12.2.5", "cpe:/a:oracle:ireceivables:12.2.6", "cpe:/a:oracle:ireceivables:12.2.4", "cpe:/a:oracle:ireceivables:12.1.1", "cpe:/a:oracle:ireceivables:12.2.3", "cpe:/a:oracle:ireceivables:12.1.3", "cpe:/a:oracle:ireceivables:12.1.2"], "id": "CVE-2017-3555", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3555", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-12-11T12:19:22", "references": ["https://erpscan.io/advisories/erpscan-16-024-sap-sql-anywhere-mobilink-synchronization-server-buffer-overflow/", "http://www.securityfocus.com/bid/91197"], "description": "Buffer overflow in the MobiLink Synchronization Server component in SAP SQL Anywhere 17 and possibly earlier allows remote authenticated users to cause a denial of service (resource consumption and process crash) by sending a crafted packet several times, aka SAP Security Note 2308778.", "edition": 2, "reporter": "NVD", "published": "2017-04-10T11:59:00", "title": "CVE-2016-10310", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2016-10310"], "scanner": [], "modified": "2018-12-10T14:29:14", "cpe": ["cpe:/a:sap:sql_anywhere:17.0"], "id": "CVE-2016-10310", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10310", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-12-11T12:18:06", "references": ["https://service.sap.com/sap/support/notes/1864518", "http://scn.sap.com/docs/DOC-8218", "http://www.securityfocus.com/bid/64314", "https://erpscan.io/advisories/erpscan-13-024-sap-emr-unwired-multiple-sql-injections/", "https://exchange.xforce.ibmcloud.com/vulnerabilities/89723"], "description": "Multiple SQL injection vulnerabilities in SAP EMR Unwired allow remote attackers to execute arbitrary SQL commands via unspecified vectors.", "edition": 4, "reporter": "NVD", "published": "2013-12-13T15:08:41", "title": "CVE-2013-7096", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2013-7096"], "scanner": [], "modified": "2018-12-10T14:29:03", "cpe": ["cpe:/a:sap:emr_unwired:-:-:~--~-~iphone_os~~"], "id": "CVE-2013-7096", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7096", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-04T10:01:23", "osvdbidlist": [], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "SAP HANA 1.00.095 - hdbindexserver Memory Corruption. CVE-2015-7986. Webapps exploits for multiple platform", "reporter": "ERPScan", "published": "2016-01-28T00:00:00", "type": "exploitdb", "title": "SAP HANA 1.00.095 - hdbindexserver Memory Corruption", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7986"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2016-01-28T00:00:00", "id": "EDB-ID:39382", "href": "https://www.exploit-db.com/exploits/39382/", "sourceData": "[ERPSCAN-15-024] SAP HANA hdbindexserver - Memory corruption\r\n\r\nApplication: SAP HANA\r\nVersions Affected: SAP HANA 1.00.095\r\nVendor URL: http://SAP.com\r\nBugs: Memory corruption, RCE\r\nReported: 17.07.2015\r\nVendor response: 18.07.2015\r\nDate of Public Advisory: 13.10.2015\r\nReference: SAP Security Note 2197428\r\nAuthor: Mathieu Geli (ERPScan)\r\n\r\n\r\nDescription\r\n\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: SAP HANA 1.00.095\r\nAdvisory ID: [ERPSCAN-15-024]\r\nRisk: Hight\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-024-sap-hana-hdbindexserver-memory-corruption/\r\nDate published: 13.10.2015\r\nVendors contacted: SAP\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: Memory corruption, RCE\r\nImpact: full system compromise\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-7986\r\nCVSS Information\r\nCVSS Base Score: 9.3 / 10\r\nCVSS Base Vector:\r\nAV : Access Vector (Related exploit range)\r\n Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality\r\n Complete (C)\r\nI : Impact to Integrity\r\n Complete (C)\r\nA : Impact to Availability\r\n Complete (C)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nA buffer overflow vulnerability exists in SAP HANA interface. If an\r\nattacker has a network access to the SQL interface or the SAP HANA\r\nExtended Application Services interface of an SAP HANA system, the\r\nvulnerability enables the attacker to inject code into the working\r\nmemory that is subsequently executed by the application. It can also\r\nbe used to cause a general fault in the product causing the product to\r\nterminate.\r\n\r\nProof of concept\r\n\r\nThis authentication request should be replayed 10 times.\r\n\r\ncurl -v -XPOST http://hana:8000/sap/hana/xs/formLogin/login.xscfunc -H\r\n'Content-type: application/x-www-form-urlencoded; charset=UTF-8' -H\r\n'X-csrf-token: unsafe' -d\r\n'xs-username=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'\r\n\r\n\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nSAP HANA 1.00.095.00\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nTo correct this vulnerability, install SAP Security Note 2197428\r\n\r\n\r\n6. AUTHOR\r\n\r\nMathieu Geli (ERPScan)\r\n\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nAn anonymous attacker can use a special HTTP request to corrupt SAP\r\nHANA index server memory.\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nSend: 17.07.2015\r\nReported: 17.07.2015\r\nVendor response: 18.07.2015\r\nDate of Public Advisory: 13.10.2015\r\n\r\n\r\n9. REFERENCES\r\n\r\nhttp://erpscan.com/advisories/erpscan-15-024-sap-hana-hdbindexserver-memory-corruption/\r\n\r\n\r\n10. ABOUT ERPScan Research\r\n\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is the most respected and credible Business Application\r\nSecurity provider. Founded in 2010, the company operates globally and\r\nenables large Oil and Gas, Financial and Retail organizations to\r\nsecure their mission-critical processes. Named as an \u2018Emerging Vendor\u2019\r\nin Security by CRN, listed among \u201cTOP 100 SAP Solution providers\u201d and\r\ndistinguished by 30+ other awards, ERPScan is the leading SAP SE\r\npartner in discovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to assist in improving the\r\nsecurity of their latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security, and provide solutions to evaluate and secure SAP\r\nand Oracle ERP systems and business-critical applications from both,\r\ncyber-attacks as well as internal fraud. Usually our clients are large\r\nenterprises, Fortune 2000 companies and managed service providers\r\nwhose requirements are to actively monitor and manage security of vast\r\nSAP landscapes on a global scale.\r\nWe \u2018follow the sun\u2019 and function in two hubs, located in the Palo Alto\r\nand Amsterdam to provide threat intelligence services, agile support\r\nand operate local offices and partner network spanning 20+ countries\r\naround the globe.\r\n\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/39382/"}], "packetstorm": [{"lastseen": "2016-12-05T22:11:43", "references": [], "edition": 1, "description": "", "reporter": "Mathieu Geli", "published": "2016-01-27T00:00:00", "type": "packetstorm", "title": "SAP HANA hdbindexserver Memory Corruption", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7986"], "modified": "2016-01-27T00:00:00", "href": "https://packetstormsecurity.com/files/135416/SAP-HANA-hdbindexserver-Memory-Corruption.html", "id": "PACKETSTORM:135416", "sourceData": "`[ERPSCAN-15-024] SAP HANA hdbindexserver - Memory corruption \n \n \nApplication: SAP HANA \nVersions Affected: SAP HANA 1.00.095 \nVendor URL: http://SAP.com \nBugs: Memory corruption, RCE \nReported: 17.07.2015 \nVendor response: 18.07.2015 \nDate of Public Advisory: 13.10.2015 \nReference: SAP Security Note 2197428 \nAuthor: Mathieu Geli (ERPScan) \n \n \n \nDescription \n \n \n1. ADVISORY INFORMATION \n \nTitle: SAP HANA 1.00.095 \nAdvisory ID: [ERPSCAN-15-024] \nRisk: Hight \nAdvisory URL: http://erpscan.com/advisories/erpscan-15-024-sap-hana-hdbindexserver-memory-corruption/ \nDate published: 13.10.2015 \nVendors contacted: SAP \n \n2. VULNERABILITY INFORMATION \n \nClass: Memory corruption, RCE \nImpact: full system compromise \nRemotely Exploitable: Yes \nLocally Exploitable: No \nCVE Name: CVE-2015-7986 \nCVSS Information \nCVSS Base Score: 9.3 / 10 \nCVSS Base Vector: \nAV : Access Vector (Related exploit range) \nNetwork (N) \nAC : Access Complexity (Required attack complexity) Medium (M) \nAu : Authentication (Level of authentication needed to exploit) None (N) \nC : Impact to Confidentiality \nComplete (C) \nI : Impact to Integrity \nComplete (C) \nA : Impact to Availability \nComplete (C) \n \n \n \n \n \n \n3. VULNERABILITY DESCRIPTION \n \nA buffer overflow vulnerability exists in SAP HANA interface. If an \nattacker has a network access to the SQL interface or the SAP HANA \nExtended Application Services interface of an SAP HANA system, the \nvulnerability enables the attacker to inject code into the working \nmemory that is subsequently executed by the application. It can also \nbe used to cause a general fault in the product causing the product to \nterminate. \n \nProof of concept \n \nThis authentication request should be replayed 10 times. \n \ncurl -v -XPOST http://hana:8000/sap/hana/xs/formLogin/login.xscfunc -H \n'Content-type: application/x-www-form-urlencoded; charset=UTF-8' -H \n'X-csrf-token: unsafe' -d \n'xs-username=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' \n \n \n \n4. VULNERABLE PACKAGES \n \nSAP HANA 1.00.095.00 \nOther versions are probably affected too, but they were not checked. \n \n \n5. SOLUTIONS AND WORKAROUNDS \n \nTo correct this vulnerability, install SAP Security Note 2197428 \n \n \n6. AUTHOR \n \nMathieu Geli (ERPScan) \n \n \n7. TECHNICAL DESCRIPTION \n \nAn anonymous attacker can use a special HTTP request to corrupt SAP \nHANA index server memory. \n \n \n \n \n8. REPORT TIMELINE \n \nSend: 17.07.2015 \nReported: 17.07.2015 \nVendor response: 18.07.2015 \nDate of Public Advisory: 13.10.2015 \n \n \n9. REFERENCES \n \nhttp://erpscan.com/advisories/erpscan-15-024-sap-hana-hdbindexserver-memory-corruption/ \n \n10. ABOUT ERPScan Research \n \nThe company\u2019s expertise is based on the research subdivision of \nERPScan, which is engaged in vulnerability research and analysis of \ncritical enterprise applications. It has achieved multiple \nacknowledgments from the largest software vendors like SAP, Oracle, \nMicrosoft, IBM, VMware, HP for discovering more than 400 \nvulnerabilities in their solutions (200 of them just in SAP!). \nERPScan researchers are proud to have exposed new types of \nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be \nnominated for the best server-side vulnerability at BlackHat 2013. \nERPScan experts have been invited to speak, present, and train at 60+ \nprime international security conferences in 25+ countries across the \ncontinents. These include BlackHat, RSA, HITB, and private SAP \ntrainings in several Fortune 2000 companies. \nERPScan researchers lead the project EAS-SEC, which is focused on \nenterprise application security research and awareness. They have \npublished 3 exhaustive annual award-winning surveys about SAP \nsecurity. \nERPScan experts have been interviewed by leading media resources and \nfeatured in specialized info-sec publications worldwide. These include \nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, \nHeise, and Chinabyte, to name a few. \nWe have highly qualified experts in staff with experience in many \ndifferent fields of security, from web applications and \nmobile/embedded to reverse engineering and ICS/SCADA systems, \naccumulating their experience to conduct the best SAP security \nresearch. \n \n \n11. ABOUT ERPScan \nERPScan is the most respected and credible Business Application \nSecurity provider. Founded in 2010, the company operates globally and \nenables large Oil and Gas, Financial and Retail organizations to \nsecure their mission-critical processes. Named as an \u2018Emerging Vendor\u2019 \nin Security by CRN, listed among \u201cTOP 100 SAP Solution providers\u201d and \ndistinguished by 30+ other awards, ERPScan is the leading SAP SE \npartner in discovering and resolving security vulnerabilities. ERPScan \nconsultants work with SAP SE in Walldorf to assist in improving the \nsecurity of their latest solutions. \nERPScan\u2019s primary mission is to close the gap between technical and \nbusiness security, and provide solutions to evaluate and secure SAP \nand Oracle ERP systems and business-critical applications from both, \ncyber-attacks as well as internal fraud. Usually our clients are large \nenterprises, Fortune 2000 companies and managed service providers \nwhose requirements are to actively monitor and manage security of vast \nSAP landscapes on a global scale. \nWe \u2018follow the sun\u2019 and function in two hubs, located in the Palo Alto \nand Amsterdam to provide threat intelligence services, agile support \nand operate local offices and partner network spanning 20+ countries \naround the globe. \n \n \nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301 \nPhone: 650.798.5255 \nTwitter: @erpscan \nScoop-it: Business Application Security \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/135416/ERPSCAN-15-024.txt"}], "erpscan": [{"lastseen": "2018-08-31T00:36:05", "references": [], "description": "None\n", "edition": 6, "reporter": "ERPScan", "published": "2016-01-02T00:00:00", "title": "SAP SQL Anywhere MobiLink Synchronization Server - buffer overflow vulnerability", "type": "erpscan", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": ["CVE-2016-10310"], "modified": "2016-01-02T00:00:00", "id": "ERPSCAN-16-024", "href": "https://erpscan.com/advisories/erpscan-16-024-sap-sql-anywhere-mobilink-synchronization-server-buffer-overflow/", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-02T11:20:33", "references": [], "edition": 3, "description": "None\n", "reporter": "ERPScan", "published": "2013-04-20T00:00:00", "type": "erpscan", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "SAP EMR Unwired - Unauthorized access", "bulletinFamily": "info", "cvelist": [], "modified": "2013-04-20T00:00:00", "href": "https://erpscan.com/advisories/erpscan-13-024-sap-emr-unwired-multiple-sql-injections/", "id": "ERPSCAN-13-024", "cvss": {"score": 0.0, "vector": "NONE"}}]}
