SAP NetWeaver SOAP RFC – Denial of Service / Integer overflow

Type erpscan
Reporter ERPScan
Modified 2010-09-12T00:00:00


Application: SAP NetWeaver Kernel
Versions Affected: Kernel 4.6 – 7.2
Vendor URL:
Bugs: XML Attribute Blow-up attack
Exploits: YES
Reported: 09.12.2010
Vendor response: 10.12.2010
Date of Public Advisory: 20.07.2011
Author: Alexey Sintsov

An integer overflow condition can be triggered via a SOAP-RFC request. In the common case, disp+work.exe (on the Windows version) is restarted. If such SOAP requests are sent regularly, the result is a denial of service. Code execution is not possible.

Business Risk
A remote attacker or insider can send a malicious packet to the SAP NetWeaver server, over the internet or from inside a company, and conduct a denial-of-service attack through memory corruption. This stops the server and all business processes running on it, which can lead to monetary and reputational loss. The attacker needs valid user credentials, with any rights, to conduct this attack. Default credentials with known passwords can also be used.