10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.967 High
EPSS
Percentile
99.6%
The remote host is running SAP DB or MaxDB, a SAP-certified open- source database supporting OLTP and OLAP.
According to its version, the Web DBM component of MaxDB on the remote host reportedly contains a buffer overflow that can be triggered by an HTTP request containing a long database name. An unauthenticated remote attacker may be able to exploit this flaw to execute arbitrary code on the affected host subject to the privileges of the ‘wahttp’ process.
Note that on Windows the ‘wahttp’ process runs with ‘SYSTEM’ privileges so a successful attack may result in a complete compromise of the affected system.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(22309);
script_version("1.19");
script_cve_id("CVE-2006-4305");
script_bugtraq_id(19660);
script_name(english:"SAP DB / MaxDB WebDBM Client Database Name Remote Overflow");
script_summary(english:"Gets version of Web DBM");
script_set_attribute(attribute:"synopsis", value:
"The remote web server is prone to a buffer overflow attack." );
script_set_attribute(attribute:"description", value:
"The remote host is running SAP DB or MaxDB, a SAP-certified open-
source database supporting OLTP and OLAP.
According to its version, the Web DBM component of MaxDB on the remote
host reportedly contains a buffer overflow that can be triggered by an
HTTP request containing a long database name. An unauthenticated
remote attacker may be able to exploit this flaw to execute arbitrary
code on the affected host subject to the privileges of the 'wahttp'
process.
Note that on Windows the 'wahttp' process runs with 'SYSTEM'
privileges so a successful attack may result in a complete compromise
of the affected system." );
script_set_attribute(attribute:"see_also", value:"http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2006-009.txt" );
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/444601/30/0/threaded" );
script_set_attribute(attribute:"solution", value:
"Upgrade to Web DBM version 7.6.00.31 or later as that is reported to
fix the issue." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"metasploit_name", value:'MaxDB WebDBM Database Parameter Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "2006/09/06");
script_set_attribute(attribute:"patch_publication_date", value: "2006/08/29");
script_set_attribute(attribute:"vuln_publication_date", value: "2006/08/29");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl", "os_fingerprint.nasl");
script_require_ports("Services/www", 9999);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
# Exit unless we're being paranoid or the target is running Windows
# to avoid false-positives with, say, the Debian MaxDB package.
os = get_kb_item("Host/OS");
if (report_paranoia < 2 && os && "Windows" >!< os) exit(0);
port = get_http_port(default:9999);
# Make sure the banner indicates it's Web DBM.
banner = get_http_banner(port:port);
if (!banner || "Server: SAP-Internet-SapDb-Server" >!< banner) exit(0);
# Get the version number.
r = http_send_recv3(method:"GET", item:"/webdbm?Page=VERSION", port:port);
if (isnull(r)) exit(0);
res = r[2];
ver = NULL;
build = NULL;
pat = '<td class="(dbmSTbvCellStd|dbmSTbvCellLast|table[0-9]).*>( )*([0-9][
0-9.-]+) *( )*</';
matches = egrep(pattern:pat, string:res);
if (matches)
{
foreach match (split(matches))
{
match = chomp(match);
m = eregmatch(pattern:pat, string:match);
if (!isnull(m))
{
if ("table" >< m[1] && m[3] !~ "^[0-9]{3}-") ver = chomp(m[3]);
if ("CellStd" >< m[1]) ver = chomp(m[3]);
if ("CellLast" >< m[1] || ("table" >< m[1] && m[3] =~ "^[0-9]{3}-"))
{
build = m[3];
if (build =~ "^([0-9][0-9][0-9])-.*")
{
build = ereg_replace(pattern:"^([0-9][0-9][0-9])-.*", replace:"\1", string:build);
build = int(build);
}
}
}
}
}
if (isnull(ver)) exit(0);
if (!isnull(build)) ver += "." + build;
# There's a problem if the version is under 7.6.00.31.
iver = split(ver, sep:'.', keep:FALSE);
if (
int(iver[0]) < 7 ||
(
int(iver[0]) == 7 &&
(
int(iver[1]) < 6 ||
(int(iver[1]) == 6 && int(iver[2]) == 0 && !isnull(iver[3]) && int(iver[3]) < 31)
)
)
)
{
report = string(
"According to its banner, MaxDB / SAP DB version ", ver, " is installed\n",
"on the remote host.\n"
);
security_hole(port:port, extra: report);
}