SAP NetWeaver SAPHostControl Command Injection

2012-08-29T00:00:00
ID SAINT:3667B0A244F8D387EABC21E46F9D2047
Type saint
Reporter SAINT Corporation
Modified 2012-08-29T00:00:00

Description

Added: 08/29/2012
BID: 55084
OSVDB: 84821

Background

SAP NetWeaver is a technology platform for building and integrating SAP business applications.

Problem

The NetWeaver management console exposes an authenticated SOAP web service interface. During the authentication phase, user-supplied values within in the SOAP request are passed as parameters to a child process. In NetWeaver 7.02 and prior, the parameters are not properly validated and may allow an attacker to execute arbitrary commands on the server.

Resolution

An update is available through the SAP customer portal. Please see SAP Security Note 1341333 (login required).

References

<http://www.contextis.com/research/blog/sap4/>

Limitations

This exploit has been tested against SAP NetWeaver 7.02 SP06 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut).

Platforms

Windows