SAINT Corporation | SAINT:C268D699CC46F8563C4B1A77D115D221 | Jun 04, 2012 - 12:00 a.m.

SAP NetWeaver Dispatcher DiagTraceR3Info Packet Parsing Vulnerability

2012-06-04 00:00:00
SAINT Corporation
download.saintcorporation.com

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.95 High (Percentile: 99.3%)

Added: 06/04/2012
CVE: CVE-2012-2611
OSVDB: 81759

Background

SAP NetWeaver is a technology platform for building and integrating SAP business applications.

Problem

SAP NetWeaver is vulnerable to a stack buffer overflow when configured with the developer trace level set to 2 or higher. The vulnerability can be triggered by sending specially crafted SAP Diag packets to remote TCP port 32## (where ## is the SAP system number) of a host running the Dispatcher service of SAP NetWeaver Application Server. The specific vulnerability is in the DiagTraceR3Info function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869.

Resolution

Contact the vendor for an update.

References

<http://cxsecurity.com/cveshow/CVE-2012-2611/>

Limitations

This exploit has been tested on SAP NetWeaver 7.01 SR1 and SAP NetWeaver 7.02 SP06 on Windows Server 2003 SP2 English (DEP OptOut).

SAP NetWeaver 7.01 SR1 only listens on IPv4.

The NetWeaver developer trace level must be set to 2 or higher for the exploit to succeed. This is done by modifying the instance profile file <install dir>\NSP\SYS\profile\NSP_DVEBMGS00_<instance name> by adding the line “rdisp/TRACE = 2”.
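Because the overflow is only reachable at trace level 2 or higher, an instance profile can be audited for that precondition. The following is an added example, not code from SAINT or SAP: it parses profile text, reports the effective rdisp/TRACE level, and derives the 32## Dispatcher port. Assumptions: the system number is read from the SAPSYSTEM parameter, the last assignment of a parameter wins, an unset rdisp/TRACE means level 1, and the sample profile is constructed.

```python
import re

# Constructed sample profile text (not taken from the advisory).
SAMPLE_PROFILE = """\
# instance profile (constructed sample)
SAPSYSTEMNAME = NSP
SAPSYSTEM = 00
INSTANCE_NAME = DVEBMGS00
rdisp/TRACE = 1
  rdisp/TRACE=2
#rdisp/TRACE = 3
"""

# "name = value" with optional surrounding whitespace.
_LINE = re.compile(r"^\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value}; a later assignment overrides an earlier
    one (assumption), and lines starting with '#' are comments."""
    params = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        m = _LINE.match(raw)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def audit(text, default_trace=1):
    """Report whether the profile meets the trace-level precondition."""
    params = parse_profile(text)
    m = re.match(r"\d+", params.get("rdisp/TRACE", ""))
    level = int(m.group()) if m else default_trace  # assumed default: 1
    sysnr = params.get("SAPSYSTEM", "")  # assumed to hold the ## in 32##
    port = 3200 + int(sysnr) if re.fullmatch(r"\d{2}", sysnr) else None
    return {
        "trace_level": level,
        "precondition_met": level >= 2,
        "dispatcher_port": port,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_PROFILE))
```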

Platforms

Windows
