Internet Communication Manager Denial Of Service Attack

2007-07-05T00:00:00
ID SECURITYVULNS:DOC:17420
Type securityvulns
Reporter Securityvulns
Modified 2007-07-05T00:00:00

Description

======= Summary ======= Name: Internet Communication Manager Denial Of Service Attack Release Date: 5 July 2007 Reference: NGS00484 Discover: Mark Litchfield <mark@ngssoftware.com> Vendor: SAP Vendor Reference: SECRES-287 Systems Affected: Confirmed on Windows (unconfirmed on *NIX) Risk: High Status: Fixed

======== TimeLine ======== Discovered: 3 January 2007 Released: 19 January 2007 Approved: 29 January 2007 Reported: 11 January 2007 Fixed: 2 May 2007 Published:

=========== Description =========== Internet Communication Manager ensures communication between the SAP Web Application Server with the WWW using the HTTP, HTTPS and SMTP protocols. ICM is part of the SAP Web Application Server and is implemented as an independent process (ICMAN.exe) and is started and monitored by the dispatcher.

The Internet Communication Manager also offers the ICM Server Cache as part of its functionality, using the ICM server cache increases performance considerably. The ICM server cache (also known as the Internet Server Cache saves HTTP(S) objects before they are sent back to the requesting client. The next time an object is requested, the application gets the contents directly from the cache before sending it to the client.

However, it is possible to configure the Web dispatcher to act as a web cache. For more information visit - http://help.sap.com/saphelp_nw04s/helpdata/en/9f/89e2edfde645fca1636fa8468d2e74/content.htm.

A method by which to determine if the Internet Communication Manager is acting as the web cache, we can make the following request:

http://target/foo.gif?sap-isc-key=ngs

An error will be returned:

500 Internal Server Error


Error: -15 Version: 7010 Component: HTTP_CACHE Date/Time: xxxxxxxxxxxxxxxx Module: http_cache.c Line: 2640 Server: Target_JP1_01 Error Tag: {-} Detail: Object not found (key='ngs')

================= Technical Details ================= By passing a URI of 264 bytes the ICMAN.exe process terminates. This includes the length of the requested file, the file extension, the ?, the paramter 'sap-isc-key=' and the value.

This is an very effective Denial of Service attack within a SAP environment.

=============== Fix Information =============== Please ensure you have the latest version

NGSSoftware Insight Security Research http://www.ngssoftware.com/ http://www.databasesecurity.com/ http://www.nextgenss.com/ +44(0)208 401 0070