SAP Internet Transaction Server

2003-09-01T00:00:00
ID SECURITYVULNS:DOC:5037
Type securityvulns
Reporter Securityvulns
Modified 2003-09-01T00:00:00

Description

To the List,




============================================================ SEC-CONSULT Security REPORT SAP Internet Transcaction Server ======================OOOOOOOOOOOO==========================

Product: ITS ITS, Version 4620.2.0.323011, Build 46B.323011 (win32/IIS 5.0)

Vulnerablities:

  • Path/information disclosure
  • Directory traversal
  • Filename truncation
  • Arbitrary file disclosure
  • Cross site scripting/Cookie Theft

Vuln.-Classes: Check out http://www.owasp.org/asac/ for more detailed information on "Attack Components" Vendor: SAP (http://www.sap.com/) Vendor-Status: vendor contacted (02.08.2003) Vendor-Patchs: SAP advice 598074,595383 and 654038

Object: wgate.dll

Exploitable: Local: --- Remote: YES

============ Introduction ============

Visit "http://www.sap.com" for additional information.

===================== Vulnerability Details =====================

1) DIRECTORY/INFO DISCLOSURE

OBJECT: wgate.dll (win32 CGI-Communication binary)

DESCRIPTION: Insufficient input- and output validation on miscellaneous userinput allows the insertion of non existing values for the following user supplied paramters:

~service ~templatelanguage ~language ~theme ~template

Thus leading to several unwanted error messages which may include sensitive information on operating-system, software version a nd the directory structure of the attacked server.

EXAMPLE: ---*--- Http-Request: http://www.server.name/scripts/wgate/pbw2/!?

with params: ~runtimemode=DM& ~language=en& ~theme=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx& ---*---

REMARKS: It might be possible that "~template" is an undocumented or forgotten variable (NOT confirmed).

2) ARBITRARY FILE DISCLOSURE (Directory Traversal / File Truncation)

OBJECT: wgate.dll (win32 CGI-Communication binary)

DESCRIPTION:

EXAMPLE: ---*--- Http-Request: http://www.server.name/scripts/wgate/pbw2/!?

with params: ~language=en& ~runtimemode=DM& ~templatelanguage=& ~language=en& ~theme=..\..& ~template=services\global.srvc++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++ ---*---

(where "+" stands for spaces "%20" uri encoded).

Above will respond with the global server configuration file "global.srvc" on an ITS default-installation.

Normally the default-template extension (.html ?) gets concatenated to the rest of the template information. Most probably somebody wanted to avoid a possible Bufferoverflow by truncating the input values if they exceed a given length. Thus making it possible to shed the ".html" extension.

For some strange reason now and then the program responds with an error-message instead of giving out the requested file. This might be due to unwanted?/additional? HTTP-Request-Header infos (NOT confirmed).

REMARKS:

The global configuration file "global.srvc" contains username and des-encrypted password ------ ~password des26(2c94f116f4393f3d) ~login Master ------

A good DES-cracker should be able to crack this password-hash either by using wordlistst or by brute-force methods (NOT confirm ed).

3) CROSS SITE SCRIPTING / COOKIE THEFT

OBJECT: wgate.dll (win32 CGI-Communication binary)

DESCRIPTION: Insufficient input- and output validation on miscellaneous userinput-parameters enables insertion of html/client side scripting tags.

EXAMPLE: ---*--- Http-Request: http://www.server.name/scripts/wgate.dll?

with params: ~service=--><img%09src=javascript:alert(1)%3bcrap ---*---

REMARKS: Due to excessive usage of cookies for managing sessions and/or states cookie-theft is very likely. There might be several other location where html/scripting tags can be inserted (NOT confirmed).

=============== GENERAL REMARKS ===============

Above findings derive from an external(black box) security test. we would like to apologize in advance for potential nonconformities and/or known issues.

==================== Recommended Hotfixes ====================

Vendor-Patches: SAP advice 598074,595383 and 654038

EOF Martin Eiszner / @2003m.eiszner@sec-consult.com

======= Contact =======

SEC-CONSULT Austria / EUROPE

0043 699 12177237 m.eiszner@sec-consult.com http://www.sec-consult.com




-- Martin Eiszner / SEC-CONSULT Austria / EUROPE

m.eiszner@sec-consult.com http://www.sec-consult.com http://www.websec.org tel: 0043 699 121772 37