{"cve": [{"lastseen": "2022-03-23T12:10:57", "description": "Stack-based buffer overflow in the LZC decompression implementation (CsObjectInt::CsDecomprLZC function in vpa106cslzc.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316.", "cvss3": {}, "published": "2015-06-02T14:59:00", "type": "cve", "title": "CVE-2015-2282", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2282"], "modified": "2018-10-09T19:56:00", "cpe": ["cpe:/a:sap:maxdb:7.6", "cpe:/a:sap:netweaver_rfc_sdk:-", "cpe:/a:sap:netweaver_abap_application_server:-", "cpe:/a:sap:netweaver_java_application_server:-", "cpe:/a:sap:maxdb:7.5", "cpe:/a:sap:gui:-", "cpe:/a:sap:rfc_library:*"], "id": "CVE-2015-2282", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2282", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:sap:maxdb:7.5:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_java_application_server:-:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_abap_application_server:-:*:*:*:*:*:*:*", "cpe:2.3:a:sap:gui:-:*:*:*:*:*:*:*", "cpe:2.3:a:sap:maxdb:7.6:*:*:*:*:*:*:*", "cpe:2.3:a:sap:rfc_library:*:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_rfc_sdk:-:*:*:*:*:*:*:*"]}], 
"threatpost": [{"lastseen": "2018-10-06T22:56:53", "bulletinFamily": "info", "cvelist": ["CVE-2015-2278", "CVE-2015-2282"], "description": "The two primary compression algorithms used by SAP SE products, some of the most popular enterprise and business management software platforms on the market, contain multiple, remotely exploitable security vulnerabilities.\n\nMartin Gallo of Core Security Consulting Services found vulnerabilities in the decompression routines of two compression algorithms deployed across SAP\u2019s line of products. SAP uses proprietary implementations of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm. Gallo was able to trigger these vulnerabilities in different scenarios to execute arbitrary code, both remotely and locally, and to cause denial of service conditions.\n\nGallo reported two vulnerabilities, CVE-2015-2282 and CVE-2015-2278, an out-of-bounds write and an out-of-bounds read respectively, which he described on [the Full Disclosure Mailing List](<http://seclists.org/fulldisclosure/2015/May/50>). Gallo released the details of these bugs in coordination with SAP, which has resolved these vulnerabilities, though admins will have to install the patches in order to protect their systems.\n\nVulnerable products include, but are not limited to, the SAP Netweaver Application Server ABAP, SAP Netweaver Application Server Java, SAP Netweaver RFC SDK, SAP RFC SDK, SAP GUI, SAP MaxDB database and SAPCAR archive tool. These are merely the products that Gallo tested. It remains possible that other products and versions are vulnerable as well.\n\nSAP products use the LZC and LZH algorithms to compress data in transit and for distributing files. The same implementation was also shipped in the open-source releases of MaxDB and reused by a number of open-source security tools.\n\nThe code that handles decompression for LZC is prone to memory corruption via a stack-based buffer overflow, which is caused by the out-of-bounds write mentioned above. 
The LZH algorithm vulnerability is caused by an out-of-bounds read of a buffer used by the decompression routine when performing lookups of non-simple codes.\n\nAn attacker could potentially trigger these vulnerabilities in server-side components of Netweaver by sending specially crafted packets. On the client side, an attacker could send a specially crafted .CAR or .SAR archive file intended for decompression, or deploy a rogue SAP server and convince users to connect to it via their SAP user interface. Man-in-the-middle attacks are also possible because most of the affected services do not encrypt communications by default.\n\nGallo first discovered the bugs in January. Core Security and SAP worked together to disclose them in a coordinated manner.\n", "modified": "2015-05-13T19:30:15", "published": "2015-05-13T15:30:15", "id": "THREATPOST:3A5ADCA0440B71D3D70B48185EB53ECD", "href": "https://threatpost.com/remotely-exploitable-vulnerabilities-in-sap-compression-algorithms/112808/", "type": "threatpost", "title": "Remotely Exploitable Vulnerabilities in SAP Compression Algorithms", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "coresecurity": [{"lastseen": "2022-04-29T01:31:24", "description": "### 1\\. Advisory Information\n\n**Title: **SAP LZC/LZH Compression Multiple Vulnerabilities \n**Advisory ID: **CORE-2015-0009 \n**Advisory URL: **<https://www.coresecurity.com/core-labs/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities> \n**Date published: **2015-05-12 \n**Date of last update: **2015-05-12 \n**Vendors contacted: **SAP \n**Release mode: **Coordinated release\n\n### 2\\. 
Vulnerability Information\n\n**Class: **Out-of-bounds Write [[CWE-787](<http://cwe.mitre.org/data/definitions/787.html>)], Out-of-bounds Read [[CWE-125](<http://cwe.mitre.org/data/definitions/125.html>)] \n**Impact: **Denial of service \n**Remotely Exploitable: **Yes \n**Locally Exploitable: **Yes \n**CVE Name: **[CVE-2015-2282](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2282>), [CVE-2015-2278](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2278>)\n\n### 3\\. Vulnerability Description\n\nSAP products make use of a proprietary implementation of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm [1] . These compression algorithms are used across several SAP products and programs. Vulnerabilities were found in the decompression routines that could be triggered in different scenarios, and could lead to execution of arbitrary code and denial of service conditions.\n\n### 4\\. Vulnerable Packages\n\n * SAP Netweaver Application Server ABAP.\n * SAP Netweaver Application Server Java.\n * SAP Netweaver RFC SDK\n * SAP RFC SDK\n * SAP GUI\n * SAP MaxDB database\n * SAPCAR archive tool\n\nOther products and versions might be affected, but they were not tested.\n\n### 5\\. Vendor Information, Solutions and Workarounds\n\nSAP published the following Security Notes:\n\n * 2124806\n * 2121661\n * 2127995\n * 2125316\n\nThey can be accessed by SAP clients in their Support Portal [14].\n\nDevelopers who used the Open Source versions of MaxDB 7.5 and 7.6 for their tools should contact SAP.\n\n### 6\\. Credits\n\nThis vulnerability was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Joaqu\u00edn Rodr\u00edguez Varela from Core Advisories Team.\n\n### 7\\. 
Technical Description / Proof of Concept Code\n\nSAP products make use of the LZC and LZH algorithms for compressing in-transit data for different services (Diag protocol, RFC protocol, MaxDB protocol) and for distributing files (SAPCAR program). The implementation of these algorithms was also included in the Open Source versions of MaxDB 7.5 and 7.6 [2], and reused in multiple Open Source security-related programs [3][4][5][6][7][8][9][10].\n\nThe code that handles the decompression of LZC and LZH compressed data is prone to two memory corruption vulnerabilities, as described below.\n\n#### 7.1. LZC decompression stack-based buffer overflow\n\nThe vulnerability [[CVE-2015-2282](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2282>)] is caused by an out-of-bounds write to a stack buffer used by the decompression routine to write the output characters.\n\nThe following snippet of code shows the vulnerable function [file vpa106cslzc.cpp in the MaxDB source code [11]]. This piece of code can be reached by decompressing a specially crafted buffer.\n \n    [..]\n    int CsObjectInt::CsDecomprLZC (SAP_BYTE * inbuf,\n                                   SAP_INT inlen,\n                                   SAP_BYTE * outbuf,\n                                   SAP_INT outlen,\n                                   SAP_INT option,\n                                   SAP_INT * bytes_read,\n                                   SAP_INT * bytes_written)\n    [..]\n      /* Generate output characters in reverse order ...................*/\n      while (code >= 256)\n      {\n        *stackp++ = TAB_SUFFIXOF(code);\n        OVERFLOW_CHECK\n        code = TAB_PREFIXOF(code);\n      }\n    [..]\n\nNote that the \"code\" variable holds an attacker-controlled value. Each iteration pushes one byte onto the stack buffer and follows the prefix table, so the loop only terminates when the chain reaches a code below 256; a prefix chain that is longer than the stack buffer (for instance, a prefix table containing a cycle) overflows it. Because the attacker also controls the values stored in the prefix and suffix tables, the stack can be filled with arbitrary values.\n\nIt's also worth mentioning that the above code includes a macro for performing some bounds checks on the stack pointer (\"OVERFLOW_CHECK\"). 
However, the check implemented by this macro is not sufficient to avoid this vulnerability and could also lead to fault conditions when decompressing valid buffers. Moreover, vulnerable products and programs were built without this macro enabled (the \"CS_STACK_CHECK\" macro was not defined at compile time).\n\n#### 7.2. LZH decompression out-of-bounds read\n\nThe vulnerability [[CVE-2015-2278](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2278>)] is caused by an out-of-bounds read of a buffer used by the decompression routine when performing look-ups of non-simple codes.\n\nThe following piece of code shows the vulnerable function [file vpa108csulzh.cpp in the MaxDB source code [12]]. This piece of code can be reached by decompressing a specially crafted buffer.\n \n    [..]\n    int CsObjectInt::BuildHufTree (\n        unsigned * b,   /* code lengths in bits (all assumed <= BMAX) */\n        unsigned n,     /* number of codes (assumed <= N_MAX) */\n        unsigned s,     /* number of simple-valued codes (0..s-1) */\n        int * d,        /* list of base values for non-simple codes */\n        int * e,        /* list of extra bits for non-simple codes */\n        HUFTREE **t,    /* result: starting table */\n        int * m)        /* maximum lookup bits, returns actual */\n    [..]\n      if (p >= v + n)\n      {\n        r.e = INVALIDCODE;    /* out of values--invalid code */\n      }\n      else if (*p < s)\n      {                       /* 256 is end-of-block code */\n        r.e = (unsigned char)(*p < 256 ? LITCODE : EOBCODE);\n        r.v.n = (unsigned short) *p;    /* simple code is just the value*/\n        p++;\n      }\n      else\n      {\n        r.e = (unsigned char) e[*p - s];    /*non-simple,look up in lists*/\n        r.v.n = (unsigned short) d[*p - s];\n        p++;\n      }\n    [..]\n\nThe \"e\" and \"d\" arrays are indexed with \"*p - s\", where \"*p\" is a code value taken from the attacker-controlled input. The only test applied to it is \"*p < s\", so a code value large enough to place \"*p - s\" beyond the end of \"d\" and \"e\" results in an out-of-bounds read when this branch is reached.\n\n#### 7.3. Attack scenarios\n\nThe vulnerabilities affect a varied range of products and programs. The attack scenarios differ based on the way each product makes use of the compression libraries. 
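What a bounded version of the two loops looks like, added here as an example and not taken from SAP, MaxDB or this advisory: the first function reproduces the shape of the 7.1 loop without any check, the second bounds it, and the third bounds the 7.2 lookup. The 12-bit code space, the literal range below 256, the stack size and the sample prefix, suffix, d and e tables are assumptions constructed for the example. The LZC check relies on a property of every encoder-built table, namely that each new code refers to an older, lower-numbered code as its prefix, so a valid chain strictly decreases and an entry that points at or above the current code can only come from a corrupted stream.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy model of the decoder paths in 7.1 and 7.2 (assumed: 12-bit LZC code
 * space, literal codes below 256, tables already populated from attacker
 * controlled input). Not SAP or MaxDB code. */
#define LZC_TABLE_SIZE 4096u
#define LZC_FIRST_CODE 256u

/* 7.1 shape: walk the prefix chain pushing suffix bytes with no bound, so a
 * chain longer than the stack (e.g. a cycle) writes past it. Contrast only. */
static size_t lzc_emit_unchecked(const uint16_t *prefix, const uint8_t *suffix,
                                 unsigned code, uint8_t *stack)
{
    uint8_t *stackp = stack;
    while (code >= LZC_FIRST_CODE) {
        *stackp++ = suffix[code];
        code = prefix[code];
    }
    *stackp++ = (uint8_t)code;
    return (size_t)(stackp - stack);
}

/* Hardened form: returns bytes pushed or -1 on a malformed chain. An encoder
 * gives every new code a prefix that is an older, lower code, so a valid
 * chain strictly decreases; a prefix >= the current code is corruption. */
static int lzc_emit_checked(const uint16_t *prefix, const uint8_t *suffix,
                            unsigned max_code, unsigned code,
                            uint8_t *stack, size_t stack_len)
{
    size_t n = 0;
    while (code >= LZC_FIRST_CODE) {
        unsigned next;
        if (code > max_code || code >= LZC_TABLE_SIZE) return -1; /* unassigned */
        if (n >= stack_len) return -1;                            /* stack full */
        stack[n++] = suffix[code];
        next = prefix[code];
        if (next >= code) return -1;                              /* cycle */
        code = next;
    }
    if (n >= stack_len) return -1;
    stack[n++] = (uint8_t)code;
    return (int)n;
}

/* 7.2 shape: the BuildHufTree branch, with ne = number of entries in d and
 * e. The original compares the code only against s; here an index past ne
 * is reported as INVALIDCODE, as BuildHufTree already does for p >= v + n. */
enum { LITCODE = 1, EOBCODE = 2, INVALIDCODE = 99 };
typedef struct { unsigned char e; unsigned short n; } huf_entry;
static huf_entry lzh_lookup_checked(unsigned code, unsigned s,
                                    const int *d, const int *e, size_t ne)
{
    huf_entry r = { INVALIDCODE, 0 };
    if (code < s) {
        r.e = (unsigned char)(code < 256 ? LITCODE : EOBCODE);
        r.n = (unsigned short)code;
    } else if ((size_t)(code - s) < ne) {  /* the missing bound */
        r.e = (unsigned char)e[code - s];
        r.n = (unsigned short)d[code - s];
    }
    return r;
}

/* Constructed samples. LZC: 256 = a+b, 257 = 256+c are well formed; 258 and
 * 259 point at each other, the cycle a crafted stream can produce. LZH:
 * s = 257 simple codes followed by four non-simple ones. */
static uint16_t g_prefix[LZC_TABLE_SIZE];
static uint8_t g_suffix[LZC_TABLE_SIZE];
static const int g_d[4] = { 3, 4, 5, 6 }, g_e[4] = { 10, 11, 12, 13 };
static void build_sample_tables(void)
{
    g_prefix[256] = 97;  g_suffix[256] = 98;
    g_prefix[257] = 256; g_suffix[257] = 99;
    g_prefix[258] = 259; g_suffix[258] = 100;
    g_prefix[259] = 258; g_suffix[259] = 101;
}

/* Hardened LZC walk over the sample table; -1 means the chain was rejected. */
static int demo_lzc_checked(unsigned code)
{
    uint8_t stack[16];
    build_sample_tables();
    return lzc_emit_checked(g_prefix, g_suffix, 259, code, stack, sizeof stack);
}

/* Unchecked walk; only safe for the well-formed codes 97, 256 and 257. */
static int demo_lzc_unchecked(unsigned code)
{
    uint8_t stack[16];
    build_sample_tables();
    return (int)lzc_emit_unchecked(g_prefix, g_suffix, code, stack);
}

/* Hardened LZH lookup; returns the entry kind (the e field). */
static int demo_lzh_checked(unsigned code)
{
    return lzh_lookup_checked(code, 257, g_d, g_e, 4).e;
}
```

Running the unchecked walk on the cyclic entries 258 and 259 of the sample table would reproduce the 7.1 overflow, which is why the demo only feeds it well-formed codes; the hardened walk returns -1 for them, and the hardened lookup returns INVALIDCODE for any code whose offset from s lands at or past the four sample entries.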
At the very least, the following scenarios can be identified:\n\n##### 7.3.1. Attacks against server-side components\n\nSAP Netweaver services like Dispatcher or Gateway handle compressed requests coming from the different clients connecting to them. A remote unauthenticated attacker might be able to connect to the aforementioned services and trigger the vulnerabilities by sending specially crafted packets.\n\n##### 7.3.2. Client-side attacks\n\nAn attacker might be able to perform client-side attacks against users of the affected programs that handle compressed data. For instance, an attacker might send a specially crafted .CAR or .SAR archive file aimed at being decompressed using the SAPCAR tool, or mount a rogue SAP server offering Dispatcher and entice users to connect to this malicious server using SAP GUI.\n\n##### 7.3.3. Man-in-the-middle attacks\n\nAs most of the services affected by these issues are not encrypted by default, an attacker might be able to perform a man-in-the-middle attack and trigger the vulnerabilities by injecting malicious packets within the communication.\n\n#### 7.4. Looking in binaries for compression routines\n\nThe LZC and LZH compression algorithm routines are statically compiled into the different binaries of the affected products and programs. It's possible to check whether a binary includes these functions by looking for the constant tables the routines use. A hit is a strong indicator that the routines are present; the absence of a hit only means those exact byte sequences were not found contiguously and does not prove the routines are absent.\n\nThe following Radare [13] command can be used to check if a binary file includes the mentioned constants:\n \n    $ rafind2 -x fffefcf8f0e0c080 -x 0103070f1f3f7fff <binary_file>\n\nExample output:\n \n    $ rafind2 -X -x fffefcf8f0e0c080 -x 0103070f1f3f7fff SAPCAR64\n\n    SAPCAR64: 000 @ 0x1082c1\n     offset     0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF\n    0x001082c1  0103 070f 1f3f 7fff fffe fcf8 f0e0 c080  .....?..........\n    0x001082d1  0000 0000 0000 0000 0000 0000 0000 0000  ................\n    0x001082e1  0000 0000 0000 0000 0000 0000 0000 0004  ................\n    
0x001082f1 0000 0004 0000 0010 0000 0000 0000 0006 ................ 0x00108301 0000 0008 0000 0010 0000 0000 0000 .............. \n \n\n### 8\\. Report Timeline\n\n * **2015-01-20: **Core Security sends an initial notification to SAP. Publication date set to Mar 10, 2015 (Patch Tuesday).\n * **2015-01-21: ** SAP confirms reception and requests a draft version of the advisory.\n * **2015-01-21: **Core Security sends the draft version of the advisory to the vendor.\n * **2015-01-21: ** SAP confirms reception of the report and assigns the following security message Number: 55318 2015.\n * **2015-01-22: ** SAP asks if the two vulnerable functions mentioned in the draft are the only ones affected by these vulnerabilities.\n * **2015-01-22: **Core Security informs the vendor that researchers were only able to trigger the vulnerabilities in the functions mentioned in the draft advisory. In case they find other instances where the vulnerabilities can be triggered, Core requests to be informed.\n * **2015-01-30: **Core Security asks the vendor if they were able to verify the vulnerabilities in order to coordinate a proper release date.\n * **2015-02-02: ** SAP states that they verified and confirmed the vulnerabilities, are working on a solution, and will provide an update once the solution plan is finished.\n * **2015-02-04: ** SAP states that they will be able to provide a fix by May's Patch Tuesday, 2015, and not March as requested. They also request to know how the advisory is going to be published and if we have any plans to include them in any upcoming presentations.\n * **2015-02-10: ** SAP requests confirmation of their previous email in order to coordinate the advisory for the May 12th, 2015.\n * **2015-02-18: **Core Security informs SAP that the date is confirmed and that researchers might present something after the publication of the advisory.\n * **2015-02-19: ** SAP states that it is thankful for Core's commitment to go for a coordinated release. 
They say they will keep us updated.\n * **2015-05-07: **Core Security reminds SAP that the proposed fix is due to be released the following week and that Core would like to resume communications in order to publish its findings in a coordinated manner.\n * **2015-05-07: ** SAP informs Core that it is on track to release the security notes as part of its May patch day (May 12th, 2015).\n * **2015-05-11: **Core Security asks SAP for the specific time at which it plans to publish its security notes and requests a tentative link so it can be included in Core's advisory. Additionally, Core sends SAP a tentative fix for the source code that it plans to include in its advisory, for review, and a list of tools that used the vulnerable code so SAP can contact their owners and inform them of the fix.\n * **2015-05-12: ** SAP states that it published 4 security notes regarding the reported issues. SAP requests that Core wait 3 months before publishing its findings and that Core send SAP the advisory before it is published.\n * **2015-05-12: **Core Security requests that SAP fix the external ID (Core's ID) it used and offers Core's publication link. Additionally, Core explains that it is its policy to release its findings the same day the vendor does. Core also reminds SAP that it is still waiting for a reply to its previous email.\n * **2015-05-12: ** Advisory CORE-2015-0009 published.\n\n### 9\\. References\n\n[1] <http://en.wikipedia.org/wiki/LZ77_and_LZ78>. \n[2] <ftp://ftp.sap.com/pub/maxdb/current/7.6.00/>. \n[3] <http://conus.info/utils/SAP_pkt_decompr.txt>. \n[4] <https://github.com/sensepost/SAPProx>. \n[5] <https://github.com/sensepost/SapCap>. \n[6] <https://github.com/CoreSecurity/pysap>. \n[7] <https://github.com/CoreSecurity/SAP-Dissection-plug-in-for-Wireshark>. \n[8] <https://github.com/daberlin/sap-reposrc-decompressor>. \n[9] <https://labs.mwrinfosecurity.com/tools/sap-decom/>. \n[10] <http://www.oxid.it/cain.html>. 
\n[11] <http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa106cslzc_8cpp-source.html>. \n[12] <http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa108csulzh_8cpp-source.html>. \n[13] <http://radare.org/y/>. \n[14] <https://service.sap.com/securitynotes>.\n\n### 10\\. About CoreLabs\n\nCoreLabs, the research center of Core Security, A HelpSystems Company is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team consists of seasoned researchers who regularly discover and disclose vulnerabilities, informing product owners so that a fix can be released efficiently and customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at <https://www.coresecurity.com/core-labs>. \n\n### 11\\. About Core Security, A HelpSystems Company\n\nCore Security, a HelpSystems Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at [www.coresecurity.com](<https://www.coresecurity.com>).\n\nCore Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [email protected]. \n\n### 12\\. 
Disclaimer\n\nThe contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>\n\n## 13\\. PGP/GPG Keys\n\nThis advisory has been signed with the GPG key of Core Security advisories team.\n", "cvss3": {}, "published": "2015-05-12T00:00:00", "type": "coresecurity", "title": "SAP LZC LZH Compression Multiple Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2278", "CVE-2015-2282"], "modified": "2015-05-12T00:00:00", "id": "CORE-2015-0009", "href": "https://www.coresecurity.com/core-labs/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:59", "description": "\r\n\r\n1. Advisory Information\r\n\r\nTitle: SAP LZC/LZH Compression Multiple Vulnerabilities\r\nAdvisory ID: CORE-2015-0009\r\nAdvisory URL: http://www.coresecurity.com/advisories/sap-lzc-lzh-compression-multiple-vulnerabilities\r\nDate published: 2015-05-12\r\nDate of last update: 2015-05-12\r\nVendors contacted: SAP\r\nRelease mode: Coordinated release\r\n\r\n2. Vulnerability Information\r\n\r\nClass: Out-of-bounds Write [CWE-787], Out-of-bounds Read [CWE-125]\r\nImpact: Denial of service\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: Yes\r\nCVE Name: CVE-2015-2282, CVE-2015-2278\r\n\r\n\r\n3. 
Vulnerability Description\r\n\r\nSAP products make use of a proprietary implementation of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm [1] . These compression algorithms are used across several SAP products and programs. Vulnerabilities were found in the decompression routines that could be triggered in different scenarios, and could lead to execution of arbitrary code and denial of service conditions.\r\n\r\n\r\n4. Vulnerable Packages\r\n\r\nSAP Netweaver Application Server ABAP.\r\nSAP Netweaver Application Server Java.\r\nSAP Netweaver RFC SDK\r\nSAP RFC SDK\r\nSAP GUI\r\nSAP MaxDB database\r\nSAPCAR archive tool\r\nOther products and versions might be affected, but they were not tested.\r\n\r\n\r\n5. Vendor Information, Solutions and Workarounds\r\n\r\nSAP published the following Security Notes:\r\n\r\n2124806\r\n2121661\r\n2127995\r\n2125316\r\nThey can be accessed by SAP clients in their Support Portal [15].\r\n\r\nDevelopers who used the Open Source versions of MaxDB 7.5 and 7.6 for their tools should contact SAP.\r\n\r\n\r\n6. Credits\r\n\r\nThis vulnerability was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team.\r\n\r\n\r\n\r\n7. Technical Description / Proof of Concept Code\r\n\r\nSAP products make use of LZC and LZH algorithms for compressing in-transit data for different services (Diag protocol, RFC protocol, MaxDB protocol) and for distributing files (SAPCAR program). The implementation of this algorithm was also included in Open Source versions of MaxDB 7.5 and 7.6 [2], and used on multiple Open Source security-related programs [3][4][5][6][7][8][9][10][11].\r\n\r\nThe code that handles the decompression of LZC and LZH compressed data is prone to two memory corruption vulnerabilities, as described below.\r\n\r\n7.1. 
LZC decompression stack-based buffer overflow\r\n\r\nThe vulnerability [CVE-2015-2282] is caused by an out-of-bounds write to a stack buffer used by the decompression routine to write the output characters.\r\n\r\nThe following snippet of code shows the vulnerable function [file vpa106cslzc.cpp in the MaxDB source code [12]]. This piece of code can be reached by decompressing a specially crafted buffer.\r\n\r\n \r\n[..]\r\nint CsObjectInt::CsDecomprLZC (SAP_BYTE * inbuf,\r\n                               SAP_INT inlen,\r\n                               SAP_BYTE * outbuf,\r\n                               SAP_INT outlen,\r\n                               SAP_INT option,\r\n                               SAP_INT * bytes_read,\r\n                               SAP_INT * bytes_written)\r\n[..]\r\n  /* Generate output characters in reverse order ...................*/\r\n  while (code >= 256)\r\n  {\r\n    *stackp++ = TAB_SUFFIXOF(code);\r\n    OVERFLOW_CHECK\r\n    code = TAB_PREFIXOF(code);\r\n  }\r\n[..]\r\n \r\nNote that the "code" variable holds an attacker-controlled value. Each iteration pushes one byte onto the stack buffer and follows the prefix table, so the loop only terminates when the chain reaches a code below 256; a prefix chain that is longer than the stack buffer (for instance, a prefix table containing a cycle) overflows it. Because the attacker also controls the values stored in the prefix and suffix tables, the stack can be filled with arbitrary values.\r\n\r\nIt's also worth mentioning that the above code includes a macro for performing some bounds checks on the stack pointer ("OVERFLOW_CHECK"). However, the check implemented by this macro is not sufficient to avoid this vulnerability and could also lead to fault conditions when decompressing valid buffers. Moreover, vulnerable products and programs were built without this macro enabled (the "CS_STACK_CHECK" macro was not defined at compile time).\r\n\r\n7.2. LZH decompression out-of-bounds read\r\n\r\nThe vulnerability [CVE-2015-2278] is caused by an out-of-bounds read of a buffer used by the decompression routine when performing look-ups of non-simple codes.\r\n\r\nThe following piece of code shows the vulnerable function [file vpa108csulzh.cpp in the MaxDB source code [13]]. 
This piece of code can be reached by decompressing a specially crafted buffer.\r\n\r\n \r\n[..]\r\nint CsObjectInt::BuildHufTree (\r\n    unsigned * b,   /* code lengths in bits (all assumed <= BMAX) */\r\n    unsigned n,     /* number of codes (assumed <= N_MAX) */\r\n    unsigned s,     /* number of simple-valued codes (0..s-1) */\r\n    int * d,        /* list of base values for non-simple codes */\r\n    int * e,        /* list of extra bits for non-simple codes */\r\n    HUFTREE **t,    /* result: starting table */\r\n    int * m)        /* maximum lookup bits, returns actual */\r\n[..]\r\n  if (p >= v + n)\r\n  {\r\n    r.e = INVALIDCODE;    /* out of values--invalid code */\r\n  }\r\n  else if (*p < s)\r\n  {                       /* 256 is end-of-block code */\r\n    r.e = (unsigned char)(*p < 256 ? LITCODE : EOBCODE);\r\n    r.v.n = (unsigned short) *p;    /* simple code is just the value*/\r\n    p++;\r\n  }\r\n  else\r\n  {\r\n    r.e = (unsigned char) e[*p - s];    /*non-simple,look up in lists*/\r\n    r.v.n = (unsigned short) d[*p - s];\r\n    p++;\r\n  }\r\n[..]\r\n \r\nThe "e" and "d" arrays are indexed with "*p - s", where "*p" is a code value taken from the attacker-controlled input. The only test applied to it is "*p < s", so a code value large enough to place "*p - s" beyond the end of "d" and "e" results in an out-of-bounds read when this branch is reached.\r\n\r\n7.3. Attack scenarios\r\n\r\nThe vulnerabilities affect a varied range of products and programs. The attack scenarios differ based on the way each product makes use of the compression libraries. At the very least, the following scenarios can be identified:\r\n\r\n7.3.1. Attacks against server-side components\r\n\r\nSAP Netweaver services like Dispatcher or Gateway handle compressed requests coming from the different clients connecting to them. A remote unauthenticated attacker might be able to connect to the aforementioned services and trigger the vulnerabilities by sending specially crafted packets.\r\n\r\n7.3.2. Client-side attacks\r\n\r\nAn attacker might be able to perform client-side attacks against users of the affected programs that handle compressed data. 
For instance, an attacker might send a specially crafted .CAR or .SAR archive file aimed at being decompressed using the SAPCAR tool, or mount a rogue SAP server offering Dispatcher and entice users to connect to this malicious server using SAP GUI.\r\n\r\n7.3.3. Man-in-the-middle attacks\r\n\r\nAs most of the services affected by these issues are not encrypted by default, an attacker might be able to perform a man-in-the-middle attack and trigger the vulnerabilities by injecting malicious packets within the communication.\r\n\r\n7.4. Looking in binaries for compression routines\r\n\r\nThe LZC and LZH compression algorithm routines are statically compiled in the different binaries of the affected products and programs. It's possible to check if a binary includes these functions by looking at whether the algorithm's constants are used in the program.\r\n\r\nThe following Radare [14] command can be used to check if a binary file includes the mentioned constants:\r\n\r\n \r\n$ rafind2 -x fffefcf8f0e0c080 -x 0103070f1f3f7fff <binary_file>\r\n \r\nExample output:\r\n\r\n \r\n$ rafind2 -X -x fffefcf8f0e0c080 -x 0103070f1f3f7fff SAPCAR64 \r\n\r\nSAPCAR64: 000 @ 0x1082c1\r\n offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF\r\n0x001082c1 0103 070f 1f3f 7fff fffe fcf8 f0e0 c080 .....?..........\r\n0x001082d1 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n0x001082e1 0000 0000 0000 0000 0000 0000 0000 0004 ................\r\n0x001082f1 0000 0004 0000 0010 0000 0000 0000 0006 ................\r\n0x00108301 0000 0008 0000 0010 0000 0000 0000 .............. \r\n \r\n\r\n\r\n8. Report Timeline\r\n\r\n2015-01-20: Core Security sends an initial notification to SAP. 
Publication date set to Mar 10, 2015 (Patch Tuesday).\r\n2015-01-21: SAP confirms reception and requests a draft version of the advisory.\r\n2015-01-21: Core Security sends the draft version of the advisory to the vendor.\r\n2015-01-21: SAP confirms reception of the report and assigns the following security message Number: 55318 2015.\r\n2015-01-22: SAP asks if the two vulnerable functions mentioned in the draft are the only ones affected by these vulnerabilities.\r\n2015-01-22: Core Security informs the vendor that researchers were only able to trigger the vulnerabilities in the functions mentioned in the draft advisory. In case they find other instances where the vulnerabilities can be triggered, Core requests to be informed.\r\n2015-01-30: Core Security asks the vendor if they were able to verify the vulnerabilities in order to coordinate a proper release date.\r\n2015-02-02: SAP states that they verified and confirmed the vulnerabilities, are working on a solution, and will provide an update once the solution plan is finished.\r\n2015-02-04: SAP states that they will be able to provide a fix by May's Patch Tuesday, 2015, and not March as requested. They also request to know how the advisory is going to be published and if we have any plans to include them in any upcoming presentations.\r\n2015-02-10: SAP requests confirmation of their previous email in order to coordinate the advisory for the May 12th, 2015.\r\n2015-02-18: Core Security informs SAP that the date is confirmed and that researchers might present something after the publication of the advisory.\r\n2015-02-19: SAP states that it is thankful for Core's commitment to go for a coordinated release. 
They say they will keep us updated.\r\n2015-05-07: Core Security reminds SAP that the proposed fix is due to be released the following week and that Core would like to resume communications in order to publish its findings in a coordinated manner.\r\n2015-05-07: SAP informs Core that it is on track to release the security notes as part of its May patch day (May 12th, 2015).\r\n2015-05-11: Core Security asks SAP for the specific time at which it plans to publish its security notes and requests a tentative link so it can be included in Core's advisory. Additionally, Core sends SAP a tentative fix for the source code that it plans to include in its advisory, for review, and a list of tools that used the vulnerable code so SAP can contact their owners and inform them of the fix.\r\n2015-05-12: SAP states that it published 4 security notes regarding the reported issues. SAP requests that Core wait 3 months before publishing its findings and that Core send SAP the advisory before it is published.\r\n2015-05-12: Core Security requests that SAP fix the external ID (Core's ID) it used and offers Core's publication link. Additionally, Core explains that it is its policy to release its findings the same day the vendor does. Core also reminds SAP that it is still waiting for a reply to its previous email.\r\n2015-05-12: Advisory CORE-2015-0009 published.\r\n\r\n\r\n9. References\r\n\r\n[1] http://en.wikipedia.org/wiki/LZ77_and_LZ78. \r\n[2] ftp://ftp.sap.com/pub/maxdb/current/7.6.00/. \r\n[3] http://conus.info/utils/SAP_pkt_decompr.txt. \r\n[4] https://github.com/sensepost/SAPProx. \r\n[5] https://github.com/sensepost/SapCap. \r\n[6] http://blog.ptsecurity.com/2011/10/sap-diag-decompress-plugin-for.html. \r\n[7] https://github.com/CoreSecurity/pysap. \r\n[8] https://github.com/CoreSecurity/SAP-Dissection-plug-in-for-Wireshark. \r\n[9] https://github.com/daberlin/sap-reposrc-decompressor. \r\n[10] https://labs.mwrinfosecurity.com/tools/sap-decom/. 
\r\n[11] http://www.oxid.it/cain.html. \r\n[12] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa106cslzc_8cpp-source.html. \r\n[13] http://maxdb-7.5.00.sourcearchive.com/documentation/7.5.00.44-2/vpa108csulzh_8cpp-source.html. \r\n[14] http://radare.org/y/. \r\n[15] https://service.sap.com/securitynotes. \r\n\r\n\r\n10. About CoreLabs\r\n\r\nCoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.\r\n\r\n\r\n11. About Core Security\r\n\r\nCore Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.\r\n\r\n\r\n12. 
Disclaimer\r\n\r\nThe contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n\r\n13. PGP/GPG Keys\r\n\r\nThis advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2015-05-17T00:00:00", "title": "[CORE-2015-0009] - SAP LZC/LZH Compression Multiple Vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-2278", "CVE-2015-2282"], "modified": "2015-05-17T00:00:00", "id": "SECURITYVULNS:DOC:32126", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32126", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}