Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

SAP Security Notes May 2015

From: Darya Maenkova <d.maenkova () erpscan com>
Date: Thu, 21 May 2015 17:13:38 +0300
SAP <http://www.sap.com/>has released the monthly critical patch update for May 2015. This patch update closes a lot of vulnerabilities in SAP products, some of them belong in the SAP HANA security area. This month, three critical vulnerabilities found by ERPScan researchers Dmitry Chastukhin and Vahagn Vardanyan were closed. 

*Issues that were patched with the help of ERPScan*
The detailed list of corrected vulnerabilities that were found byERPScan <http://www.erpscan.com/>researchers is below. 

 * A Buffer Overflow vulnerability in SAP Afaria Server (CVSS Base
   Score:7.8). Update is available in SAP Security Note2153690
   <https://service.sap.com/sap/support/notes/2153690>. An attacker can
   use Buffer Overflow to inject specially crafted code into working
   memory. The code will be executed by the vulnerable application
   under the same privileges that the application has. This can lead to
   the attacker taking complete control over the application, denial of
   service, command execution, and other attacks. In case of command
   execution, the attacker can obtain critical technical and
   business-related information stored in the vulnerable SAP system or
   escalate their privileges. As for denial of service, it can
   terminate the process of a vulnerable component. Nobody will be able
   to use this service, which has a negative impact on business
   processes, system downtime, and business reputation.

 * A Missing Authorization Check vulnerability in SAP Afaria (CVSS Base
   Score:7.1). Update is available in SAP Security Note2155690
   <https://service.sap.com/sap/support/notes/2155690>. An attacker can
   use Missing Authorization Checks to access a service without any
   authorization procedures and use the service functionality that has
   restricted access. This can lead to information disclosure,
   privilege escalation, and other attacks.

 * An XML eXternal Entity vulnerability in SAP System Landscape
   Directory (CVSS Base Score:4.9). Update is available in SAP Security
   Note2090851 <https://service.sap.com/sap/support/notes/2090851>. An
   attacker can use XML eXternal Entities to send specially crafted
   unauthorized XML requests, which will be processed by the XML
   parser. The attacker will get unauthorized access to the OS file system.

*The most critical issues found by other researchers*
Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities to patch them first. Companies providing SAP Security Audit, SAP Security Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes: 

 * 2152278 <https://service.sap.com/sap/support/notes/2152278>: SAP ASE
   Database Platform has an SQL Injection vulnerability (CVSS Base
   Score:8.5). An attacker can use SQL Injection with the help of
   specially crafted SQL queries. They can read and modify sensitive
   information from a database, execute administration operations on a
   database, destroy data or make it unavailable. In some cases, the
   attacker can access system data or execute OS commands. It is
   recommended to install this SAP Security Note to prevent risks.

 * 2121661 <https://service.sap.com/sap/support/notes/2121661>: SAP
   ABAP & Java Server has a Running Process Remote Termination
   vulnerability (CVSS Base Score:8.3). An attacker can use this
   vulnerability to terminate the process of a vulnerable component.
   Nobody will be able to use this service, which has a negative impact
   on business processes, system downtime, and business reputation. It
   is recommended to install this SAP Security Note to prevent risks.

 * 2127995 <https://service.sap.com/sap/support/notes/2127995>: SAP
   Content Server has a Running Process Remote Termination
   vulnerability (CVSS Base Score:8.3). An attacker can use this
   vulnerability to terminate SAP Content Server. Nobody will be able
   to use this service, which has a negative impact on business
   processes, system downtime, and business reputation. It is
   recommended to install this SAP Security Note to prevent risks.

 * 2153892 <https://service.sap.com/sap/support/notes/2153892>: SAP
   HANA Web-based Development Workbench has an SQL Injection
   vulnerability (CVSS Base Score:6.0). An attacker can use SQL
   Injections with the help of specially crafted SQL queries. They can
   read and modify sensitive information from a database, execute
   administration operations in a database, destroy data or make it
   unavailable. In some cases, the attacker can access system data or
   execute OS commands. It is recommended to install this SAP Security
   Note to prevent risks.

*Remote code execution in SAP applications*
Information security researchers have found many vulnerabilities in LZC/LZH algorithm, using which attackers can execute remote code on client and server hosts.
Many server and client SAP applications use the vulnerable compression algorithm LZC/LZH: 

 * SAP NetWeaver Application Server ABAP
 * SAP NetWeaver Application Server Java
 * SAP NetWeaver RFC SDK
 * SAP RFC SDK
 * SAP GUI
 * SAP MaxDB database
 * SAPCAR archive tool

They are also used in the following protocols:

 * Diag
 * RFC
 * MaxDB

Let’s look at the found vulnerabilities in detail.
*1. Stack-based overflow vulnerability CVE-2015-2282 in compression algorithm LZC* 

Vulnerable application code:

|/[..]/
int CsObjectInt::CsDecomprLZC (SAP_BYTE * inbuf,
SAP_INT inlen,
SAP_BYTE * outbuf,
SAP_INT outlen,
SAP_INT option,
SAP_INT * bytes_read,
SAP_INT * bytes_written)
[..]
/* Generate output characters in reverse order ...................*/
while (code >= 256)
{
*stackp++ = TAB_SUFFIXOF(code);
overflow
code = TAB_PREFIXOF(code);
}
[..]|
Note that the variable "code" contains an attacker-controlled value, which results in a stack overflow if the value is greater than 256 and the value of the code in the prefix table is also greater than 256. It's possible to fill the stack with arbitrary values by controlling the values stored in the prefix and suffix tables. 

*2. Vulnerability CVE-2015-2278 in compression algorithm LZH*
Using this vulnerability, an attacker can read data stored outside the buffer using special package data. 

Vulnerable code:

|/[..]/
int CsObjectInt::BuildHufTree (
unsigned * b, /* code lengths in bits (all assumed <= BMAX) */
unsigned n, /* number of codes (assumed <= N_MAX) */
unsigned s, /* number of simple-valued codes (0..s-1) */
int * d, /* list of base values for non-simple codes */
int * e, /* list of extra bits for non-simple codes */
HUFTREE **t, /* result: starting table */
int * m) /* maximum lookup bits, returns actual */
[..]
if (p >= v + n)
{
r.e = INVALIDCODE; /* out of values--invalid code */
}
else if (*p < s)
{ /* 256 is end-of-block code */
r.e = (unsigned char)(*p < 256 ? LITCODE : EOBCODE);
r.v.n = (unsigned short) *p; /* simple code is just the value*/
p++;
}
else
{
r.e = (unsigned char) e[*p - s]; /*non-simple,look up in lists*/
r.v.n = (unsigned short) d[*p - s];
p++;
}
[..]|
As you can see, arrays 'e' and 'd' are indexed by the values of "* p - s". As the value of variables 'p' and 's' are under the attacker’s control, they also control the values of arrays 'e' and 'd'. 

*Attack scenarios*
As the vulnerability affects a large number of SAP products, there are multiple attack vectors depending on how the vulnerable code is used in an SAP program. 

Examples of vectors:

 * Attack on a server component: SAP NetWeaver services Gateway and
   Dispatcher process compressed data. An attacker can forge requests,
   create a special attack package, and exploit a Remote Code Execution
   vulnerability on the server.

 * Attack on a client component: the attacker can create a special .CAR
   or .SAR package, send it to a client, and when they try to unarchive
   it, the attacker’s commands will be executed on the client's host.

 * MitM attack. As most of the services affected by these issues are
   not encrypted by default, an attacker might be able to perform a
   man-in-the-middle attack and trigger the vulnerabilities by
   injecting malicious packets within the communication.

*Remediation*
SAP customers can implement security notes 2124806, 2121661, 2127995, 2125316 at the company's support portal.
SAP has traditionally issued acknowledgments to the security researchers on theirwebsite <http://scn.sap.com/docs/DOC-8218>. 

--

Darya Maenkova

PR manager
<https://www.linkedin.com/company/2217474?trk=ppro_cprof> <https://twitter.com/erpscan> 

<http://erpscan.com/>

------------------------------------------------------------------------

e-mail: d.maenkova () erpscan com <mailto:d.maenkova () erpscan com>

address: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301

phone: 650.798.5255

erpscan.com <http://erpscan.com>


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: