[ERPSCAN-11-029] SAP NetWeaver SOAP RFC – Denial of Service / Integer overflow

DSECRG Advisories

Application: SAP NetWeaver Kernel
Versions Affected: Kernel 4.6 – 7.2
Vendor URL: http://www.sap.com
Bugs: XML Attribute Blow-up attack
Exploits: YES
Reported: 09.12.2010
Vendor response: 10.12.2010
Date of Public Advisory: 20.07.2011
Author: Alexey Sintsov

An integer overflow condition can be triggered via a SOAP-RFC request. In the common case, disp+work.exe (on the Windows version) will be restarted. If such SOAP requests are sent regularly, the result is a Denial of Service. Code execution is not possible.

Business Risk
A remote attacker or insider can send a malicious packet to the SAP NetWeaver server, over the internet or from inside the company, and conduct a denial of service attack by memory corruption. This will stop the server and all business processes running on it, which can lead to monetary and reputational loss. The attacker needs valid user credentials, with any rights, to conduct this attack. He can also use default credentials with known passwords.