[ERPSCAN-12-022] SAP Netweaver – XML Entity Expansion DOS
Application: SAP NetWeaver
Vendor URL: http://sap.com
Vendor response: 10.04.2011
Date of Public Advisory: 13.03.2012
Reference: SAP Security Note 1594475
Author: Alexey Tyurin (ERPScan)
SAP Netweaver – XML Entity Expansion
A specially crafted XML request that carries its own DTD can exhaust the memory of the SAP NetWeaver process that parses it. The XML entity expansion attack abuses a feature of XML DTDs: a document may declare custom macros, called entities, and reference them anywhere in the document. By declaring a chain of nested entities at the top of a document, each of which references the previous one many times, an attacker makes a parser that fully resolves every reference expand a few kilobytes of input into gigabytes of output. The malicious XML message therefore forces an entity expansion that consumes all available server resources. In the common case the work process (disp+work.exe on Windows) crashes and is restarted; if such requests are sent repeatedly, the result is a sustained denial of service.
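The expansion mechanism described above, together with a pre-parse check that a service can run before handing a request to its XML parser, as an added example. This is constructed for this page; it is not ERPScan's proof of concept and not SAP code. The entity names, the `bomb` element, the fan-out of 10 and the size limits are arbitrary choices, and the check assumes a simple document shape in which the internal DTD subset ends at the first `]>`.

```python
import re
import xml.etree.ElementTree as ET

# Names XML predefines; each expands to a single character.
PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}
ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
REF_RE = re.compile(r"&(\w+);")


def build_entity_bomb(depth: int, fanout: int = 10, base: str = "lol") -> str:
    """Constructed sample payload (not the original proof of concept): a chain
    of nested general entities. Level i references level i-1 `fanout` times,
    so one &lol{depth}; in the body resolves to len(base) * fanout**depth
    characters while the request itself stays a few kilobytes."""
    decls = [f'<!ENTITY lol0 "{base}">']
    for i in range(1, depth + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    dtd = "\n".join(decls)
    return (
        '<?xml version="1.0"?>\n'
        f"<!DOCTYPE bomb [\n{dtd}\n]>\n"
        f"<bomb>&lol{depth};</bomb>"
    )


def expanded_size(xml_text: str, limit: int) -> int:
    """Number of characters the document body occupies once every internal
    entity reference is resolved. Entity sizes are memoised, so the check
    costs time linear in the DTD even when the expansion itself would be
    exponential. Raises ValueError as soon as the total would exceed
    `limit`, on an undeclared entity, or on a recursive definition.
    Simplification: the internal subset is assumed to end at the first ]>."""
    head, sep, body = xml_text.partition("]>")
    if not sep:                      # no internal DTD subset: nothing can expand
        head, body = "", xml_text
    entities = dict(ENTITY_RE.findall(head))
    sizes: dict = {}
    active: set = set()

    def size_of(text: str) -> int:
        total, pos = 0, 0
        for m in REF_RE.finditer(text):
            total += m.start() - pos          # literal text before the reference
            pos = m.end()
            name = m.group(1)
            if name in PREDEFINED:
                total += 1
            elif name in entities:
                total += entity_size(name)
            else:
                raise ValueError(f"undeclared entity &{name};")
            if total > limit:
                raise ValueError(f"expansion exceeds {limit} characters")
        return total + len(text) - pos        # trailing literal text

    def entity_size(name: str) -> int:
        if name in sizes:
            return sizes[name]
        if name in active:                    # XML forbids this; a parser may loop
            raise ValueError(f"recursive entity &{name};")
        active.add(name)
        sizes[name] = size_of(entities[name])
        active.discard(name)
        return sizes[name]

    return size_of(body)


def is_safe(xml_text: str, limit: int = 1_000_000) -> bool:
    """True if the document can be fully expanded within `limit` characters."""
    try:
        expanded_size(xml_text, limit)
        return True
    except ValueError:
        return False


def parse_guarded(xml_text: str, limit: int = 1_000_000) -> ET.Element:
    """Run the pre-check, then hand the document to the real parser."""
    expanded_size(xml_text, limit)   # raises before any expansion takes place
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    small = build_entity_bomb(3)                       # 3 * 10**3 characters
    print(len(parse_guarded(small).text))
    print(is_safe(build_entity_bomb(9), 10_000_000))   # ~3 GB: rejected instantly
```

The size check is the point: it rejects the depth-9 document in microseconds, whereas a parser that resolves the references first has to allocate roughly 3 GB before it can notice anything, which is the failure the advisory describes for disp+work.exe. Recent libexpat (2.4.1 and later, as bundled with current CPython) caps entity amplification on its own once output passes 8 MiB; the pre-check is for parsers without such a limit, or for rejecting the request at a front end before it reaches them.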
A remote attacker or an insider can send the malicious request to the SAP NetWeaver server over the Internet or from inside the company network and cause a denial of service through memory exhaustion. This stops the server and every business process running on it, which can lead to monetary and reputational loss. The attacker needs valid user credentials with any level of privilege to conduct the attack; default accounts with well-known passwords also suffice.