[ERPSCAN-12-024] SAP Netweaver CCMS – XML Entity Expansion DOS

DSECRG Advisories

Application: SAP NetWeaver
Vendor URL: http://sap.com
Bugs: DOS
Risk: High
Exploits: YES
Reported: 13.05.2011
Vendor response: 15.05.2011
Patched: 13.11.2011
Date of Public Advisory: 13.03.2012
Reference: SAP Security Note 1594475
Author: Alexey Tyurin (ERPScan)

SAP Netweaver – XML Entity Expansion
It is possible to cause memory corruption via an XML request that carries a specified DTD. The XML entity expansion attack exploits a capability of XML DTDs that allows the creation of custom macros, called entities, which can be used throughout a document. By recursively defining a set of custom entities at the top of a document, an attacker can overwhelm parsers that attempt to completely resolve the entities, forcing them to iterate almost indefinitely on these recursive definitions. The malicious XML message forces recursive entity expansion that completely uses up the available server resources.
In the common case disp+work.exe (on the Windows version) will be restarted. If such XML requests are sent regularly, the result is a denial of service.
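As an added defensive example (not code from the advisory or from SAP), the following Python check reads a document's DTD with expat without ever expanding the entities, and rejects the document when the declared entities would expand beyond a threshold or are defined cyclically. The function names, the threshold and the sample documents are constructed for this illustration and are not SAP settings.

```python
import re
import xml.parsers.expat

MAX_EXPANSION = 10_000  # example threshold in characters, not an SAP setting
_REF = re.compile(r"&([A-Za-z_][\w.-]*);")

def expansion_sizes(entities):
    """Expanded length of each internal entity (name -> raw replacement text),
    computed from the declarations alone; ValueError on a cyclic definition."""
    memo = {}
    def size(name, stack):
        if name in memo:
            return memo[name]
        if name in stack:
            raise ValueError(f"recursive entity {name!r}")
        text = entities.get(name, "")  # undeclared or predefined: count as 0
        total = len(_REF.sub("", text))
        for ref in _REF.findall(text):
            total += size(ref, stack | {name})
        memo[name] = total
        return total
    return {n: size(n, frozenset()) for n in entities}

def check_document(xml_bytes, limit=MAX_EXPANSION):
    """Return (accepted, reason). Setting DefaultHandler turns off expat's
    internal-entity expansion; SkippedEntityHandler then sees each reference."""
    entities, body_refs = {}, []
    parser = xml.parsers.expat.ParserCreate()
    parser.DefaultHandler = lambda data: None
    parser.SkippedEntityHandler = lambda name, is_pe: body_refs.append(name)
    def on_entity(name, is_pe, value, base, system_id, public_id, notation):
        if value is not None and not is_pe:  # internal general entity only
            entities[name] = value
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
        sizes = expansion_sizes(entities)
    except (xml.parsers.expat.ExpatError, ValueError) as exc:
        return False, str(exc)
    total = sum(sizes.get(ref, 0) for ref in body_refs)
    if total > limit:
        return False, f"entity expansion of {total} chars exceeds limit {limit}"
    return True, f"entity expansion of {total} chars"

# Constructed samples: three levels of three-fold nesting (2 * 3 * 3 = 18
# characters when expanded) and a cyclic pair that never terminates.
NESTED_DOC = (b'<!DOCTYPE m [<!ENTITY e1 "ha"><!ENTITY e2 "&e1;&e1;&e1;">'
              b'<!ENTITY e3 "&e2;&e2;&e2;">]><m>&e3;</m>')
CYCLIC_DOC = b'<!DOCTYPE m [<!ENTITY e1 "&e2;"><!ENTITY e2 "&e1;">]><m>&e1;</m>'
```

The check runs before the document is handed to the real parser, so a request whose entity tree would blow up is dropped without the parser ever doing the expansion work.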

Business Risk
A remote attacker or insider can send a malicious packet to the SAP NetWeaver server over the Internet or from inside the company and conduct a denial of service attack through memory corruption. This stops the server and all business processes running on it, which can lead to monetary and reputational loss. The attacker needs valid user credentials with any rights to conduct this attack; default accounts with known passwords can also be used.