[ERPSCAN-16-029] SAP NetWeaver AS JAVA – deserialization of untrusted user value
Application: SAP NetWeaver AS JAVA
Versions Affected: SAP NetWeaver 7.5
Vendor URL: SAP
Bugs: Denial of Service
Vendor response: 23.04.2016
Date of Public Advisory: 12.07.2016
Reference: SAP Security Note 2315788
Author: Mathieu Geli (ERPScan)
Class: Denial of Service
Remotely Exploitable: Yes
Locally Exploitable: No
CVSS Base Score v3: 4.9 / 10
CVSS Base Vector:

| Metric | Value |
|---|---|
| AV: Attack Vector (related exploit range) | Network (N) |
| AC: Attack Complexity (required attack complexity) | Low (L) |
| PR: Privileges Required (level of privileges needed to exploit) | High (H) |
| UI: User Interaction (required user participation) | None (N) |
| S: Scope (change in scope due to impact caused to components beyond the vulnerable component) | Unchanged (U) |
| C: Impact to Confidentiality | None (N) |
| I: Impact to Integrity | None (N) |
| A: Impact to Availability | High (H) |
An attacker can use a specially crafted HTTP request to force the server to deserialize malicious objects, which results in a denial of service.
An attacker can use a denial-of-service vulnerability to terminate a process of the vulnerable component. While the process is down, nobody can use the service; the resulting downtime disrupts business processes and, as a consequence, damages business reputation.
Vulnerable component: SAP EP-RUNTIME.
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2315788.
Proof of Concept
The malicious serialized object is attached to this bug entry as ‘serial.cc3’. It was generated with the ysoserial framework; if the commons-collections jar were on the server's CLASSPATH, this would give direct RCE.
For now, only DoS payloads can be sent, which trigger an OutOfMemory exception on 7.5. The payload for that is attached as ‘serial.mem’.
curl -v -XPOST --user 'user:password' http://172.16.30.29:50000/com.sap.portal.fpn.enterpriseservicesweb.mod//TrustManagementServlet --data-binary @serial.cc3
This request will trigger a series of exceptions in the server's log.
The DoS payload renders the server unstable for several minutes, with the following exception:
server process shutting down with exit code  memory allocation error [OutOfMemoryError] java.lang.OutOfMemoryError: Requested array size exceeds VM limit (failed to allocate 8589934576 bytes) (array length 2147483639)
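The exception above is the JVM honouring a huge array-length field read straight from the untrusted stream. As an added illustration of the mitigation side (this is not code from the advisory, from SAP, or from ysoserial), the Java 9+ ObjectInputFilter below caps array length and allowlists classes, so a stream is rejected before any allocation happens. The class and method names (SafeDeserialize, readUntrusted, serialize) are my own, and the 100,000-element array is a constructed stand-in for the 2147483639-element request seen in the log; the cap of 1000 is deliberately small so the rejection is visible on a laptop.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class SafeDeserialize {
    // Limits are checked before the JVM allocates: an array longer than
    // maxarray elements is rejected when its length field is read.
    // "!*" rejects every class not listed; primitive arrays such as int[]
    // are unwrapped to their component type by the filter and stay allowed,
    // so only the length cap applies to them.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxarray=1000;maxdepth=10;java.util.ArrayList;java.lang.String;!*");

    // Deserialize bytes received from an untrusted client under FILTER.
    static Object readUntrusted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject(); // throws InvalidClassException("filter status: REJECTED")
        }
    }

    // Helper used only to construct sample streams for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected input: allowed class, small array -> accepted.
        System.out.println("benign list:  " + readUntrusted(serialize(new ArrayList<>(List.of("a", "b")))));
        System.out.println("small array:  " + ((int[]) readUntrusted(serialize(new int[10]))).length);

        // Constructed oversized array, standing in for the advisory's OOM payload.
        try { readUntrusted(serialize(new int[100_000])); }
        catch (InvalidClassException e) { System.out.println("big array:    " + e.getMessage()); }

        // A class outside the allowlist (a gadget chain's entry point would land here).
        try { readUntrusted(serialize(new HashMap<String, String>())); }
        catch (InvalidClassException e) { System.out.println("other class:  " + e.getMessage()); }
    }
}
```

On JDK 8u121 the same filter API lives in sun.misc.ObjectInputFilter and is applied via the jdk.serialFilter system property rather than setObjectInputFilter; the pattern syntax is identical.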