
[ERPSCAN-16-029] SAP NetWeaver AS JAVA – deserialization of untrusted user value

Application: SAP NetWeaver AS JAVA
Versions Affected: SAP NetWeaver 7.5
Vendor URL: SAP
Bugs: Denial of Service
Reported: 22.04.2016
Vendor response: 23.04.2016
Date of Public Advisory: 12.07.2016
Reference: SAP Security Note 2315788
Author: Mathieu Geli (ERPScan)

VULNERABILITY INFORMATION

Class: Denial of Service
Impact: DoS
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS Base Score v3: 4.9 / 10
CVSS Base Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

AV: Attack Vector (related exploit range): Network (N)
AC: Attack Complexity (required attack complexity): Low (L)
PR: Privileges Required (level of privileges needed to exploit): High (H)
UI: User Interaction (required user participation): None (N)
S: Scope (change in scope due to impact on components beyond the vulnerable component): Unchanged (U)
C: Impact to Confidentiality: None (N)
I: Impact to Integrity: None (N)
A: Impact to Availability: High (H)

Description

An attacker can send a specially crafted HTTP request that forces the server to deserialize a malicious object, which results in a denial of service.

Business risk

An attacker can use a denial-of-service vulnerability to terminate a process of the vulnerable component. While the process is down, nobody can use the service; this disrupts business processes, causes system downtime and, as a result, damages business reputation.

VULNERABLE PACKAGES

SAP EP-RUNTIME component.

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2315788.

TECHNICAL DESCRIPTION

Proof of Concept

The malicious object is attached to this bug entry as 'serial.cc3'. It was generated with the ysoserial framework; if the commons.collections jar were on the CLASSPATH, this would give direct RCE.

At present we can only send DoS payloads that trigger an OutOfMemory exception on 7.5. The payload for that is attached as 'serial.mem'.

This request will trigger a series of exceptions in the server's log.

The DoS payload renders the server unstable for some minutes, with the following exception:

server process shutting down with exit code [666] memory allocation error [OutOfMemoryError] java.lang.OutOfMemoryError: Requested array size exceeds VM limit (failed to allocate 8589934576 bytes) (array length 2147483639)
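The log line above shows the server dying while allocating an array whose declared length it read straight from the untrusted stream. As an added example (not ERPScan's or SAP's code, and not the content of the security note), the following shows the generic mitigation for this bug class on Java 9+: a JEP 290 ObjectInputFilter that rejects an int[] declaring the 2147483639 length from the log before any allocation, and denies every class not explicitly allowed so a commons-collections style gadget chain cannot be reached. The sample streams are constructed inline and the limits (maxarray=1000, maxdepth=3) are illustrative assumptions.

```java
import java.io.*;
// Added example, not ERPScan's or SAP's code: a JEP 290 deserialization filter (Java 9+)
// rejects the advisory's oversized-array DoS before allocation and, by denying every class
// not explicitly allowed, also blocks gadget chains like ysoserial's commons-collections one.
public class SafeDeserialize {
    // Constructed sample: a stream for an int[] whose length field claims 2147483639
    // elements (the value in the advisory's log) but carries no element data.
    static byte[] oversizedArrayStream() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeShort(ObjectStreamConstants.STREAM_MAGIC);
        out.writeShort(ObjectStreamConstants.STREAM_VERSION);
        out.writeByte(ObjectStreamConstants.TC_ARRAY);
        out.writeByte(ObjectStreamConstants.TC_CLASSDESC);
        out.writeUTF("[I");                                   // int[] class name
        out.writeLong(ObjectStreamClass.lookup(int[].class).getSerialVersionUID());
        out.writeByte(ObjectStreamConstants.SC_SERIALIZABLE);
        out.writeShort(0);                                    // no serializable fields
        out.writeByte(ObjectStreamConstants.TC_ENDBLOCKDATA);
        out.writeByte(ObjectStreamConstants.TC_NULL);         // no superclass descriptor
        out.writeInt(2147483639);                             // claimed array length
        return bos.toByteArray();
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    // Deny-by-default filter: arrays capped at 1000 elements, nesting at depth 3, and no
    // non-primitive class accepted ("!*"); primitive arrays pass the class check as UNDECIDED.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter f = ObjectInputFilter.Config.createFilter("maxarray=1000;maxdepth=3;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(f);   // must be installed before readObject()
            return in.readObject();
        }
    }
    static void check(String label, byte[] data) throws IOException, ClassNotFoundException {
        try {
            System.out.println(label + ": accepted " + readFiltered(data).getClass().getName());
        } catch (InvalidClassException e) {   // filter REJECTED, raised before any allocation
            System.out.println(label + ": rejected (" + e.getMessage() + ")");
        }
    }
    public static void main(String[] args) throws Exception {
        check("int[3]", serialize(new int[] {1, 2, 3}));
        check("oversized int[]", oversizedArrayStream());
        check("HashMap", serialize(new java.util.HashMap<String, String>()));
    }
}
```

Without the filter, readObject() on the oversized stream attempts the allocation and the JVM fails with java.lang.OutOfMemoryError as in the log above; with it, the length is checked when it is read and the request is refused with InvalidClassException.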