[ERPSCAN-16-030] SAP NetWeaver – buffer overflow vulnerability

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver 7.0-7.5
Vendor URL: SAP
Bugs: buffer overflow
Reported: 09.03.2016
Vendor response: 10.03.2016
Date of Public Advisory: 12.07.2016
Reference: SAP Security Note 2295238
Author: Dmitry Yudin (ERPScan)

VULNERABILITY INFORMATION

Class: Denial of Service
Impact: DoS
Remotely Exploitable: Yes
Locally Exploitable: Yes

CVSS Information

CVSS Base Score v3: 6.5 / 10
CVSS Base Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality None (N)
I: Impact to Integrity Low (L)
A: Impact to Availability Low (L)

Description

An unauthenticated attacker who can reach the port on which the sapstartsrv process listens can send a specially crafted request that drives the service into unbounded recursion. The recursion exhausts the process stack (a stack overflow), and the service on the SAP server crashes.
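To make the bug class in the description concrete, the following is an added Python illustration written for this page; it is not sapstartsrv code, and the real request format is not described in the advisory, so a nested-bracket message stands in for the attacker-controlled input and the depth limit MAX_DEPTH is an assumed value. The unbounded parser makes one recursive call per nesting level, so a deep enough message exhausts the stack (Python raises RecursionError where a native service would overflow its stack and die); the bounded variant carries the current depth and rejects the message before that can happen.

```python
# Added illustration of stack exhaustion through unbounded recursion.
# Not sapstartsrv code: the message format and MAX_DEPTH are assumptions.

MAX_DEPTH = 64  # assumed cap; a real service picks a value above legitimate nesting


class NestingTooDeep(ValueError):
    """Raised by the hardened parser instead of exhausting the stack."""


def parse_unbounded(msg: str, pos: int = 0) -> tuple:
    """Vulnerable pattern: one recursive call per '(' with no depth check.

    Returns (nesting_depth, next_pos). A message nested deeper than the
    available stack exhausts it; here that is RecursionError, in a native
    service it is a stack overflow that terminates the process.
    """
    depth = 0
    while pos < len(msg):
        ch = msg[pos]
        if ch == "(":
            inner, pos = parse_unbounded(msg, pos + 1)
            depth = max(depth, inner + 1)
        elif ch == ")":
            return depth, pos + 1
        else:
            pos += 1
    return depth, pos


def parse_bounded(msg: str, pos: int = 0, depth: int = 0,
                  max_depth: int = MAX_DEPTH) -> tuple:
    """Hardened variant: tracks the current depth and fails closed.

    Same grammar and return value as parse_unbounded, but the check runs
    before each descent, so attacker-controlled nesting cannot push the
    recursion past max_depth frames.
    """
    if depth > max_depth:
        raise NestingTooDeep(f"nesting deeper than {max_depth}")
    best = 0
    while pos < len(msg):
        ch = msg[pos]
        if ch == "(":
            inner, pos = parse_bounded(msg, pos + 1, depth + 1, max_depth)
            best = max(best, inner + 1)
        elif ch == ")":
            return best, pos + 1
        else:
            pos += 1
    return best, pos


def handle_request(msg: str, hardened: bool) -> str:
    """Stand-in for a service request handler; reports the outcome as a string.

    In a real daemon the 'crashed' branch never runs: the stack overflow
    kills the process, which is exactly the denial of service.
    """
    parser = parse_bounded if hardened else parse_unbounded
    try:
        depth, _ = parser(msg)
        return f"ok depth={depth}"
    except NestingTooDeep:
        return "rejected"
    except RecursionError:
        return "crashed"


# Constructed sample messages (not captured traffic).
BENIGN_MSG = "(a(b)c)"                       # nesting depth 2
HOSTILE_MSG = "(" * 100_000 + ")" * 100_000  # nesting depth 100000

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN_MSG), ("hostile", HOSTILE_MSG)):
        print(f"{label:8} unbounded: {handle_request(msg, hardened=False)}")
        print(f"{label:8} bounded:   {handle_request(msg, hardened=True)}")
```

The point of the hardened version is that the limit is checked on the way down, before the next frame is pushed, so the cost of rejecting a hostile message is bounded by max_depth regardless of how deep the attacker nests the input.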

Business risk

In general, a buffer overflow lets an attacker place specially crafted data into the working memory of a vulnerable application so that it is executed with the privileges of the service that processes the request. Depending on the flaw, this can lead to complete control of the application, denial of service, command execution, and other attacks. With command execution, an attacker can obtain critical technical and business-related information stored in the vulnerable SAP system or use the foothold for privilege escalation. With denial of service, the process of the vulnerable component can be terminated; until it is restarted, nobody can use the service, and the resulting downtime disrupts business processes and damages business reputation. The impact classified in this advisory is denial of service: the sapstartsrv process is crashed by an unauthenticated request from the network.

VULNERABLE PACKAGES

SAP KERNEL 7.21 32-BIT
SAP KERNEL 7.21 32-BIT UNICODE
SAP KERNEL 7.21 64-BIT
SAP KERNEL 7.21 64-BIT UNICODE
SAP KERNEL 7.21 EXT 32-BIT
SAP KERNEL 7.21 EXT 32-BIT UC
SAP KERNEL 7.21 EXT 64-BIT
SAP KERNEL 7.21 EXT 64-BIT UC
SAP KERNEL 7.22 64-BIT
SAP KERNEL 7.22 64-BIT UNICODE
SAP KERNEL 7.22 EXT 64-BIT
SAP KERNEL 7.22 EXT 64-BIT UC
SAP KERNEL 7.42 64-BIT
SAP KERNEL 7.42 64-BIT UNICODE
SAP KERNEL 7.45 64-BIT
SAP KERNEL 7.45 64-BIT UNICODE

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2295238.

TECHNICAL DESCRIPTION

Proof of Concept