[ERPSCAN-17-015] SAP NetWeaver disp+work anonymous denial of service

Application: SAP NetWeaver
Versions Affected: SAP KERNEL 7.40 64BIT, disp+work.exe (7400.12.21.30308)
Vendor URL: SAP
Bugs: DoS
Reported: 13.12.2016
Vendor response: 14.12.2016
Date of Public Advisory: 14.03.2017
Reference: SAP Security Note 2405918
Author: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: DoS
Impact: Denial of Service
Remotely Exploitable: yes
Locally Exploitable: yes
CVE: CVE-2017-9845

CVSS Information

CVSS Base Score v3: 7.5 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality None (N)
I: Impact to Integrity None (N)
A: Impact to Availability High (H)

Description

Sending a crafted DIAG request to the disp+work process port causes the server to consume all available resources.

Business risk

An attacker can use a Denial of Service vulnerability to terminate the process of a vulnerable component. While the process is down, nobody can use the service; this negatively affects business processes and results in system downtime and damage to business reputation.

VULNERABLE PACKAGES

SAP KERNEL 7.40 64BIT, disp+work.exe (7400.12.21.30308)

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2405918.

TECHNICAL DESCRIPTION

The vulnerability occurs in the disp+work.exe process, in the dynpen00 function (dynpen00+0x12e5).

The vulnerable code segment

windbg log

Windows event log

Proof of Concept

netcat SAP_SERVER 3200 < poc.bin