Home / vulnerabilitiesPDF  

SAP ERPScan XXE Injection / XSS / Missing Authorization

Posted on 23 May 2015
Source : packetstormsecurity.org Link

 

SAP <http://www.sap.com/>has released the monthly critical patch update
for May 2015. This patch update closes a lot of vulnerabilities in SAP
products, some of them belong in the SAP HANA security area. This month,
three critical vulnerabilities found by ERPScan researchers Dmitry
Chastukhin and Vahagn Vardanyan were closed.

*Issues that were patched with the help of ERPScan*

The detailed list of corrected vulnerabilities that were found byERPScan
<http://www.erpscan.com/>researchers is below.

* A Buffer Overflow vulnerability in SAP Afaria Server (CVSS Base
Score:7.8). Update is available in SAP Security Note2153690
<https://service.sap.com/sap/support/notes/2153690>. An attacker can
use Buffer Overflow to inject specially crafted code into working
memory. The code will be executed by the vulnerable application
under the same privileges that the application has. This can lead to
the attacker taking complete control over the application, denial of
service, command execution, and other attacks. In case of command
execution, the attacker can obtain critical technical and
business-related information stored in the vulnerable SAP system or
escalate their privileges. As for denial of service, it can
terminate the process of a vulnerable component. Nobody will be able
to use this service, which has a negative impact on business
processes, system downtime, and business reputation.

* A Missing Authorization Check vulnerability in SAP Afaria (CVSS Base
Score:7.1). Update is available in SAP Security Note2155690
<https://service.sap.com/sap/support/notes/2155690>. An attacker can
use Missing Authorization Checks to access a service without any
authorization procedures and use the service functionality that has
restricted access. This can lead to information disclosure,
privilege escalation, and other attacks.

* An XML eXternal Entity vulnerability in SAP System Landscape
Directory (CVSS Base Score:4.9). Update is available in SAP Security
Note2090851 <https://service.sap.com/sap/support/notes/2090851>. An
attacker can use XML eXternal Entities to send specially crafted
unauthorized XML requests, which will be processed by the XML
parser. The attacker will get unauthorized access to the OS file system.

*The most critical issues found by other researchers*

Some of our readers and clients asked us to categorize the most critical
SAP vulnerabilities to patch them first. Companies providing SAP
Security Audit, SAP Security Assessment, or SAP Penetration Testing
services can include these vulnerabilities in their checklists. The most
critical vulnerabilities of this update can be patched by the following
SAP Security Notes:

* 2152278 <https://service.sap.com/sap/support/notes/2152278>: SAP ASE
Database Platform has an SQL Injection vulnerability (CVSS Base
Score:8.5). An attacker can use SQL Injection with the help of
specially crafted SQL queries. They can read and modify sensitive
information from a database, execute administration operations on a
database, destroy data or make it unavailable. In some cases, the
attacker can access system data or execute OS commands. It is
recommended to install this SAP Security Note to prevent risks.

* 2121661 <https://service.sap.com/sap/support/notes/2121661>: SAP
ABAP & Java Server has a Running Process Remote Termination
vulnerability (CVSS Base Score:8.3). An attacker can use this
vulnerability to terminate the process of a vulnerable component.
Nobody will be able to use this service, which has a negative impact
on business processes, system downtime, and business reputation. It
is recommended to install this SAP Security Note to prevent risks.

* 2127995 <https://service.sap.com/sap/support/notes/2127995>: SAP
Content Server has a Running Process Remote Termination
vulnerability (CVSS Base Score:8.3). An attacker can use this
vulnerability to terminate SAP Content Server. Nobody will be able
to use this service, which has a negative impact on business
processes, system downtime, and business reputation. It is
recommended to install this SAP Security Note to prevent risks.

* 2153892 <https://service.sap.com/sap/support/notes/2153892>: SAP
HANA Web-based Development Workbench has an SQL Injection
vulnerability (CVSS Base Score:6.0). An attacker can use SQL
Injections with the help of specially crafted SQL queries. They can
read and modify sensitive information from a database, execute
administration operations in a database, destroy data or make it
unavailable. In some cases, the attacker can access system data or
execute OS commands. It is recommended to install this SAP Security
Note to prevent risks.

*Remote code execution in SAP applications*

Information security researchers have found many vulnerabilities in
LZC/LZH algorithm, using which attackers can execute remote code on
client and server hosts.

Many server and client SAP applications use the vulnerable compression
algorithm LZC/LZH:

* SAP NetWeaver Application Server ABAP
* SAP NetWeaver Application Server Java
* SAP NetWeaver RFC SDK
* SAP RFC SDK
* SAP GUI
* SAP MaxDB database
* SAPCAR archive tool

They are also used in the following protocols:

* Diag
* RFC
* MaxDB

Let’s look at the found vulnerabilities in detail.

*1. Stack-based overflow vulnerability CVE-2015-2282 in compression
algorithm LZC*

Vulnerable application code:

|/[..]/
int CsObjectInt::CsDecomprLZC (SAP_BYTE * inbuf,
SAP_INT inlen,
SAP_BYTE * outbuf,
SAP_INT outlen,
SAP_INT option,
SAP_INT * bytes_read,
SAP_INT * bytes_written)
[..]
/* Generate output characters in reverse order ...................*/
while (code >= 256)
{
*stackp++ = TAB_SUFFIXOF(code);
overflow
code = TAB_PREFIXOF(code);
}
[..]|

Note that the variable "code" contains an attacker-controlled value,
which results in a stack overflow if the value is greater than 256 and
the value of the code in the prefix table is also greater than 256. It's
possible to fill the stack with arbitrary values by controlling the
values stored in the prefix and suffix tables.

*2. Vulnerability CVE-2015-2278 in compression algorithm LZH*

Using this vulnerability, an attacker can read data stored outside the
buffer using special package data.

Vulnerable code:

|/[..]/
int CsObjectInt::BuildHufTree (
unsigned * b, /* code lengths in bits (all assumed <= BMAX) */
unsigned n, /* number of codes (assumed <= N_MAX) */
unsigned s, /* number of simple-valued codes (0..s-1) */
int * d, /* list of base values for non-simple codes */
int * e, /* list of extra bits for non-simple codes */
HUFTREE **t, /* result: starting table */
int * m) /* maximum lookup bits, returns actual */
[..]
if (p >= v + n)
{
r.e = INVALIDCODE; /* out of values--invalid code */
}
else if (*p < s)
{ /* 256 is end-of-block code */
r.e = (unsigned char)(*p < 256 ? LITCODE : EOBCODE);
r.v.n = (unsigned short) *p; /* simple code is just the value*/
p++;
}
else
{
r.e = (unsigned char) e[*p - s]; /*non-simple,look up in lists*/
r.v.n = (unsigned short) d[*p - s];
p++;
}
[..]|

As you can see, arrays 'e' and 'd' are indexed by the values of "* p -
s". As the value of variables 'p' and 's' are under the attacker’s
control, they also control the values of arrays 'e' and 'd'.

*Attack scenarios*

As the vulnerability affects a large number of SAP products, there are
multiple attack vectors depending on how the vulnerable code is used in
an SAP program.

Examples of vectors:

* Attack on a server component: SAP NetWeaver services Gateway and
Dispatcher process compressed data. An attacker can forge requests,
create a special attack package, and exploit a Remote Code Execution
vulnerability on the server.

* Attack on a client component: the attacker can create a special .CAR
or .SAR package, send it to a client, and when they try to unarchive
it, the attacker’s commands will be executed on the client's host.

* MitM attack. As most of the services affected by these issues are
not encrypted by default, an attacker might be able to perform a
man-in-the-middle attack and trigger the vulnerabilities by
injecting malicious packets within the communication.

*Remediation*

SAP customers can implement security notes 2124806, 2121661, 2127995,
2125316 at the company's support portal.

SAP has traditionally issued acknowledgments to the security researchers
on theirwebsite <http://scn.sap.com/docs/DOC-8218>.

--

Darya Maenkova

PR manager

<https://www.linkedin.com/company/2217474?trk=ppro_cprof>
<https://twitter.com/erpscan>

<http://erpscan.com/>

------------------------------------------------------------------------

e-mail: d.maenkova@erpscan.com <mailto:d.maenkova@erpscan.com>

address: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301

phone: 650.798.5255

erpscan.com <http://erpscan.com>

 

TOP