Application: SAP NetWeaver **Versions Affected: **SAP KERNEL 7.40 64BIT, disp+work.exe (7400.12.21.30308) **Vendor URL: ** SAP **Bugs:**DoS **Reported:**13.12.2016 **Vendor response:**14.12.2016 **Date of Public Advisory:**14.03.2017 **Reference: **SAP Security Note 2405918 **Author: ** Vahagn Vardanyan (ERPScan)
Class: DoS
Impact: Denial of Service
Remotely Exploitable: yes
Locally Exploitable: yes
CVE: CVE-2017-9845
CVSS Base Score v3: 7.5 / 10
CVSS Base Vector:
AV: Attack Vector (Related exploit range) | Network (N) |
---|---|
AC: Attack Complexity (Required attack complexity) | Low (L) |
PR: Privileges Required (Level of privileges needed to exploit) | None (N) |
UI: User Interaction (Required user participation) | None (N) |
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Unchanged (U) |
C: Impact to Confidentiality | None (N) |
I: Impact to Integrity | None (N) |
A: Impact to Availability | High (H) |
When we send the crafted DIAG request to disp+work process port, the server will consume all available resources.
An attacker can use a Denial of Service vulnerability for terminating the process of a vulnerable component. For this time nobody can use this service, this fact negatively influences business processes, system downtime, and business reputation as a result.
SAP KERNEL 7.40 64BIT, disp+work.exe (7400.12.21.30308)
To correct this vulnerability, install SAP Security Note 2405918
The vulnerability occurs in disp+work.exe process in dynpen00 function (dynpen00+0x12e5).
The vulnerable code segment
windbg log
0:000> r rax=0000000000000028 rbx=0000000000000000 rcx=00000001419140b0 rdx=0000000000000d30 rsi=0000000000000020 rdi=0000000011290058 rip=000000013f6981a5 rsp=000000000216b6d0 rbp=0000000000000000 r8=0000000000000000 r9=0000000000000000 r10=00000001428488a0 r11=0000000000000000 r12=0000000000000028 r13=00000001419140b0 r14=0000000000000036 r15=000000000000000c iopl=0 nv up ei pl nz na po nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 disp_work!dynpen00+0x12e5: 000000013f6981a5 0fb73a movzx edi,word ptr [rdx] ds:0000000000000d30=???
1
2
3
4
5
6
7
8
9
10
11
|
0:000> r
rax=0000000000000028 rbx=0000000000000000 rcx=00000001419140b0
rdx=0000000000000d30 rsi=0000000000000020 rdi=0000000011290058
rip=000000013f6981a5 rsp=000000000216b6d0 rbp=0000000000000000
r8=0000000000000000 r9=0000000000000000 r10=00000001428488a0
r11=0000000000000000 r12=0000000000000028 r13=00000001419140b0
r14=0000000000000036 r15=000000000000000c
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
disp_work!dynpen00+0x12e5:
000000013f6981a5 0fb73a movzx edi,word ptr [rdx] ds:0000000000000d30=???
—|—
windows_event_log
Faulting application name: disp+work.EXE, version: 7400.12.21.30308, time stamp: 0x5165eef0 Faulting module name: disp+work.EXE, version: 7400.12.21.30308, time stamp: 0x5165eef0 Exception code: 0xc0000005 Fault offset: 0x00000000003081a5 Faulting process id: 0x1104 Faulting application start time: 0x01d23e61efe1e574 Faulting application path: C:\usr\sap\POP\DVEBMGS00\exe\disp+work.EXE Faulting module path: C:\usr\sap\POP\DVEBMGS00\exe\disp+work.EXE Report Id: bafec8ed-aa55-11e6-bb20-000c29281a0b
1
2
3
4
5
6
7
8
9
|
Faulting application name: disp+work.EXE, version: 7400.12.21.30308, time stamp: 0x5165eef0
Faulting module name: disp+work.EXE, version: 7400.12.21.30308, time stamp: 0x5165eef0
Exception code: 0xc0000005
Fault offset: 0x00000000003081a5
Faulting process id: 0x1104
Faulting application start time: 0x01d23e61efe1e574
Faulting application path: C:\usr\sap\POP\DVEBMGS00\exe\disp+work.EXE
Faulting module path: C:\usr\sap\POP\DVEBMGS00\exe\disp+work.EXE
Report Id: bafec8ed-aa55-11e6-bb20-000c29281a0b
—|—
netcat SAP_SERVER 3200 < poc.bin