lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <d16e51450605160908hdd34b57q80cbbed88cf67faa@mail.gmail.com>
Date: Tue, 16 May 2006 18:08:52 +0200
From: "Arnold Grossmann" <arnold.grossmann@...il.com>
To: bugtraq <bugtraq@...urityfocus.com>
Subject: vulnerability details

Release Date: 03/01/2006

Affected Applications: SAP WebAS Kernel up to version 7.00

Affected Platforms: Platform-Independant

Local / Remote: Remote

Severity: Medium to High

Author: A. Grossmann arnold.grossmann (at) gmail.com

Vendor Status: Confirmed


Product Overview ( cited from SAP ):
====================================

SAP Web Application Server

The only Application Platform for the SAP NetWeaver Suite

SAP Web Application Server (SAP Web AS) is the application platform of SAP
NetWeaver, i.e. it provides the complete infrastructure to develop, deploy
and run all SAP NetWeaver applications. The major key capability of SAP Web
AS is the full support for both the proven ABAP technology and the innovative
open source internet-driven technologies Java, Java 2 Enterprise Edition
(J2EE) and Web Services.


Vulnerability Description:
==========================

SAP Web Application Server was found to be vulnerable to an URL manipulation
allowing an attacker to prefix the http response ( to a request containing a
manipulated URL ) with a sequence of bytes of his choice.
The vulnerability may be exploited to mount various attacks to gain knowledge
of authentication information valid within the context of the WAS website
( like cookies, usernames or passwords ). Also the vulnerability may aid an
attacker in manipulating the way a website is cached, served or interpreted -
leading to a false sense of trust or a partial defacement.


Technical Details:
==================

One way the vulnerability can be exploited is by inserting ";%20" into the http
request URL, followed by the characters to be inserted, replacing all
characters with special meaning like "/", CR, LF and "=" by one of their
illegal UTF-8- and URL-encoded representations. This results in an incorrectly
handled http error. WAS translates each illegal character representation into
one byte and returns the sequence chosen by the attacker, followed by some
garbage characters built from the URL, a slightly incorrect http response-header
plus the original http message-body, thus allowing the complete control over the
first sequence of bytes of the response. If the attacker inserts a http message
containing a HTML page in it's entity-body, the user's browser will render that
page and discard the rest of the response.

Cache manipulations might be done by letting WAS return one or multiple
specially crafted HTTP responses within the bytes inserted. This could
facilitate phishing or defacement style attacks.


Exploit (Poc):
==============

Following proof of concept will return a html page that
is defined by the request URL.

http://sap-was/x.htm;%20HTTP%c0%af1.0%20200%20OK%c0%8d%c0%8aContent-Length:%2035%c0%8d%c0%8aContent-Type:text%c0%afhtml%c0%8d%c0%8a%c0%8d%c0%8a%3Chtml%3e%3cbody%3ehello%3c%c0%afbody%3e%3c%c0%afhtml%3e%c0%8d%c0%8a%c0%8d%c0%8a



Solution:
=========

Patches are provided from SAP. See SAP Note 908147 and 915084 for details.


Vendor Response:
================

* 11/29/2005: Initial Vendor Contact.
* 11/30/2005: Technical details for the vulnerabilities sent to vendor.
* 01/10/2006: patch provided by vendor.
* 03/01/2006: Coordinate release of pre-advisory without technical details
* 05/16/2006: Coordinate release of advisory with technical details

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ