Message-ID: <555DE812.8070307@erpscan.com>
Date: Thu, 21 May 2015 17:13:38 +0300
From: Darya Maenkova <d.maenkova@...scan.com>
To: fulldisclosure@...lists.org
Subject: [FD] SAP Security Notes May 2015

SAP <http://www.sap.com/> has released the monthly critical patch update 
for May 2015. This patch update closes a number of vulnerabilities in SAP 
products, some of them in the SAP HANA security area. This month, 
three critical vulnerabilities found by ERPScan researchers Dmitry 
Chastukhin and Vahagn Vardanyan were closed.

*Issues that were patched with the help of ERPScan*

The detailed list of corrected vulnerabilities that were found by ERPScan 
<http://www.erpscan.com/> researchers is below.

  * A Buffer Overflow vulnerability in SAP Afaria Server (CVSS Base
    Score: 7.8). Update is available in SAP Security Note 2153690
    <https://service.sap.com/sap/support/notes/2153690>. An attacker can
    use the Buffer Overflow to inject specially crafted code into working
    memory. The code will be executed by the vulnerable application
    under the same privileges that the application has. This can lead to
    the attacker taking complete control over the application, denial of
    service, command execution, and other attacks. In case of command
    execution, the attacker can obtain critical technical and
    business-related information stored in the vulnerable SAP system or
    escalate their privileges. As for denial of service, it can
    terminate the process of a vulnerable component. Nobody will be able
    to use the service, which causes system downtime and harms business
    processes and business reputation.

  * A Missing Authorization Check vulnerability in SAP Afaria (CVSS Base
    Score: 7.1). Update is available in SAP Security Note 2155690
    <https://service.sap.com/sap/support/notes/2155690>. An attacker can
    use the Missing Authorization Check to access a service without any
    authorization procedure and use service functionality that should
    have restricted access. This can lead to information disclosure,
    privilege escalation, and other attacks.

  * An XML eXternal Entity vulnerability in SAP System Landscape
    Directory (CVSS Base Score: 4.9). Update is available in SAP Security
    Note 2090851 <https://service.sap.com/sap/support/notes/2090851>. An
    attacker can use XML eXternal Entities to send specially crafted
    unauthorized XML requests, which will be processed by the XML
    parser. The attacker will get unauthorized access to the OS file system.

*The most critical issues found by other researchers*

Some of our readers and clients asked us to categorize the most critical 
SAP vulnerabilities to patch them first. Companies providing SAP 
Security Audit, SAP Security Assessment, or SAP Penetration Testing 
services can include these vulnerabilities in their checklists. The most 
critical vulnerabilities of this update can be patched by the following 
SAP Security Notes:

  * 2152278 <https://service.sap.com/sap/support/notes/2152278>: SAP ASE
    Database Platform has an SQL Injection vulnerability (CVSS Base
    Score: 8.5). An attacker can use SQL Injection with the help of
    specially crafted SQL queries. They can read and modify sensitive
    information in a database, execute administration operations on a
    database, and destroy data or make it unavailable. In some cases, the
    attacker can access system data or execute OS commands. It is
    recommended to install this SAP Security Note to prevent these risks.

  * 2121661 <https://service.sap.com/sap/support/notes/2121661>: SAP
    ABAP & Java Server has a Running Process Remote Termination
    vulnerability (CVSS Base Score: 8.3). An attacker can use this
    vulnerability to terminate the process of a vulnerable component.
    Nobody will be able to use the service, which causes system downtime
    and harms business processes and business reputation. It is
    recommended to install this SAP Security Note to prevent these risks.

  * 2127995 <https://service.sap.com/sap/support/notes/2127995>: SAP
    Content Server has a Running Process Remote Termination
    vulnerability (CVSS Base Score: 8.3). An attacker can use this
    vulnerability to terminate SAP Content Server. Nobody will be able
    to use the service, which causes system downtime and harms business
    processes and business reputation. It is recommended to install
    this SAP Security Note to prevent these risks.

  * 2153892 <https://service.sap.com/sap/support/notes/2153892>: SAP
    HANA Web-based Development Workbench has an SQL Injection
    vulnerability (CVSS Base Score: 6.0). An attacker can use SQL
    Injection with the help of specially crafted SQL queries. They can
    read and modify sensitive information in a database, execute
    administration operations in a database, and destroy data or make it
    unavailable. In some cases, the attacker can access system data or
    execute OS commands. It is recommended to install this SAP Security
    Note to prevent these risks.

*Remote code execution in SAP applications*

Information security researchers have found several vulnerabilities in 
the LZC/LZH compression algorithms that allow attackers to execute code 
remotely on client and server hosts.

Many SAP server and client applications use the vulnerable LZC/LZH 
compression algorithms:

  * SAP NetWeaver Application Server ABAP
  * SAP NetWeaver Application Server Java
  * SAP NetWeaver RFC SDK
  * SAP RFC SDK
  * SAP GUI
  * SAP MaxDB database
  * SAPCAR archive tool

The algorithms are also used in the following protocols:

  * Diag
  * RFC
  * MaxDB

Let's look at the vulnerabilities in detail.

*1. Stack-based overflow vulnerability CVE-2015-2282 in the LZC 
compression algorithm*

Vulnerable application code:

    [..]
    int CsObjectInt::CsDecomprLZC (SAP_BYTE * inbuf,
                                   SAP_INT    inlen,
                                   SAP_BYTE * outbuf,
                                   SAP_INT    outlen,
                                   SAP_INT    option,
                                   SAP_INT  * bytes_read,
                                   SAP_INT  * bytes_written)
    [..]
        /* Generate output characters in reverse order ...................*/
        while (code >= 256)
        {
            /* overflow: stackp is advanced on every iteration with no check
               that it is still inside the stack buffer */
            *stackp++ = TAB_SUFFIXOF(code);
            code = TAB_PREFIXOF(code);
        }
    [..]


Note that the variable "code" holds an attacker-controlled value. If the 
value is greater than 256 and the value it maps to in the prefix table 
is also greater than 256, the loop keeps pushing suffix bytes onto the 
stack and overflows it. By controlling the values stored in the prefix 
and suffix tables, it is possible to fill the stack with arbitrary values.
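As an added illustration (not SAP's code), here is a constructed LZC-style chain expansion written the way a decoder should do it: the same reverse-order loop as CsDecomprLZC, but with the code-range, stack-capacity and prefix-ordering checks the vulnerable loop lacks. The table layout, the 12-bit code space and the define_chain helper are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIRST_CODE 256   /* codes below this are literal bytes */
#define TABLE_SIZE 4096  /* assumed 12-bit LZC code space */

/* Prefix/suffix tables, code -> (prefix code, last byte); in a real decoder filled from the compressed data. */
typedef struct {
    uint16_t prefix[TABLE_SIZE];
    uint8_t  suffix[TABLE_SIZE];
    unsigned next_free;  /* first code not yet defined */
} lzc_table;

/* Hardened version of the "generate output characters in reverse order"
 * loop. Returns the number of bytes written to out (reverse order, as in
 * the original) or -1 for a malformed chain: an undefined code, a chain
 * longer than the output stack, or a prefix not earlier than its code. */
int expand_chain(const lzc_table *t, unsigned code,
                 uint8_t *out, size_t outcap)
{
    size_t n = 0;
    while (code >= FIRST_CODE) {
        if (code >= t->next_free || n >= outcap)
            return -1;            /* undefined code or stack full */
        out[n++] = t->suffix[code];
        unsigned prev = t->prefix[code];
        if (prev >= code)         /* prefixes always precede their code */
            return -1;
        code = prev;
    }
    if (n >= outcap)
        return -1;
    out[n++] = (uint8_t)code;     /* the chain ends in a literal byte */
    return (int)n;
}

/* Test helper (constructed input): defines codes so the returned code expands to the whole string s. */
unsigned define_chain(lzc_table *t, const char *s)
{
    memset(t, 0, sizeof *t);
    t->next_free = FIRST_CODE;
    unsigned prev = (uint8_t)s[0];
    for (size_t i = 1; s[i] != '\0'; i++) {
        t->prefix[t->next_free] = (uint16_t)prev;
        t->suffix[t->next_free] = (uint8_t)s[i];
        prev = t->next_free++;
    }
    return prev;
}
```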

*2. Vulnerability CVE-2015-2278 in the LZH compression algorithm*

Using this vulnerability, an attacker can read data stored outside the 
buffer by means of specially crafted package data.

Vulnerable code:

    [..]
    int CsObjectInt::BuildHufTree (
        unsigned * b,   /* code lengths in bits (all assumed <= BMAX) */
        unsigned   n,   /* number of codes (assumed <= N_MAX)         */
        unsigned   s,   /* number of simple-valued codes (0..s-1)     */
        int      * d,   /* list of base values for non-simple codes   */
        int      * e,   /* list of extra bits for non-simple codes    */
        HUFTREE  **t,   /* result: starting table                     */
        int      * m)   /* maximum lookup bits, returns actual        */
    [..]
        if (p >= v + n)
        {
            r.e = INVALIDCODE;              /* out of values--invalid code */
        }
        else if (*p < s)
        {                                   /* 256 is end-of-block code */
            r.e = (unsigned char)(*p < 256 ? LITCODE : EOBCODE);
            r.v.n = (unsigned short) *p;    /* simple code is just the value */
            p++;
        }
        else
        {
            /* non-simple, look up in lists: the index *p - s is never
               checked against the length of e[] and d[] */
            r.e = (unsigned char) e[*p - s];
            r.v.n = (unsigned short) d[*p - s];
            p++;
        }
    [..]


As you can see, the arrays 'e' and 'd' are indexed by the value of 
"*p - s". Since the values of 'p' and 's' are under the attacker's 
control, the attacker also controls the index into, and therefore the 
values read from, the arrays 'e' and 'd'.

*Attack scenarios*

As the vulnerability affects a large number of SAP products, there are 
multiple attack vectors depending on how the vulnerable code is used in 
an SAP program.

Examples of vectors:

  * Attack on a server component: SAP NetWeaver services Gateway and
    Dispatcher process compressed data. An attacker can forge requests,
    create a special attack package, and exploit a Remote Code Execution
    vulnerability on the server.

  * Attack on a client component: the attacker can create a special .CAR
    or .SAR package and send it to a client; when the recipient tries to
    unarchive it, the attacker's commands will be executed on the client's host.

  * MitM attack. As most of the services affected by these issues are
    not encrypted by default, an attacker might be able to perform a
    man-in-the-middle attack and trigger the vulnerabilities by
    injecting malicious packets within the communication.

*Remediation*

SAP customers can implement security notes 2124806, 2121661, 2127995, 
and 2125316, available at the company's support portal.

SAP has traditionally issued acknowledgments to the security researchers 
on their website <http://scn.sap.com/docs/DOC-8218>.

-- 

Darya Maenkova

PR manager

<https://www.linkedin.com/company/2217474?trk=ppro_cprof> 
<https://twitter.com/erpscan>

<http://erpscan.com/>

------------------------------------------------------------------------

e-mail: d.maenkova@...scan.com <mailto:d.maenkova@...scan.com>

address: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301

phone: 650.798.5255

erpscan.com <http://erpscan.com>

