SAP DB Web Server Stack Overflow

2007.07.10
Credit: Mark Litchfield
Risk: High
Local: No
Remote: Yes
CVE: CVE-2007-3614
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

======= Summary ======= Name: SAP DB Web Server Stack Overflow Release Date: 5 July 2007 Reference: NGS00486 Discover: Mark Litchfield <mark (at) ngssoftware (dot) com [email concealed]> Vendor: SAP Vendor Reference: SECRES-291 Systems Affected: All Versions Risk: Critical Status: Fixed ======== TimeLine ======== Discovered: 3 January 2007 Released: 19 January 2007 Approved: 29 January 2007 Reported: 11 January 2007 Fixed: 27 March 2007 Published: =========== Description =========== SAP DB is an open source database server sponsored by SAP AG that provides a series of web tools to administer database servers via web browsers. These tools can be integrated into third-party web servers such as IIS, or run on its own web server which by default is installed to TCP Port 9999. When installed as its own web server, the process waHTTP.exe is found to be listening on TCP Port 9999. ================= Technical Details ================= http://target:9999/webdbm?Event=DBM_INTERN_TEST&Action=REFRESH Looking at the 200 response we can determine the function offered by the request: ****************************************** <body topmargin=0 leftmargin=0 marginwidth=0 marginheight=0 background=/WARoot/Images/tatami.gif> <a href="javascript:parent.GotoWebDBMURL(this, 'Event=DBM_INTERN_TEST&Action=REFRESH')">Test</a><table style="font-family:courier new,monospace; font-size:8pt;" border=1 cellspacing=0 cellpadding=1> <tr><td>sapdbwa_GetRequestURI </td><td>/webdbm </td></tr> <tr><td>sapdbwa_GetIfModifiedSince </td><td>NULL </td></tr> <tr><td>sapdbwa_GetQueryString </td><td>Event=DBM_INTERN_TEST&Actio n=REFRESH </td></tr> <tr><td>sapdbwa_GetPathInfo </td><td>NULL </td></tr> <tr><td>sapdbwa_GetMethod </td><td>GET </td></tr> <tr><td>sapdbwa_GetContentType </td><td>NULL </td></tr> <tr><td>sapdbwa_GetContentLength </td><td>NULL </td></tr> <tr><td>sapdbwa_GetPathTranslated </td><td>NULL </td></tr> <tr><td>sapdbwa_GetServerName </td><td>NULL </td></tr> <tr><td>AUTH_TYPE </td><td>NULL </td></tr> <tr><td>CONTENT_LENGTH </td><td>NULL </td></tr> <tr><td>CONTENT_TYPE </td><td>NULL </td></tr> <tr><td>GATEWAY_INTERFACE </td><td>NULL </td></tr> <tr><td>HTTP_ACCEPT </td><td>*/* </td></tr> <tr><td>PATH_INFO </td><td>NULL </td></tr> <tr><td>QUERY_STRING </td><td>NULL </td></tr> <tr><td>REMOTE_ADDR </td><td>NULL </td></tr> <tr><td>REMOTE_HOST </td><td>NULL </td></tr> <tr><td>REMOTE_USER </td><td>NULL </td></tr> <tr><td>REQUEST_METHOD </td><td>NULL </td></tr> <tr><td>SCRIPT_NAME </td><td>NULL </td></tr> <tr><td>SERVER_NAME </td><td>NULL </td></tr> <tr><td>SERVER_PORT </td><td>NULL </td></tr> <tr><td>SERVER_PROTOCOL </td><td>NULL </td></tr> <tr><td>SERVER_SOFTWARE </td><td>NULL </td></tr> <tr><td>HTTP_ACCEPT </td><td>*/* </td></tr> <tr><td>HTTP_ACCEPT_CHARSET </td><td>NULL </td></tr> <tr><td>HTTP_ACCEPT_ENCODING </td><td>NULL </td></tr> <tr><td>HTTP_ACCEPT_LANGUAGE </td><td>NULL </td></tr> <tr><td>HTTP_ACCEPT_RANGES </td><td>NULL </td></tr> <tr><td>HTTP_AGE </td><td>NULL </td></tr> <tr><td>HTTP_ALLOW </td><td>NULL </td></tr> <tr><td>HTTP_AUTHORIZATION </td><td>NULL </td></tr> <tr><td>HTTP_CACHE_CONTROL </td><td>NULL </td></tr> <tr><td>HTTP_CONNECTION </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_ENCODING </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_LANGUAGE </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_LENGTH </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_LOCATION </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_MD5 </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_RANGE </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_TYPE </td><td>NULL </td></tr> <tr><td>HTTP_DATE </td><td>NULL </td></tr> <tr><td>HTTP_ETAG </td><td>NULL </td></tr> <tr><td>HTTP_EXPECT </td><td>NULL </td></tr> <tr><td>HTTP_EXPIRES </td><td>NULL </td></tr> <tr><td>HTTP_FROM </td><td>NULL </td></tr> <tr><td>HTTP_HOST </td><td>localhost </td></tr> <tr><td>HTTP_IF_MATCH </td><td>NULL </td></tr> <tr><td>HTTP_IF_MODIFIED_SINCE </td><td>NULL </td></tr> <tr><td>HTTP_IF_NONE_MATCH </td><td>NULL </td></tr> <tr><td>HTTP_IF_RANGE </td><td>NULL </td></tr> <tr><td>HTTP_IF_UNMODIFIED_SINCE </td><td>NULL </td></tr> <tr><td>HTTP_LAST_MODIFIED </td><td>NULL </td></tr> <tr><td>HTTP_LOCATION </td><td>NULL </td></tr> <tr><td>HTTP_MAX_FORWARDS </td><td>NULL </td></tr> <tr><td>HTTP_PRAGMA </td><td>NULL </td></tr> <tr><td>HTTP_PROXY_AUTHENTICATE </td><td>NULL </td></tr> <tr><td>HTTP_PROXY_AUTHORIZATION </td><td>NULL </td></tr> <tr><td>HTTP_RANGE </td><td>NULL </td></tr> <tr><td>HTTP_REFERER </td><td>NULL </td></tr> <tr><td>HTTP_RETRY_AFTER </td><td>NULL </td></tr> <tr><td>HTTP_SERVER </td><td>NULL </td></tr> <tr><td>HTTP_TE </td><td>NULL </td></tr> <tr><td>HTTP_TRAILER </td><td>NULL </td></tr> <tr><td>HTTP_TRANSFER_ENCODING </td><td>NULL </td></tr> <tr><td>HTTP_UPGRADE </td><td>NULL </td></tr> <tr><td>HTTP_USER_AGENT </td><td>NULL </td></tr> <tr><td>HTTP_VARY </td><td>NULL </td></tr> <tr><td>HTTP_VIA </td><td>NULL </td></tr> <tr><td>HTTP_WARNING </td><td>NULL </td></tr> <tr><td>HTTP_WWW_AUTHENTICATE </td><td>NULL </td></tr> <tr><td>HTTP_COOKIE </td><td>SID=E63A7F73B20A5021442BAF3C8F70B97A&n bsp;</td></tr> <tr><td>HTTP_SESSION_ID </td><td>NULL </td></tr> <tr><td>Event </td><td>DBM_INTERN_TEST </td></tr> <tr><td>Action </td><td>REFRESH </td></tr> </table> </body> ****************************************************** By making the request again, but ammeding the Cookie Value, or if one is not prersent, simply add it as an HTTP header request, we can cause a stack based overflow within WAHTTP.exe The same Overflow can also be achieved in numerous other fields. If we take the sapdbwa_GetQueryString, we can simply pass an additional parameter by appending & + string =============== Fix Information =============== Please ensure you are running the latest version NGSSoftware Insight Security Research http://www.ngssoftware.com/ http://www.databasesecurity.com/ http://www.nextgenss.com/ +44(0)208 401 0070


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top