[NEWS] SAP WebAS URL Manipulation

Subject: [NEWS] SAP WebAS URL Manipulation
Date: 17 May 2006 17:29:13 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com

  SAP WebAS URL Manipulation
------------------------------------------------------------------------


SUMMARY

SAP Web Application Server (SAP Web AS) is the application platform of SAP 
NetWeaver: it provides the complete infrastructure needed to develop, deploy 
and run all SAP NetWeaver applications. A key capability of SAP Web AS is 
its full support for both ABAP and J2EE technologies.

This vulnerability may be exploited to gain authentication information 
such as credential cookies.

DETAILS

SAP Web Application Server was found to be vulnerable to a URL manipulation 
that allows an attacker to prefix the HTTP response (to a request containing 
a manipulated URL) with a sequence of bytes of his choice. The vulnerability 
may be exploited to mount various attacks that disclose authentication 
information valid within the context of the WAS website (such as cookies, 
usernames or passwords). It may also aid an attacker in manipulating the way 
a website is cached, served or interpreted, leading to a false sense of 
trust or a partial defacement.

One way the vulnerability can be exploited is by inserting ";%20" into the 
HTTP request URL, followed by the characters to be inserted, with every 
character that has special meaning (such as "/", CR, LF and "=") replaced 
by one of its illegal, URL-encoded UTF-8 representations. This triggers an 
incorrectly handled HTTP error: WAS translates each illegal character 
representation into a single byte and returns the sequence chosen by the 
attacker, followed by some garbage characters built from the URL, a 
slightly incorrect HTTP response header and the original HTTP message 
body. The attacker thus has complete control over the first bytes of the 
response. If the inserted bytes form an HTTP message whose entity body 
contains an HTML page, the user's browser renders that page and discards 
the rest of the response.

Cache manipulations might be done by letting WAS return one or multiple 
specially crafted HTTP responses within the bytes inserted. This could 
facilitate phishing or defacement style attacks.

Proof of Concept:
The following proof of concept returns an HTML page that is defined by the 
request URL (the URL is a single line with no breaks):
http://sap-was/x.htm;%20HTTP%c0%af1.0%20200%20OK%c0%8d%c0%8aContent-Length:%2035%c0%8d%c0%8aContent-Type:text%c0%afhtml%c0%8d%c0%8a%c0%8d%c0%8a%3Chtml%3e%3cbody%3ehello%3c%c0%afbody%3e%3c%c0%afhtml%3e%c0%8d%c0%8a%c0%8d%c0%8a
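The following Python is an added illustration, not code from the advisory or from SAP: it models the one-byte collapse of illegal UTF-8 sequences that the advisory describes, places it beside the strict decoding that rejects such input, and runs a response-splitting check over two constructed access-log lines, the second carrying the advisory's proof-of-concept path. The log format, regular expressions and function names are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes
# Percent-encoded overlong two-byte UTF-8 forms (lead byte C0/C1) are never legal.
OVERLONG = re.compile(r"%c[01]%[89ab][0-9a-f]", re.IGNORECASE)
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def lenient_decode(url: str) -> bytes:
    """Model the flawed decoding: C0 AF -> '/', C0 8D -> CR, C0 8A -> LF."""
    raw, out, i = unquote_to_bytes(url), bytearray(), 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))  # collapse to one byte
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)

def is_valid_utf8(url: str) -> bool:
    """Hardened check: percent-decode, then require strictly valid UTF-8."""
    try:
        unquote_to_bytes(url).decode("utf-8")  # strict: overlong forms raise
        return True
    except UnicodeDecodeError:
        return False

def analyse_path(path: str) -> dict:
    decoded = lenient_decode(path)
    return {
        "overlong_count": len(OVERLONG.findall(path)),
        "valid_utf8": is_valid_utf8(path),
        "crlf_injected": b"\r\n" in decoded,  # response-splitting tell
        "embedded_status_line": bool(re.search(rb"HTTP/1\.[01] \d{3}", decoded)),
    }

def scan_log(lines):
    hits = []  # (path, findings) for each request that should raise an alert
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            info = analyse_path(m.group(1))
            if info["overlong_count"] or info["crlf_injected"] or not info["valid_utf8"]:
                hits.append((m.group(1), info))
    return hits
# Constructed access-log lines (not from the advisory); the second carries the PoC path.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/May/2006:17:29:13 +0200] "GET /index.htm HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/May/2006:17:30:02 +0200] "GET /x.htm;%20HTTP%c0%af1.0%20200%20OK%c0%8d%c0%8aContent-Length:%2035%c0%8d%c0%8aContent-Type:text%c0%afhtml%c0%8d%c0%8a%c0%8d%c0%8a%3Chtml%3e%3cbody%3ehello%3c%c0%afbody%3e%3c%c0%afhtml%3e%c0%8d%c0%8a%c0%8d%c0%8a HTTP/1.1" 200 97',
]
```

Running `scan_log(SAMPLE_LOG)` flags only the second line; the strict decoder is the behaviour a patched server should show, since the path is not valid UTF-8 at all.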

Solution:
Patches are provided from SAP. See SAP Note 908147 and 915084 for details.

Disclosure Timeline:
 * 11/29/2005: Initial vendor contact.
 * 11/30/2005: Technical details for the vulnerabilities sent to vendor.
 * 01/10/2006: Patch provided by vendor.
 * 03/01/2006: Coordinated release of pre-advisory without technical details.
 * 05/16/2006: Coordinated release of advisory with technical details.


ADDITIONAL INFORMATION

The information has been provided by Arnold Grossmann 
<mailto:arnold.grossmann@gmail.com>.


