[NEWS] SAP Internet Graphics Service Buffer Overflow Vulnerability

Subject: [NEWS] SAP Internet Graphics Service Buffer Overflow Vulnerability
Date: 24 Jan 2007 19:14:55 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  SAP Internet Graphics Service Buffer Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

"The IGS provides a server architecture where data from an SAP System or 
other sources can be used to generate graphical or non-graphical output."

A specially crafted HTTP request can trigger a remote buffer overflow in 
the SAP IGS service.

DETAILS

Affected Applications:
 * SAP IGS version 6.40 Patchlevel revision 15 and prior
 * SAP IGS version 7.00 Patchlevel revision 3 and prior

The ADM:GETLOGFILE command receives a portwatcher name as a parameter. If 
the specified portwatcher is not found, an error message is returned to 
the client.

The vulnerability lies in the processing of this error message. The 
message is built with the _snprintf() function, which is meant to prevent 
buffer overflows by limiting the number of bytes written to the 
destination buffer:

----------------------------------------------
8B5424 14          MOV EDX,DWORD PTR SS:[ESP+14]    ; Portwatcher string (controlled)
52                 PUSH EDX
68 B49C5700        PUSH igsmux.00579CB4             ; ASCII "Could not find portwatcher %s"
8D8424 B0000000    LEA EAX,DWORD PTR SS:[ESP+B0]    ; Destination buffer
68 00040000        PUSH 400                         ; Output 1024 bytes max
50                 PUSH EAX
E8 DA881100        CALL <JMP.&MSVCR71._snprintf>
----------------------------------------------

Therefore, if a parameter of more than 998 bytes is received, only the 
first 1024 bytes of the resulting string (after concatenation) are stored 
in the destination buffer, and no overflow occurs at this point.

To present this error message to the client, an HTTP response is crafted. 
Its content is prepared in a heap-allocated buffer. After some 
processing, the error message string is copied into this buffer:

----------------------------------------------
8B4D 0C            MOV ECX,DWORD PTR SS:[EBP+C]   ; _snprintf() result value
8B75 08            MOV ESI,DWORD PTR SS:[EBP+8]   ; Error message string
8DB8 A0000000      LEA EDI,DWORD PTR DS:[EAX+A0]  ; Destination buffer
8BC1               MOV EAX,ECX
C1E9 02            SHR ECX,2
F3:A5              REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
----------------------------------------------

The _snprintf() function returns the number of bytes written, so the code 
above would not seem unreasonable. The problem is that, when the source 
string is longer than the maximum number of characters to store (count), 
a particular behaviour takes place:

"If the number of bytes required to store the data exceeds count, then 
count bytes of data are stored in buffer and a negative value is 
returned." [MSDN]

Therefore, if the string is larger than 1024 bytes, after the first 
instruction of the code above ECX holds the negative return value. The 
SHR ECX,2 turns it into a very large dword count, which REP MOVSD treats 
as unsigned, so when the memory copy takes place the heap space reserved 
for the response is overflowed.
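The missing check, as an added example in C (not CYBSEC's or SAP's code): a portable model of the _snprintf() truncation case above, with the unchecked pattern beside a hardened variant that never reports more bytes than the buffer actually holds. The format string and the 1024-byte limit come from the listing; the function names and the constructed inputs are assumptions.

```c
/* Added example, not CYBSEC's or SAP's code: the truncation check the IGS
 * error path lacked. MSVC _snprintf() returns a negative value on truncation
 * and C99 snprintf() the length that would have been written; used blindly
 * as a copy count, either overruns the buffer. Function names are made up. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSG_CAP 1024                         /* the PUSH 400 in the listing */
#define FMT     "Could not find portwatcher %s"

/* Unchecked pattern: this raw return is what IGS fed into REP MOVSD. */
int format_error_raw(char *dst, size_t cap, const char *portwatcher)
{
    return snprintf(dst, cap, FMT, portwatcher);
}

/* Hardened pattern: negative (MSVC) or >= cap (C99) means truncation;
 * report only the bytes actually stored and keep the string terminated. */
size_t format_error_checked(char *dst, size_t cap, const char *portwatcher,
                            bool *truncated)
{
    int n = snprintf(dst, cap, FMT, portwatcher);
    *truncated = (n < 0 || (size_t)n >= cap);
    if (*truncated) {
        dst[cap - 1] = '\0';
        return cap - 1;
    }
    return (size_t)n;
}

struct probe_result { int raw; size_t checked; bool truncated; };

/* Runs both paths on a constructed portwatcher name of name_len 'A's. */
struct probe_result probe(size_t name_len)
{
    struct probe_result r = { -1, 0, true };
    char msg[MSG_CAP];
    char *name = malloc(name_len + 1);
    if (!name) return r;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    r.raw = format_error_raw(msg, sizeof msg, name);
    r.checked = format_error_checked(msg, sizeof msg, name, &r.truncated);
    free(name);
    return r;
}
```

On MSVC the raw return is negative and on a C99 libc it is the would-be length; the checked variant treats both as truncation and caps the copy length at 1023 bytes.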

This will overwrite heap block structures, which would eventually be used 
and result in the execution of the famous set of instructions:

--------------------------------------------------
8901           MOV DWORD PTR DS:[ECX],EAX
8948 04      MOV DWORD PTR DS:[EAX+4],ECX
--------------------------------------------------

As both ECX and EAX can be controlled, an arbitrary DWORD overwrite is 
possible, leading to the possibility of executing arbitrary code.

Under UNIX systems, successful exploitation of this vulnerability may 
allow an attacker to execute remote code with the privileges of the SAP 
System Administrator account (<SID>adm), allowing him to take full control 
of the SAP system installation.

Under Microsoft Windows systems, successful exploitation of this 
vulnerability may allow an attacker to execute remote code with the 
privileges of the LocalSystem account, allowing him to take full control 
of the entire system.

Patch Availability:
SAP has released patches to address this vulnerability. Affected customers 
should apply the patches immediately. More information can be found on SAP 
Note 968423.

Disclosure Timeline:
 * 2006-06-02 - Initial Vendor Contact.
 * 2006-06-09 - Vendor Confirmed Vulnerability.
 * 2006-07-03 - Vendor Releases Update for version 6.40.
 * 2006-07-13 - Vendor Releases Update for version 7.00.
 * 2006-08-10 - Pre-Advisory Public Disclosure.
 * 2007-01-18 - Advisory Public Disclosure.


ADDITIONAL INFORMATION

The information has been provided by CYBSEC.
The original article can be found at:
http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Remote_Buffer_Overflow.pdf


