Network Security: Detailed info on [NEWS] SAP DB Web Server Stack Overflow

Subject:	[NEWS] SAP DB Web Server Stack Overflow
Date:	8 Jul 2007 14:11:21 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  SAP DB Web Server Stack Overflow
------------------------------------------------------------------------


SUMMARY

SAP DB is "an open source database server sponsored by SAP AG that 
provides a series of web tools to administer database servers via web 
browsers. These tools can be integrated into third-party web servers such 
as IIS, or run on its own web server which by default is installed to TCP 
Port 9999".

When installed as its own web server, the process SAB DB's waHTTP.exe is 
found to be listening on TCP Port 9999, this web server has been found to 
contain a remotely exploitable stack overflow.

DETAILS

By requesting:
http://target:9999/webdbm?Event=DBM_INTERN_TEST&Action=REFRESH

And looking at the 200 response we can determine the function offered by 
the request:

<body topmargin=0 leftmargin=0 marginwidth=0 marginheight=0 
background=/WARoot/Images/tatami.gif>
<a href="javascript:parent.GotoWebDBMURL(this, 
'Event=DBM_INTERN_TEST&Action=REFRESH')">Test</a><table 
style="font-family:courier new,monospace; font-size:8pt;" border=1 
cellspacing=0 cellpadding=1>
<tr><td>sapdbwa_GetRequestURI </td><td>/webdbm </td></tr>
<tr><td>sapdbwa_GetIfModifiedSince </td><td>NULL </td></tr>
<tr><td>sapdbwa_GetQueryString 
</td><td>Event=DBM_INTERN_TEST&Action=REFRESH </td></tr>
<tr><td>sapdbwa_GetPathInfo </td><td>NULL </td></tr>
<tr><td>sapdbwa_GetMethod </td><td>GET </td></tr>
<tr><td>sapdbwa_GetContentType </td><td>NULL </td></tr>
<tr><td>sapdbwa_GetContentLength </td><td>NULL </td></tr>
<tr><td>sapdbwa_GetPathTranslated </td><td>NULL </td></tr>
<tr><td>sapdbwa_GetServerName </td><td>NULL </td></tr>
<tr><td>AUTH_TYPE </td><td>NULL </td></tr>
<tr><td>CONTENT_LENGTH </td><td>NULL </td></tr>
<tr><td>CONTENT_TYPE </td><td>NULL </td></tr>
<tr><td>GATEWAY_INTERFACE </td><td>NULL </td></tr>
<tr><td>HTTP_ACCEPT </td><td>*/* </td></tr>
<tr><td>PATH_INFO </td><td>NULL </td></tr>
<tr><td>QUERY_STRING </td><td>NULL </td></tr>
<tr><td>REMOTE_ADDR </td><td>NULL </td></tr>
<tr><td>REMOTE_HOST </td><td>NULL </td></tr>
<tr><td>REMOTE_USER </td><td>NULL </td></tr>
<tr><td>REQUEST_METHOD </td><td>NULL </td></tr>
<tr><td>SCRIPT_NAME </td><td>NULL </td></tr>
<tr><td>SERVER_NAME </td><td>NULL </td></tr>
<tr><td>SERVER_PORT </td><td>NULL </td></tr>
<tr><td>SERVER_PROTOCOL </td><td>NULL </td></tr>
<tr><td>SERVER_SOFTWARE </td><td>NULL </td></tr>
<tr><td>HTTP_ACCEPT </td><td>*/* </td></tr>
<tr><td>HTTP_ACCEPT_CHARSET </td><td>NULL </td></tr>
<tr><td>HTTP_ACCEPT_ENCODING </td><td>NULL </td></tr>
<tr><td>HTTP_ACCEPT_LANGUAGE </td><td>NULL </td></tr>
<tr><td>HTTP_ACCEPT_RANGES </td><td>NULL </td></tr>
<tr><td>HTTP_AGE </td><td>NULL </td></tr>
<tr><td>HTTP_ALLOW </td><td>NULL </td></tr>
<tr><td>HTTP_AUTHORIZATION </td><td>NULL </td></tr>
<tr><td>HTTP_CACHE_CONTROL </td><td>NULL </td></tr>
<tr><td>HTTP_CONNECTION </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_ENCODING </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_LANGUAGE </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_LENGTH </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_LOCATION </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_MD5 </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_RANGE </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_TYPE </td><td>NULL </td></tr>
<tr><td>HTTP_DATE </td><td>NULL </td></tr>
<tr><td>HTTP_ETAG </td><td>NULL </td></tr>
<tr><td>HTTP_EXPECT </td><td>NULL </td></tr>
<tr><td>HTTP_EXPIRES </td><td>NULL </td></tr>
<tr><td>HTTP_FROM </td><td>NULL </td></tr>
<tr><td>HTTP_HOST </td><td>localhost </td></tr>
<tr><td>HTTP_IF_MATCH </td><td>NULL </td></tr>
<tr><td>HTTP_IF_MODIFIED_SINCE </td><td>NULL </td></tr>
<tr><td>HTTP_IF_NONE_MATCH </td><td>NULL </td></tr>
<tr><td>HTTP_IF_RANGE </td><td>NULL </td></tr>
<tr><td>HTTP_IF_UNMODIFIED_SINCE </td><td>NULL </td></tr>
<tr><td>HTTP_LAST_MODIFIED </td><td>NULL </td></tr>
<tr><td>HTTP_LOCATION </td><td>NULL </td></tr>
<tr><td>HTTP_MAX_FORWARDS </td><td>NULL </td></tr>
<tr><td>HTTP_PRAGMA </td><td>NULL </td></tr>
<tr><td>HTTP_PROXY_AUTHENTICATE </td><td>NULL </td></tr>
<tr><td>HTTP_PROXY_AUTHORIZATION </td><td>NULL </td></tr>
<tr><td>HTTP_RANGE </td><td>NULL </td></tr>
<tr><td>HTTP_REFERER </td><td>NULL </td></tr>
<tr><td>HTTP_RETRY_AFTER </td><td>NULL </td></tr>
<tr><td>HTTP_SERVER </td><td>NULL </td></tr>
<tr><td>HTTP_TE </td><td>NULL </td></tr>
<tr><td>HTTP_TRAILER </td><td>NULL </td></tr>
<tr><td>HTTP_TRANSFER_ENCODING </td><td>NULL </td></tr>
<tr><td>HTTP_UPGRADE </td><td>NULL </td></tr>
<tr><td>HTTP_USER_AGENT </td><td>NULL </td></tr>
<tr><td>HTTP_VARY </td><td>NULL </td></tr>
<tr><td>HTTP_VIA </td><td>NULL </td></tr>
<tr><td>HTTP_WARNING </td><td>NULL </td></tr>
<tr><td>HTTP_WWW_AUTHENTICATE </td><td>NULL </td></tr>
<tr><td>HTTP_COOKIE </td><td>SID=E63A7F73B20A5021442BAF3C8F70B97A 
</td></tr>
<tr><td>HTTP_SESSION_ID </td><td>NULL </td></tr>
<tr><td>Event </td><td>DBM_INTERN_TEST </td></tr>
<tr><td>Action </td><td>REFRESH </td></tr>
</table>
</body>

By making the request again, but not including the Cookie Value, or if one 
is not present, simply add it as an HTTP header request, we can cause a 
stack based overflow within WAHTTP.exe

The same Overflow can also be achieved in numerous other fields.

If we take the sapdbwa_GetQueryString, we can simply pass an additional 
parameter by  appending & + string


ADDITIONAL INFORMATION

The information has been provided by  <mailto:mark@ngssoftware.com> Mark 
Litchfield.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
<Prev in Thread]	Current Thread	[Next in Thread>
[NEWS] SAP DB Web Server Stack Overflow, SecuriTeam <=
Previous by Date:	[NT] Internet Communication Manager Denial Of Service Attack, SecuriTeam
Next by Date:	[NEWS] SAP Message Server Heap Overflow, SecuriTeam
Previous by Thread:	[NT] Internet Communication Manager Denial Of Service Attack, SecuriTeam
Next by Thread:	[NEWS] SAP Message Server Heap Overflow, SecuriTeam
Indexes:	[Date] [Thread] [Top] [All Lists]