The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
SAP Message Server Heap Overflow
------------------------------------------------------------------------
SUMMARY
The Message Server is "a service used by the different applications
servers to exchange data and internal messages. It is also used for
license checking and workload balancing together with the SAP logon
utility". A vulnerability in the SAP Message Server allows remote
attackers to cause the service to crash by overflowing a heap buffer.
DETAILS
The Message Server can found to be listening on the following default TCP
Ports:
Message Server - 3600
Message Server HTTP - 8100
Message Server HTTPS - No Default
Note: All the Message Server available ports share the same PID
Depending on the number of instances that have been installed, the Message
Server can be found to listen on other PORTS. The PORT allocation follows
the rule of incorporating the instance number to generate the TCP port
allocation (<NN>). Examples are
Message Server - 36<NN>
Message Server HTTP - 81<NN>
Message Server HTTPS (if installed) - 444<NN>
Technical Details:
In this particular attack, we are targeting the Message HTTP Server in an
unauthenticated state. As can be seen from the example below, we are
sending a GET request to the Message Server listening on (in this case)
TCP Port 8100, passing a Parameter of Group to the URL
/msgserver/html/group with a value of 498 bytes. Sending such a request
will cause a write access violation to your specified string value. For
example using a lower case x would be an access violation writing to
location 0x78787878.
GET /msgserver/html/group?group=**498 bytes** HTTP/1.0
Accept: */*
Accept-Language: en-us
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
CLR 1.1.4322; .NET CLR 2.0.50727)
Host: sapserver:8100
Proxy-Connection: Keep-Alive
Whilst this bug allows the remote unauthenticated execution of arbitrary
code (running as SYSTEM on Windows), as can be determined by the
functionality of this service, within a business environment, the
termination of this process can have dire effects to the operation of SAP
and its components.
ADDITIONAL INFORMATION
The information has been provided by <mailto:mark@ngssoftware.com> Mark
Litchfield.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
