SecuriTeam - SAP Message Server Heap Overflow

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

The Message Server is "a service used by the different applications servers to exchange data and internal messages. It is also used for license checking and workload balancing together with the SAP logon utility". A vulnerability in the SAP Message Server allows remote attackers to cause the service to crash by overflowing a heap buffer.

Credit:
The information has been provided by Mark Litchfield.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

The Message Server can found to be listening on the following default TCP Ports:
Message Server - 3600
Message Server HTTP - 8100
Message Server HTTPS - No Default

Note: All the Message Server available ports share the same PID

Depending on the number of instances that have been installed, the Message Server can be found to listen on other PORTS. The PORT allocation follows the rule of incorporating the instance number to generate the TCP port allocation (<NN>). Examples are

Message Server - 36<NN>
Message Server HTTP - 81<NN>
Message Server HTTPS (if installed) - 444<NN>

Technical Details:
In this particular attack, we are targeting the Message HTTP Server in an unauthenticated state. As can be seen from the example below, we are sending a GET request to the Message Server listening on (in this case) TCP Port 8100, passing a Parameter of Group to the URL /msgserver/html/group with a value of 498 bytes. Sending such a request will cause a write access violation to your specified string value. For example using a lower case x would be an access violation writing to location 0x78787878.

GET /msgserver/html/group?group=**498 bytes** HTTP/1.0
Accept: */*
Accept-Language: en-us
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
CLR 1.1.4322; .NET CLR 2.0.50727)
Host: sapserver:8100
Proxy-Connection: Keep-Alive

Whilst this bug allows the remote unauthenticated execution of arbitrary code (running as SYSTEM on Windows), as can be determined by the functionality of this service, within a business environment, the termination of this process can have dire effects to the operation of SAP and its components.

	SugarCRM Online Document Cross-Site Scripting (XSS) Vulnerability
	Skype URI Processing Arbitrary XML File Deletion Vulnerability
	Skype Protocol Handler Datapath Argument Injection Credential Disclosure Vulnerability
	LedgerSMB Multiple Vulnerabilities
	Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability
	Piwik Cookie Unserialize Vulnerability
	Invision Power Board SQL PHP File Inclusion and SQL Injection
	U.S. Defense Information Systems Agency (DISA) Unix Security Readiness Review (SRR) Vulnerability
	DevIL DICOM Buffer Overflow Vulnerability
	Marvell Driver Multiple Information Element Overflows
	HP Data Protector Express and Single Server Edition (SSE) DoS and Code Execution
	HP Color LaserJet Printers Unauthorized Access to Data and DoS
	KDE KDELibs Remote Array Overrun with Arbitrary Code Execution
	Gimp BMP Image Parsing Integer Overflow Vulnerability
	Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation