======= Summary ======= Name: SAP DB Web Server Stack Overflow Release Date: 5 July 2007 Reference: NGS00486 Discover: Mark Litchfield <mark (at) ngssoftware (dot) com [email concealed]> Vendor: SAP Vendor Reference: SECRES-291 Systems Affected: All Versions Risk: Critical Status: Fixed ======== TimeLine ======== Discovered: 3 January 2007 Released: 19 January 2007 Approved: 29 January 2007 Reported: 11 January 2007 Fixed: 27 March 2007 Published: =========== Description =========== SAP DB is an open source database server sponsored by SAP AG that provides a series of web tools to administer database servers via web browsers. These tools can be integrated into third-party web servers such as IIS, or run on its own web server which by default is installed to TCP Port 9999. When installed as its own web server, the process waHTTP.exe is found to be listening on TCP Port 9999. ================= Technical Details ================= http://target:9999/webdbm?Event=DBM_INTERN_TEST&Action=REFRESH Looking at the 200 response we can determine the function offered by the request: ****************************************** <body topmargin=0 leftmargin=0 marginwidth=0 marginheight=0 background=/WARoot/Images/tatami.gif> <a href="javascript:parent.GotoWebDBMURL(this, 'Event=DBM_INTERN_TEST&Action=REFRESH')">Test</a><table style="font-family:courier new,monospace; font-size:8pt;" border=1 cellspacing=0 cellpadding=1> <tr><td>sapdbwa_GetRequestURI </td><td>/webdbm </td></tr> <tr><td>sapdbwa_GetIfModifiedSince </td><td>NULL </td></tr> <tr><td>sapdbwa_GetQueryString </td><td>Event=DBM_INTERN_TEST&Actio n=REFRESH </td></tr> <tr><td>sapdbwa_GetPathInfo </td><td>NULL </td></tr> <tr><td>sapdbwa_GetMethod </td><td>GET </td></tr> <tr><td>sapdbwa_GetContentType </td><td>NULL </td></tr> <tr><td>sapdbwa_GetContentLength </td><td>NULL </td></tr> <tr><td>sapdbwa_GetPathTranslated </td><td>NULL </td></tr> <tr><td>sapdbwa_GetServerName </td><td>NULL </td></tr> <tr><td>AUTH_TYPE </td><td>NULL </td></tr> <tr><td>CONTENT_LENGTH </td><td>NULL </td></tr> <tr><td>CONTENT_TYPE </td><td>NULL </td></tr> <tr><td>GATEWAY_INTERFACE </td><td>NULL </td></tr> <tr><td>HTTP_ACCEPT </td><td>*/* </td></tr> <tr><td>PATH_INFO </td><td>NULL </td></tr> <tr><td>QUERY_STRING </td><td>NULL </td></tr> <tr><td>REMOTE_ADDR </td><td>NULL </td></tr> <tr><td>REMOTE_HOST </td><td>NULL </td></tr> <tr><td>REMOTE_USER </td><td>NULL </td></tr> <tr><td>REQUEST_METHOD </td><td>NULL </td></tr> <tr><td>SCRIPT_NAME </td><td>NULL </td></tr> <tr><td>SERVER_NAME </td><td>NULL </td></tr> <tr><td>SERVER_PORT </td><td>NULL </td></tr> <tr><td>SERVER_PROTOCOL </td><td>NULL </td></tr> <tr><td>SERVER_SOFTWARE </td><td>NULL </td></tr> <tr><td>HTTP_ACCEPT </td><td>*/* </td></tr> <tr><td>HTTP_ACCEPT_CHARSET </td><td>NULL </td></tr> <tr><td>HTTP_ACCEPT_ENCODING </td><td>NULL </td></tr> <tr><td>HTTP_ACCEPT_LANGUAGE </td><td>NULL </td></tr> <tr><td>HTTP_ACCEPT_RANGES </td><td>NULL </td></tr> <tr><td>HTTP_AGE </td><td>NULL </td></tr> <tr><td>HTTP_ALLOW </td><td>NULL </td></tr> <tr><td>HTTP_AUTHORIZATION </td><td>NULL </td></tr> <tr><td>HTTP_CACHE_CONTROL </td><td>NULL </td></tr> <tr><td>HTTP_CONNECTION </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_ENCODING </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_LANGUAGE </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_LENGTH </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_LOCATION </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_MD5 </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_RANGE </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_TYPE </td><td>NULL </td></tr> <tr><td>HTTP_DATE </td><td>NULL </td></tr> <tr><td>HTTP_ETAG </td><td>NULL </td></tr> <tr><td>HTTP_EXPECT </td><td>NULL </td></tr> <tr><td>HTTP_EXPIRES </td><td>NULL </td></tr> <tr><td>HTTP_FROM </td><td>NULL </td></tr> <tr><td>HTTP_HOST </td><td>localhost </td></tr> <tr><td>HTTP_IF_MATCH </td><td>NULL </td></tr> <tr><td>HTTP_IF_MODIFIED_SINCE </td><td>NULL </td></tr> <tr><td>HTTP_IF_NONE_MATCH </td><td>NULL </td></tr> <tr><td>HTTP_IF_RANGE </td><td>NULL </td></tr> <tr><td>HTTP_IF_UNMODIFIED_SINCE </td><td>NULL </td></tr> <tr><td>HTTP_LAST_MODIFIED </td><td>NULL </td></tr> <tr><td>HTTP_LOCATION </td><td>NULL </td></tr> <tr><td>HTTP_MAX_FORWARDS </td><td>NULL </td></tr> <tr><td>HTTP_PRAGMA </td><td>NULL </td></tr> <tr><td>HTTP_PROXY_AUTHENTICATE </td><td>NULL </td></tr> <tr><td>HTTP_PROXY_AUTHORIZATION </td><td>NULL </td></tr> <tr><td>HTTP_RANGE </td><td>NULL </td></tr> <tr><td>HTTP_REFERER </td><td>NULL </td></tr> <tr><td>HTTP_RETRY_AFTER </td><td>NULL </td></tr> <tr><td>HTTP_SERVER </td><td>NULL </td></tr> <tr><td>HTTP_TE </td><td>NULL </td></tr> <tr><td>HTTP_TRAILER </td><td>NULL </td></tr> <tr><td>HTTP_TRANSFER_ENCODING </td><td>NULL </td></tr> <tr><td>HTTP_UPGRADE </td><td>NULL </td></tr> <tr><td>HTTP_USER_AGENT </td><td>NULL </td></tr> <tr><td>HTTP_VARY </td><td>NULL </td></tr> <tr><td>HTTP_VIA </td><td>NULL </td></tr> <tr><td>HTTP_WARNING </td><td>NULL </td></tr> <tr><td>HTTP_WWW_AUTHENTICATE </td><td>NULL </td></tr> <tr><td>HTTP_COOKIE </td><td>SID=E63A7F73B20A5021442BAF3C8F70B97A&n bsp;</td></tr> <tr><td>HTTP_SESSION_ID </td><td>NULL </td></tr> <tr><td>Event </td><td>DBM_INTERN_TEST </td></tr> <tr><td>Action </td><td>REFRESH </td></tr> </table> </body> ****************************************************** By making the request again, but ammeding the Cookie Value, or if one is not prersent, simply add it as an HTTP header request, we can cause a stack based overflow within WAHTTP.exe The same Overflow can also be achieved in numerous other fields. If we take the sapdbwa_GetQueryString, we can simply pass an additional parameter by appending & + string =============== Fix Information =============== Please ensure you are running the latest version NGSSoftware Insight Security Research http://www.ngssoftware.com/ http://www.databasesecurity.com/ http://www.nextgenss.com/ +44(0)208 401 0070