SAP DB Web Server Stack Overflow

2007.07.10
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


Ogólna skala CVSS: 7.5/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

======= Summary ======= Name: SAP DB Web Server Stack Overflow Release Date: 5 July 2007 Reference: NGS00486 Discover: Mark Litchfield <mark (at) ngssoftware (dot) com [email concealed]> Vendor: SAP Vendor Reference: SECRES-291 Systems Affected: All Versions Risk: Critical Status: Fixed ======== TimeLine ======== Discovered: 3 January 2007 Released: 19 January 2007 Approved: 29 January 2007 Reported: 11 January 2007 Fixed: 27 March 2007 Published: =========== Description =========== SAP DB is an open source database server sponsored by SAP AG that provides a series of web tools to administer database servers via web browsers. These tools can be integrated into third-party web servers such as IIS, or run on its own web server which by default is installed to TCP Port 9999. When installed as its own web server, the process waHTTP.exe is found to be listening on TCP Port 9999. ================= Technical Details ================= http://target:9999/webdbm?Event=DBM_INTERN_TEST&Action=REFRESH Looking at the 200 response we can determine the function offered by the request: ****************************************** <body topmargin=0 leftmargin=0 marginwidth=0 marginheight=0 background=/WARoot/Images/tatami.gif> <a href="javascript:parent.GotoWebDBMURL(this, 'Event=DBM_INTERN_TEST&Action=REFRESH')">Test</a><table style="font-family:courier new,monospace; font-size:8pt;" border=1 cellspacing=0 cellpadding=1> <tr><td>sapdbwa_GetRequestURI </td><td>/webdbm </td></tr> <tr><td>sapdbwa_GetIfModifiedSince </td><td>NULL </td></tr> <tr><td>sapdbwa_GetQueryString </td><td>Event=DBM_INTERN_TEST&Actio n=REFRESH </td></tr> <tr><td>sapdbwa_GetPathInfo </td><td>NULL </td></tr> <tr><td>sapdbwa_GetMethod </td><td>GET </td></tr> <tr><td>sapdbwa_GetContentType </td><td>NULL </td></tr> <tr><td>sapdbwa_GetContentLength </td><td>NULL </td></tr> <tr><td>sapdbwa_GetPathTranslated </td><td>NULL </td></tr> <tr><td>sapdbwa_GetServerName </td><td>NULL </td></tr> <tr><td>AUTH_TYPE </td><td>NULL </td></tr> <tr><td>CONTENT_LENGTH </td><td>NULL </td></tr> <tr><td>CONTENT_TYPE </td><td>NULL </td></tr> <tr><td>GATEWAY_INTERFACE </td><td>NULL </td></tr> <tr><td>HTTP_ACCEPT </td><td>*/* </td></tr> <tr><td>PATH_INFO </td><td>NULL </td></tr> <tr><td>QUERY_STRING </td><td>NULL </td></tr> <tr><td>REMOTE_ADDR </td><td>NULL </td></tr> <tr><td>REMOTE_HOST </td><td>NULL </td></tr> <tr><td>REMOTE_USER </td><td>NULL </td></tr> <tr><td>REQUEST_METHOD </td><td>NULL </td></tr> <tr><td>SCRIPT_NAME </td><td>NULL </td></tr> <tr><td>SERVER_NAME </td><td>NULL </td></tr> <tr><td>SERVER_PORT </td><td>NULL </td></tr> <tr><td>SERVER_PROTOCOL </td><td>NULL </td></tr> <tr><td>SERVER_SOFTWARE </td><td>NULL </td></tr> <tr><td>HTTP_ACCEPT </td><td>*/* </td></tr> <tr><td>HTTP_ACCEPT_CHARSET </td><td>NULL </td></tr> <tr><td>HTTP_ACCEPT_ENCODING </td><td>NULL </td></tr> <tr><td>HTTP_ACCEPT_LANGUAGE </td><td>NULL </td></tr> <tr><td>HTTP_ACCEPT_RANGES </td><td>NULL </td></tr> <tr><td>HTTP_AGE </td><td>NULL </td></tr> <tr><td>HTTP_ALLOW </td><td>NULL </td></tr> <tr><td>HTTP_AUTHORIZATION </td><td>NULL </td></tr> <tr><td>HTTP_CACHE_CONTROL </td><td>NULL </td></tr> <tr><td>HTTP_CONNECTION </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_ENCODING </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_LANGUAGE </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_LENGTH </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_LOCATION </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_MD5 </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_RANGE </td><td>NULL </td></tr> <tr><td>HTTP_CONTENT_TYPE </td><td>NULL </td></tr> <tr><td>HTTP_DATE </td><td>NULL </td></tr> <tr><td>HTTP_ETAG </td><td>NULL </td></tr> <tr><td>HTTP_EXPECT </td><td>NULL </td></tr> <tr><td>HTTP_EXPIRES </td><td>NULL </td></tr> <tr><td>HTTP_FROM </td><td>NULL </td></tr> <tr><td>HTTP_HOST </td><td>localhost </td></tr> <tr><td>HTTP_IF_MATCH </td><td>NULL </td></tr> <tr><td>HTTP_IF_MODIFIED_SINCE </td><td>NULL </td></tr> <tr><td>HTTP_IF_NONE_MATCH </td><td>NULL </td></tr> <tr><td>HTTP_IF_RANGE </td><td>NULL </td></tr> <tr><td>HTTP_IF_UNMODIFIED_SINCE </td><td>NULL </td></tr> <tr><td>HTTP_LAST_MODIFIED </td><td>NULL </td></tr> <tr><td>HTTP_LOCATION </td><td>NULL </td></tr> <tr><td>HTTP_MAX_FORWARDS </td><td>NULL </td></tr> <tr><td>HTTP_PRAGMA </td><td>NULL </td></tr> <tr><td>HTTP_PROXY_AUTHENTICATE </td><td>NULL </td></tr> <tr><td>HTTP_PROXY_AUTHORIZATION </td><td>NULL </td></tr> <tr><td>HTTP_RANGE </td><td>NULL </td></tr> <tr><td>HTTP_REFERER </td><td>NULL </td></tr> <tr><td>HTTP_RETRY_AFTER </td><td>NULL </td></tr> <tr><td>HTTP_SERVER </td><td>NULL </td></tr> <tr><td>HTTP_TE </td><td>NULL </td></tr> <tr><td>HTTP_TRAILER </td><td>NULL </td></tr> <tr><td>HTTP_TRANSFER_ENCODING </td><td>NULL </td></tr> <tr><td>HTTP_UPGRADE </td><td>NULL </td></tr> <tr><td>HTTP_USER_AGENT </td><td>NULL </td></tr> <tr><td>HTTP_VARY </td><td>NULL </td></tr> <tr><td>HTTP_VIA </td><td>NULL </td></tr> <tr><td>HTTP_WARNING </td><td>NULL </td></tr> <tr><td>HTTP_WWW_AUTHENTICATE </td><td>NULL </td></tr> <tr><td>HTTP_COOKIE </td><td>SID=E63A7F73B20A5021442BAF3C8F70B97A&n bsp;</td></tr> <tr><td>HTTP_SESSION_ID </td><td>NULL </td></tr> <tr><td>Event </td><td>DBM_INTERN_TEST </td></tr> <tr><td>Action </td><td>REFRESH </td></tr> </table> </body> ****************************************************** By making the request again, but ammeding the Cookie Value, or if one is not prersent, simply add it as an HTTP header request, we can cause a stack based overflow within WAHTTP.exe The same Overflow can also be achieved in numerous other fields. If we take the sapdbwa_GetQueryString, we can simply pass an additional parameter by appending & + string =============== Fix Information =============== Please ensure you are running the latest version NGSSoftware Insight Security Research http://www.ngssoftware.com/ http://www.databasesecurity.com/ http://www.nextgenss.com/ +44(0)208 401 0070


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top