Advisory Name : Multiple vulnerabilities in SAP Web Application Server Release Date : 2 November 2006 Application : SAP Web AS 6.40 < patch 136 and 7.00 < patch 66 Platform : All platforms (except the third vulnerability) Impacts : Remote file disclosure, remote DoS, local privilege escalation Author : Nicob <nicob at nicob.net> Vendor Status : Updated code is available to customers Vulnerabilities Description : ============================= The following vulnerabilities were found in the monitoring functionality of the SAP Web Application Server : 1) A remote file disclosure vulnerability allows reading any file to which the user that the SAP Web Application Server is running as had access. Under Windows, the service runs by default under the SAPServiceJ2E account. This account is member of the local administrator group. 2) A remote denial of service allows crashing the enserver.exe process. 3) A local privilege escalation vulnerability allows any local user to use the file disclosure vulnerability to access an user-controlled process via a named pipe and impersonate as user SAPServiceJ2E. The exploitation is possible only on Windows 2000 pre-SP4, Windows XP pre-SP2 and Windows NT. Technical Details : =================== Technical details will be released three months after publication of this pre-advisory. This was agreed upon with SAP to allow their clients to upgrade affected software prior to the technical knowledge been publicly available. Mitigations : ============= Vulnerability #1 : Restrict network access to TCP port 3200+SYSNR Vulnerability #2 : Restrict network access to TCP port 3200+SYSNR Vulnerability #3 : Disable local access to the server Solutions : =========== Apply patch 136 for version 6.40 or patch 66 for version 7.00 Note : the mentioned patch level refers to the enqueue server More details can be found in SAP notes 948457 and 959877