[ERPSCAN-18-005] HANA server memory disclosure

Application: SAP NetWeaver
Versions Affected: SAP HANA 1.0, 2.0 all versions
Vendor URL: SAP
Bugs: Information Disclosure
Reported: 05.10.2017
Vendor response: 06.10.2017
Date of Public Advisory: 13.02.2018
Reference: SAP Security Note 2572940
Author: Mathieu Geli (ERPScan)

VULNERABILITY INFORMATION

Class: Information Disclosure
Risk: Medium
Impact: Attacker could read content of arbitrary files on the remote server and expose sensitive data confidentiality
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS v3 Base Score: 5.3 / 10
CVSS v3 Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality Low (L)
I: Impact to Integrity None (N)
A: Impact to Availability None (N)

DESCRIPTION

An attacker can send a legitimate authentication packet to the SQL interface of the HANA server and receive a portion of the server process memory in the response.

BUSINESS RISK

An attacker can use an Information Disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps to learn about a system and plan further attacks.

VULNERABLE PACKAGES

SAP HANA 1.0, 2.0 all versions

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2572940.

TECHNICAL DESCRIPTION

hdbindexserver leaks 10 bytes of its memory when answering the first packets of the authentication exchange (the SCRAMSHA256 exchange, and then the next packet carrying the error message).

The packet looks like this (payload of the TCP layer); leaked bytes are marked 'XX':

The PoC hana_hdb_leak.py sniffs the network for TCP packets with source port 30015 and prints out those specific bytes. It requires scapy to be installed.

In parallel, you need to perform many authentication attempts against the remote HDB server.

Proof of Concept

sudo python hana_hdb_leak.py
and make many authentication requests to a HANA server on port 30015 from the same host where hana_hdb_leak.py was launched. The printable bytes of the memory disclosed by the server are printed in the terminal. Here is a screenshot of a result:
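Because the leak only yields 10 bytes per authentication exchange, the technique described above depends on a large volume of authentication attempts against port 30015. That volume is the observable a defender can watch for. The following is an added example, not the advisory's PoC nor any SAP tooling: it parses a hypothetical one-line-per-event connection log (the format, the field names, the sample addresses and the 20-failures-per-minute threshold are all assumptions constructed for this example) and flags source hosts that exceed a threshold of failed authentications to the HANA SQL port within a sliding time window.

```python
"""Added detection example (not part of the ERPScan advisory or its PoC).

Flags source hosts making many failed authentications to the HANA SQL port
(30015, the port named in the advisory) inside a sliding window. The log
format is a hypothetical one constructed for this example, not SAP's own.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

HANA_SQL_PORT = 30015         # SQL port named in the advisory
THRESHOLD = 20                # assumed tuning value: failed auths per window before alerting
WINDOW = timedelta(seconds=60)

# Hypothetical log line: "<ISO timestamp> src=<ip> dport=<port> auth=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dport=(?P<dport>\d+) auth=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return (timestamp, src_ip, dport, result), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m.group("ts")), m.group("src"),
            int(m.group("dport")), m.group("result"))


def find_auth_bursts(lines, threshold=THRESHOLD, window=WINDOW, port=HANA_SQL_PORT):
    """Return {src_ip: time_of_first_alert} for every source that reaches
    `threshold` failed authentications to `port` within any `window`-long span."""
    # Sort by timestamp so out-of-order input does not break the sliding window.
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)   # src -> timestamps of its recent failures
    alerts = {}
    for ts, src, dport, result in events:
        if dport != port or result != "fail":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def constructed_sample_log():
    """Constructed sample: one host making 25 failed auths in 25 seconds,
    one ordinary client with two failures, and a failure on an unrelated port."""
    base = datetime(2018, 2, 13, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} src=10.0.0.99 dport=30015 auth=fail"
             for i in range(25)]
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} src=10.0.0.7 dport=30015 auth=fail")
    lines.append(f"{(base + timedelta(seconds=9)).isoformat()} src=10.0.0.7 dport=30015 auth=ok")
    lines.append(f"{(base + timedelta(seconds=12)).isoformat()} src=10.0.0.7 dport=30015 auth=fail")
    lines.append(f"{(base + timedelta(seconds=13)).isoformat()} src=10.0.0.50 dport=22 auth=fail")
    lines.append("malformed line that the parser should skip")
    return lines


if __name__ == "__main__":
    for src, when in find_auth_bursts(constructed_sample_log()).items():
        print(f"ALERT: {src} reached {THRESHOLD} failed HANA authentications by {when.isoformat()}")
```

The per-source deque keeps only failures inside the window, so memory stays bounded on a busy log, and the threshold is deliberately a parameter: in an environment with many legitimate clients on 30015 it should be tuned from a baseline rather than taken from this example.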