SAP Internet Graphics Service HTTP Request Denial-of-Service Vulnerability

Vulnerability ID: 1193836    Vulnerability type: Buffer overflow
Published: 2006-08-10    Updated: 2007-07-05
CVE ID: CVE-2006-4133    CNNVD-ID: CNNVD-200608-219
Platform: N/A    CVSS score: 7.5
|Vulnerability source
https://www.securityfocus.com/bid/19470
https://cxsecurity.com/issue/WLB-2006080095
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-219
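|Vulnerability details
Internet Graphics Server (IGS) is a component of the SAP R/3 enterprise environment that provides graphics services. The IGS web application server is installed by default, and a remote attacker can trigger an overflow by sending a specially crafted HTTP request. On successful exploitation, the attacker obtains SAP system administrator privileges in UNIX environments and system privileges on Windows systems.
|Vulnerability EXP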
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Remote_Buffer_Overflow.pdf )

CYBSEC S.A.
www.cybsec.com

Pre-Advisory Name: SAP Internet Graphics Service (IGS) Remote Buffer Overflow
==================

Vulnerability Class: Buffer Overflow
====================

Release Date: 08/10/2006
=============

Affected Applications:
======================
* SAP IGS 6.40 Patchlevel <= 15
* SAP IGS 7.00 Patchlevel <= 3

Affected Platforms:
===================
* AIX 64 bits
* HP-UX on IA64 64bit
* HP-UX on PA-RISC 64bit
* Linux on IA32 32bit
* Linux on IA64 64bit
* Linux on Power 64bit
* Linux on x86_64 64bit
* Linux on zSeries 64bit
* OS/400 V5R2M0
* Solaris on SPARC 64bit
* TRU64 64bit
* Windows Server on IA32 32bit
* Windows Server on IA64 64bit
* Windows Server on x64 64bit

Local / Remote: Remote
===============

Severity: High
=========

Author: Mariano Nuñez Di Croce
=======

Vendor Status:
==============
* Confirmed, update released.

Reference to Vulnerability Disclosure Policy:
=============================================
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
==================
"The IGS provides a server architecture where data from an SAP System or other sources can be used to generate graphical or non-graphical output."

It is important to note that IGS is installed and activated by default with the Web Application Server (versions >= 6.30).

Vulnerability Description:
==========================
A specially crafted HTTP request can trigger a remote buffer overflow in SAP IGS service.

Technical Details:
==================
Technical details will be released three months after publication of this pre-advisory. This was agreed upon with SAP to allow their customers to upgrade affected software prior to technical knowledge being publicly available.

Impact:
=======
Under UNIX systems, successful exploitation of this vulnerability may allow an attacker to execute remote code with the privileges of the SAP System Administrator account (<SID>adm), allowing him to take full control of the SAP system installation.

Under Microsoft Windows systems, successful exploitation of this vulnerability may allow an attacker to execute remote code with the privileges of the LocalSystem account, allowing him to take full control of the entire system.

Solutions:
==========
SAP has released patches to address this vulnerability. Affected customers should apply the patches immediately.
More information can be found on SAP Note 968423.

Vendor Response:
================
* 06/02/2006: Initial Vendor Contact.
* 06/09/2006: Vendor Confirmed Vulnerability.
* 07/03/2006: Vendor Releases Update for version 6.40.
* 07/13/2006: Vendor Releases Update for version 7.00.
* 08/10/2006: Pre-Advisory Public Disclosure.

Special Thanks:
===============
Thanks go to Carlos Diaz and Victor Montero.

Contact Information:
====================
For more information regarding the vulnerability feel free to contact the author at mnunez {at} cybsec.com. Please bear in mind that technical details will be disclosed to the general public three months after the release of this pre-advisory.

For more information regarding CYBSEC: www.cybsec.com
(c) 2006 - CYBSEC S.A. Security Systems
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFE238ybbZGNCayCJkRAuKFAJ4x9eiykQZS7EvtjXBpZ41ibsKT4ACgqi8g
5Yqr42pvuNEnNohuAqhUfiQ=
=47q+
-----END PGP SIGNATURE-----
|Affected products
SAP Internet Graphics Server 6.40 Patch 11
SAP Internet Graphics Server 6.40
SAP Internet Graphics Server 7.00 Patch 3
SAP Internet Graphics Server 6.40 Patch 15
|References

Source: US-CERT
Name: VU#259540
Link: http://www.kb.cert.org/vuls/id/259540
Source: XF
Name: sap-igs-http-bo(28334)
Link: http://xforce.iss.net/xforce/xfdb/28334
Source: BID
Name: 19470
Link: http://www.securityfocus.com/bid/19470
Source: BUGTRAQ
Name: 20070118 CYBSEC - Security Advisory: SAP Internet Graphics Service (IGS) Remote Buffer Overflow
Link: http://www.securityfocus.com/archive/1/archive/1/457286/100/0/threaded
Source: BUGTRAQ
Name: 20060810 CYBSEC - Security Pre-Advisory: SAP Internet Graphics Service (IGS) Remote Buffer Overflow
Link: http://www.securityfocus.com/archive/1/archive/1/442840/100/0/threaded
Source: VUPEN
Name: ADV-2006-3267
Link: http://www.frsirt.com/english/advisories/2006/3267
Source: MISC
Link: http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Remote_Buffer_Overflow.pdf
Source: SECTRACK
Name: 1017534
Link: http://securitytracker.com/id?1017534
Source: SECTRACK
Name: 1016675
Link: http://securitytracker.com/id?1016675
Source: SECUNIA
Name: 21448
Link: http://secunia.com/advisories/21448
Source: BUGTRAQ
Name: 20070705 SAP Internet Graphics Server XSS and Heap Overflow
Link: http://www.secu