'SAP Internet Transaction Server'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    SAP Internet Transaction Server
From:       Martin Eiszner <martin () websec ! org>
Date:       2003-08-30 10:32:42
[Download RAW message or body]


To the List,


*******************************************************************************************
                
*******************************************************************************************
                
*******************************************************************************************



============================================================
SEC-CONSULT Security REPORT SAP Internet Transcaction Server
======================OOOOOOOOOOOO==========================

Product:        ITS ITS, Version 4620.2.0.323011, Build 46B.323011 (win32/IIS 5.0)

Vulnerablities:

- Path/information disclosure
- Directory traversal
- Filename truncation
- Arbitrary file disclosure
- Cross site scripting/Cookie Theft

Vuln.-Classes:  Check out http://www.owasp.org/asac/ for more detailed information on \
                "Attack Components"
Vendor:         SAP (http://www.sap.com/)
Vendor-Status:  vendor contacted (02.08.2003)
Vendor-Patchs:  SAP advice 598074,595383 and 654038

Object: wgate.dll

Exploitable:
Local:          ---
Remote:         YES

============
Introduction
============

Visit "http://www.sap.com" for additional information.


=====================
Vulnerability Details
=====================


1) DIRECTORY/INFO DISCLOSURE
============================

OBJECT:
wgate.dll (win32 CGI-Communication binary)

DESCRIPTION:
Insufficient input- and output validation on miscellaneous userinput allows the \
insertion of non existing values for the following user supplied paramters:

##################
~service
~templatelanguage
~language
~theme
~template
##################

Thus leading to several unwanted error messages which may include sensitive \
information on operating-system, software version a nd the directory structure of the \
attacked server.

EXAMPLE:
---*---
Http-Request:
http://www.server.name/scripts/wgate/pbw2/!?

with params:
~runtimemode=DM&
~language=en&
~theme=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&
---*---

REMARKS:
It might be possible that "~template" is an undocumented or forgotten variable (NOT \
confirmed).



2) ARBITRARY FILE DISCLOSURE (Directory Traversal / File Truncation)
====================================================================

OBJECT:
wgate.dll (win32 CGI-Communication binary)

DESCRIPTION:

EXAMPLE:
---*---
Http-Request:
http://www.server.name/scripts/wgate/pbw2/!?

with params:
~language=en&
~runtimemode=DM&
~templatelanguage=&
~language=en&
~theme=..\..&
~template=services\global.srvc++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 ++
---*---

(where "+" stands for spaces "%20" uri encoded).

Above will respond with the global server configuration file "global.srvc" on an ITS \
default-installation.

Normally the default-template extension (.html ?) gets concatenated to the rest of \
the template information. Most probably somebody wanted to avoid a possible \
Bufferoverflow by truncating the input values if they exceed a given length. Thus \
making it possible to shed the ".html" extension.

For some strange reason now and then the program responds with an error-message \
instead of giving out the requested file. This might be due to unwanted?/additional? \
HTTP-Request-Header infos (NOT confirmed).

REMARKS:

The global configuration file "global.srvc" contains username and des-encrypted \
                password
---*---
~password       des26(2c94f116f4393f3d)
~login          Master
---*---

A good DES-cracker should be able to crack this password-hash either by using \
wordlistst or by brute-force methods (NOT confirm ed).


3) CROSS SITE SCRIPTING / COOKIE THEFT
======================================

OBJECT:
wgate.dll (win32 CGI-Communication binary)

DESCRIPTION:
Insufficient input- and output validation on miscellaneous userinput-parameters \
enables insertion of html/client side scripting  tags.

EXAMPLE:
---*---
Http-Request:
http://www.server.name/scripts/wgate.dll?

with params:
~service=--><img%09src=javascript:alert(1)%3bcrap
---*---

REMARKS:
Due to excessive usage of cookies for managing sessions and/or states cookie-theft is \
very likely. There might be several other location where html/scripting tags can be \
inserted (NOT confirmed).


===============
GENERAL REMARKS
===============

Above findings derive from an external(black box) security test.
we would like to apologize in advance for potential nonconformities and/or known \
issues.


====================
Recommended Hotfixes
====================

Vendor-Patches: SAP advice 598074,595383 and 654038


EOF Martin Eiszner / @2003m.eiszner@sec-consult.com


=======
Contact
=======

SEC-CONSULT
Austria / EUROPE

0043 699 12177237
m.eiszner@sec-consult.com
http://www.sec-consult.com


*******************************************************************************************
                
*******************************************************************************************
                
*******************************************************************************************



-- 
Martin Eiszner / SEC-CONSULT
Austria / EUROPE

m.eiszner@sec-consult.com
http://www.sec-consult.com
http://www.websec.org
tel: 0043 699 121772 37


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic