exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

NGS-sapmes-heap.txt

NGS-sapmes-heap.txt
Posted Jul 7, 2007
Authored by Mark Litchfield | Site ngssoftware.com

The SAP Message Server suffers from a heap overflow vulnerability.

tags | exploit, overflow
SHA-256 | f0067ae9b255a470a410cce57416f08c6a0878c3437509ae1415b1141910ec3c

NGS-sapmes-heap.txt

Change Mirror Download
=======
Summary
=======
Name: SAP Message Server Heap Overflow
Release Date: 5 July 2007
Reference: NGS00485
Discover: Mark Litchfield <mark@ngssoftware.com>
Vendor: SAP
Vendor Reference: SECRES-292
Systems Affected: All Versions
Risk: Critical
Status: Fixed

========
TimeLine
========
Discovered: 4 January 2007
Released: 19 January 2007
Approved: 29 January 2007
Reported: 11 January 2007
Fixed: 2 May 2007
Published:

===========
Description
===========
The Message Server is a service used by the different applications servers
to exchange data and internal messages. It is also used for licence
checking and workload balancing together with the SAP logon utility.

The Message Server can found to be listening on the following default TCP
Ports:

Message Server - 3600
Message Server HTTP - 8100
Message Server HTTPS - No Default

Note: All the Message Server available ports share the same PID

Depending on the number of instances that have been installed, the Message
Server can be found to listen on other PORTS. The PORT allocation follows
the rule of incorporating the instance number to generate the TCP port
allocation (<NN>). Examples are

Message Server - 36<NN>
Message Server HTTP - 81<NN>
Message Server HTTPS (if installed) - 444<NN>

=================
Technical Details
=================
In this particular attack, we are targeting the Message HTTP Server in an
unauthenticated state. As can be seen from the example below, we are
sending a GET request to the Message Server listening on (in this case)
TCP Port 8100, passing a Parameter of Group to the URL
/msgserver/html/group with a value of 498 bytes. Sending such a request
will cause a write access violation to your specified string value. For
example using a lower case x would be an access violation writing to
location 0x78787878.

GET /msgserver/html/group?group=**498 bytes** HTTP/1.0
Accept: */*
Accept-Language: en-us
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
CLR 1.1.4322; .NET CLR 2.0.50727)
Host: sapserver:8100
Proxy-Connection: Keep-Alive

Whilst this bug allows the remote unauthenticated execution of arbitrary
code (running as SYSTEM on Windows), as can be determined by the
functionality of this service, within a business environment, the
termination of this process can have dire effects to the operation of SAP
and its components.

===============
Fix Information
===============
Please ensure you have the latest version

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close