======= Summary =======

Name: SAP DB Web Server Stack Overflow
Release Date: 5 July 2007
Reference: NGS00486
Discoverer: Mark Litchfield
Vendor: SAP
Vendor Reference: SECRES-291
Systems Affected: All Versions
Risk: Critical
Status: Fixed

======== TimeLine ========

Discovered: 3 January 2007
Released: 19 January 2007
Approved: 29 January 2007
Reported: 11 January 2007
Fixed: 27 March 2007
Published:

=========== Description ===========

SAP DB is an open source database server sponsored by SAP AG that provides a series of web tools to administer database servers via web browsers. These tools can be integrated into third-party web servers such as IIS, or run on SAP DB's own web server, which by default is installed on TCP port 9999. When installed as its own web server, the process waHTTP.exe is found listening on TCP port 9999.

================= Technical Details =================

http://target:9999/webdbm?Event=DBM_INTERN_TEST&Action=REFRESH

Looking at the 200 response, we can determine the function offered by the request:

******************************************
Test
sapdbwa_GetRequestURI /webdbm 
sapdbwa_GetIfModifiedSince NULL 
sapdbwa_GetQueryString Event=DBM_INTERN_TEST&Action=REFRESH 
sapdbwa_GetPathInfo NULL 
sapdbwa_GetMethod GET 
sapdbwa_GetContentType NULL 
sapdbwa_GetContentLength NULL 
sapdbwa_GetPathTranslated NULL 
sapdbwa_GetServerName NULL 
AUTH_TYPE NULL 
CONTENT_LENGTH NULL 
CONTENT_TYPE NULL 
GATEWAY_INTERFACE NULL 
HTTP_ACCEPT */* 
PATH_INFO NULL 
QUERY_STRING NULL 
REMOTE_ADDR NULL 
REMOTE_HOST NULL 
REMOTE_USER NULL 
REQUEST_METHOD NULL 
SCRIPT_NAME NULL 
SERVER_NAME NULL 
SERVER_PORT NULL 
SERVER_PROTOCOL NULL 
SERVER_SOFTWARE NULL 
HTTP_ACCEPT */* 
HTTP_ACCEPT_CHARSET NULL 
HTTP_ACCEPT_ENCODING NULL 
HTTP_ACCEPT_LANGUAGE NULL 
HTTP_ACCEPT_RANGES NULL 
HTTP_AGE NULL 
HTTP_ALLOW NULL 
HTTP_AUTHORIZATION NULL 
HTTP_CACHE_CONTROL NULL 
HTTP_CONNECTION NULL 
HTTP_CONTENT_ENCODING NULL 
HTTP_CONTENT_LANGUAGE NULL 
HTTP_CONTENT_LENGTH NULL 
HTTP_CONTENT_LOCATION NULL 
HTTP_CONTENT_MD5 NULL 
HTTP_CONTENT_RANGE NULL 
HTTP_CONTENT_TYPE NULL 
HTTP_DATE NULL 
HTTP_ETAG NULL 
HTTP_EXPECT NULL 
HTTP_EXPIRES NULL 
HTTP_FROM NULL 
HTTP_HOST localhost 
HTTP_IF_MATCH NULL 
HTTP_IF_MODIFIED_SINCE NULL 
HTTP_IF_NONE_MATCH NULL 
HTTP_IF_RANGE NULL 
HTTP_IF_UNMODIFIED_SINCE NULL 
HTTP_LAST_MODIFIED NULL 
HTTP_LOCATION NULL 
HTTP_MAX_FORWARDS NULL 
HTTP_PRAGMA NULL 
HTTP_PROXY_AUTHENTICATE NULL 
HTTP_PROXY_AUTHORIZATION NULL 
HTTP_RANGE NULL 
HTTP_REFERER NULL 
HTTP_RETRY_AFTER NULL 
HTTP_SERVER NULL 
HTTP_TE NULL 
HTTP_TRAILER NULL 
HTTP_TRANSFER_ENCODING NULL 
HTTP_UPGRADE NULL 
HTTP_USER_AGENT NULL 
HTTP_VARY NULL 
HTTP_VIA NULL 
HTTP_WARNING NULL 
HTTP_WWW_AUTHENTICATE NULL 
HTTP_COOKIE SID=E63A7F73B20A5021442BAF3C8F70B97A 
HTTP_SESSION_ID NULL 
Event DBM_INTERN_TEST 
Action REFRESH 
******************************************************

By making the request again but amending the Cookie value (or, if no Cookie header is present, simply adding one to the request), we can cause a stack-based overflow within WAHTTP.exe. The same overflow can also be achieved in numerous other fields: taking sapdbwa_GetQueryString as an example, we can simply pass an additional parameter by appending "&" followed by the string to the query string.

=============== Fix Information ===============

Please ensure you are running the latest version.

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070
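The technical details above name two inputs to the /webdbm handler on waHTTP.exe that reach a fixed-size stack buffer: the Cookie header value and any query-string parameter. The following is an added detection example, not code from the NGSSoftware advisory or from SAP DB: a small checker that parses raw HTTP requests destined for the SAP DB web server and flags overlong values in those two places. The length limit MAX_FIELD_LEN is an assumed threshold, and the three sample requests are constructed for the example (the first reproduces the benign request shown in the advisory); nothing here is captured traffic.

```python
# Added example, not part of the NGSSoftware advisory or of SAP DB itself.
# Inspects raw HTTP requests bound for the SAP DB web server (waHTTP.exe,
# default TCP port 9999) and flags the two overlong-input conditions the
# advisory describes: an oversized Cookie header value and an oversized
# query-string parameter on the /webdbm handler. MAX_FIELD_LEN is an assumed
# threshold, not a figure from the advisory.
from urllib.parse import parse_qsl, urlsplit

MAX_FIELD_LEN = 256  # assumed limit; tune against legitimate traffic


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, headers).

    Header names are lower-cased so lookups are case-insensitive, matching
    how HTTP treats them.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    method, target = request_line[0], request_line[1]
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def check_request(raw, limit=MAX_FIELD_LEN):
    """Return a list of (field, length) findings; empty when nothing exceeds limit."""
    _method, target, headers = parse_request(raw)
    findings = []
    url = urlsplit(target)
    if url.path != "/webdbm":
        return findings  # only the handler named in the advisory is in scope
    cookie = headers.get("cookie", "")
    if len(cookie) > limit:
        findings.append(("cookie", len(cookie)))
    # parse_qsl percent-decodes values, so lengths reflect what the server
    # would actually copy after decoding.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        longest = max(len(name), len(value))
        if longest > limit:
            findings.append(("query:" + name[:32], longest))
    return findings


# Constructed sample requests for exercising the checker (not captured traffic).
# The first reproduces the benign request shown in the advisory.
BENIGN_REQUEST = (
    "GET /webdbm?Event=DBM_INTERN_TEST&Action=REFRESH HTTP/1.0\r\n"
    "Host: localhost\r\n"
    "Accept: */*\r\n"
    "Cookie: SID=E63A7F73B20A5021442BAF3C8F70B97A\r\n"
    "\r\n"
)
OVERSIZED_COOKIE_REQUEST = (
    "GET /webdbm?Event=DBM_INTERN_TEST&Action=REFRESH HTTP/1.0\r\n"
    "Host: localhost\r\n"
    "Cookie: SID=" + "A" * 1024 + "\r\n"
    "\r\n"
)
OVERSIZED_QUERY_REQUEST = (
    "GET /webdbm?Event=DBM_INTERN_TEST&Action=REFRESH&Pad=" + "B" * 600
    + " HTTP/1.0\r\n"
    "Host: localhost\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST),
                       ("oversized cookie", OVERSIZED_COOKIE_REQUEST),
                       ("oversized query", OVERSIZED_QUERY_REQUEST)):
        print(label, "->", check_request(req) or "no findings")
```

The same check is easy to express as a reverse-proxy or IDS rule in front of port 9999: reject or alert on any /webdbm request whose Cookie header or any single query parameter exceeds the chosen length, and measure the decoded length, since percent-encoding only shrinks the copy the server performs. The limit is deliberately conservative; the safe course stated in the advisory remains to run the fixed version.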