======= Summary ======= Name: SAP Message Server Heap Overflow Release Date: 5 July 2007 Reference: NGS00485 Discover: Mark Litchfield Vendor: SAP Vendor Reference: SECRES-292 Systems Affected: All Versions Risk: Critical Status: Fixed ======== TimeLine ======== Discovered: 4 January 2007 Released: 19 January 2007 Approved: 29 January 2007 Reported: 11 January 2007 Fixed: 2 May 2007 Published: =========== Description =========== The Message Server is a service used by the different applications servers to exchange data and internal messages. It is also used for licence checking and workload balancing together with the SAP logon utility. The Message Server can found to be listening on the following default TCP Ports: Message Server - 3600 Message Server HTTP - 8100 Message Server HTTPS - No Default Note: All the Message Server available ports share the same PID Depending on the number of instances that have been installed, the Message Server can be found to listen on other PORTS. The PORT allocation follows the rule of incorporating the instance number to generate the TCP port allocation (). Examples are Message Server - 36 Message Server HTTP - 81 Message Server HTTPS (if installed) - 444 ================= Technical Details ================= In this particular attack, we are targeting the Message HTTP Server in an unauthenticated state. As can be seen from the example below, we are sending a GET request to the Message Server listening on (in this case) TCP Port 8100, passing a Parameter of Group to the URL /msgserver/html/group with a value of 498 bytes. Sending such a request will cause a write access violation to your specified string value. For example using a lower case x would be an access violation writing to location 0x78787878. GET /msgserver/html/group?group=**498 bytes** HTTP/1.0 Accept: */* Accept-Language: en-us Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) Host: sapserver:8100 Proxy-Connection: Keep-Alive Whilst this bug allows the remote unauthenticated execution of arbitrary code (running as SYSTEM on Windows), as can be determined by the functionality of this service, within a business environment, the termination of this process can have dire effects to the operation of SAP and its components. =============== Fix Information =============== Please ensure you have the latest version NGSSoftware Insight Security Research http://www.ngssoftware.com/ http://www.databasesecurity.com/ http://www.nextgenss.com/ +44(0)208 401 0070