|
|
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig3D525CA88DFD75373E5E465F
Content-Type: multipart/mixed;
boundary="------------040609080206030402080604"
This is a multi-part message in MIME format.
--------------040609080206030402080604
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
-----------------------------------------
Mariano Nu=F1ez Di Croce
CYBSEC S.A. Security Systems
Email: mnunez@cybsec.com
Tel/Fax: (54-11) 4371-4444
Web: http://www.cybsec.com
PGP: http://www.cybsec.com/pgp/mnunez.txt
-----------------------------------------
(The following pre-advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_SYSTEM_CREATE_INSTANCE_RFC_Function_Buffer_Overflow.pdf )
CYBSEC S.A.
www.cybsec.com
Pre-Advisory Name: SAP SYSTEM_CREATE_INSTANCE RFC Function Buffer Overflow
=================
Vulnerability Class: Buffer Overflow
===================
Release Date: 2007-04-03
============
Affected Applications:
======================2E SAP RFC Library 6.40
=2E SAP RFC Library 7.00
Affected Platforms:
==================
=2E AIX 32bit
=2E AIX 64bit
=2E HP-UX on IA64 64bit
=2E HP-UX on PA-RISC 64bit
=2E Linux on IA32 32bit
=2E Linux on IA64 64bit
=2E Linux on Power 64bit
=2E Linux on x86_64 64bit
=2E Linux on zSeries 64bit
=2E Mac OS
=2E OS/400
=2E OS/400 V5R2M0
=2E Reliant 32bit
=2E Solaris on SPARC 32bit
=2E Solaris on SPARC 64bit
=2E Solaris on x64_64 64bit
=2E TRU64 64bit
=2E Windows Server on IA32 32bit
=2E Windows Server on IA64 64bit
=2E Windows Server on x64 64bit
=2E z/OS 32bit
Local / Remote: Remote
==============
Severity: High
========
Author: Mariano Nu=F1ez Di Croce
======
Vendor Status: Confirmed. Updates Released.
=============
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
============================================
Product Overview:
================
"The RFC Library offers an interface to a SAP System. The RFC Library is the most commonly used and installed component of existing SAP Software. This
interface provides the opportunity to call any RFC Function in a SAP System from an external application. Moreover, the RFC Library offers the
possibility to write a RFC Server Program, which is accessible from any SAP System or external application. Most SAP Connectors use the RFC Library as
communication platform to SAP Systems."
SYSTEM_CREATE_INSTANCE RFC Function allows the creation of remote objects, where some object adapter is available. This function is installed by
default in every external RFC server.
Vulnerability Description:
=========================
A remote buffer overflow vulnerability has been detected in the SYSTEM_CREATE_INSTANCE RFC Function.
Technical Details:
=================
Technical details will be released three months after publication of this pre-advisory. This was agreed upon with SAP to allow their customers to
upgrade affected software prior to technical knowledge been publicly available.
Impact:
======
This vulnerability may allow an attacker to remotely execute arbitrary commands over external RFC servers.
Solutions:
=========
SAP has released patches to address this vulnerability. Affected customers should apply the patches immediately.
More information can be found on SAP Note 1003910.
Vendor Response:
===============
=2E 2006-11-21: Initial Vendor Contact.
=2E 2006-12-01: Vendor Confirmed Vulnerability.
=2E 2006-12-11: Vendor Releases Update for version 6.40.
=2E 2006-12-11: Vendor Releases Update for version 7.00.
=2E 2007-04-03: Pre-Advisory Public Disclosure.
Special Thanks:
==============
Thanks goes to Victor Montero and Gustavo Kunst.
Contact Information:
===================For more information regarding the vulnerability feel free to contact the author at mnunez