Summary
=======
Name: SAP DB Web Server Stack Overflow
Release Date: 5 July 2007
Reference: NGS00486
Discoverer: Mark Litchfield
Vendor: SAP
Vendor Reference: SECRES-291
Systems Affected: All Versions
Risk: Critical
Status: Fixed
TimeLine
========
Discovered: 3 January 2007
Released: 19 January 2007
Approved: 29 January 2007
Reported: 11 January 2007
Fixed: 27 March 2007
Published:
Description
===========
SAP DB is an open source database server sponsored by SAP AG that provides
a series of web tools to administer database servers via web browsers.
These tools can be integrated into third-party web servers such as IIS, or
run on their own web server, which by default is installed on TCP port 9999.
When installed as its own web server, the process waHTTP.exe is found
listening on TCP port 9999.
Technical Details
=================
http://target:9999/webdbm?Event=DBM_INTERN_TEST&Action=REFRESH
Looking at the 200 response we can determine the function offered by the
request:
******************************************
Test
******************************************
By making the request again but amending the Cookie value (or, if one is
not present, simply adding it as an HTTP request header), we can cause a
stack-based overflow within WAHTTP.exe.
The same overflow can also be achieved in numerous other fields.
If we take sapdbwa_GetQueryString, we can simply pass an additional
parameter by appending & + string.
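As an added illustration that is not part of this advisory and is not waHTTP.exe source: a header-copy routine in the shape that yields a stack-based overflow when a header value such as Cookie is longer than its fixed stack buffer, beside a bounds-checked version that rejects oversized values instead. The buffer size (COOKIE_MAX), the function names and the constructed request are assumptions made for this example.

```c
/* Added illustration (not waHTTP.exe source): a header-copy routine in the
 * shape that gives a stack-based overflow when a header value is longer than
 * its fixed stack buffer, next to a bounds-checked version. COOKIE_MAX, the
 * function names and the constructed request are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define COOKIE_MAX 64   /* assumed size of the fixed stack buffer */

/* Locate header `name` (case-sensitive) in a raw, NUL-terminated request
 * block. Returns a pointer to the first byte of its value and stores the
 * value length in *len (trailing CR stripped); NULL if the header is absent. */
const char *find_header(const char *request, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *line = request;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen > nlen && strncmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            while (v < line + llen && *v == ' ') v++;
            *len = (size_t)(line + llen - v);
            if (*len > 0 && v[*len - 1] == '\r') (*len)--;
            return v;
        }
        line = eol ? eol + 1 : NULL;
    }
    return NULL;
}

/* Convenience for checks: length of the named header's value, or -1. */
int header_value_len(const char *request, const char *name)
{
    size_t len = 0;
    return find_header(request, name, &len) ? (int)len : -1;
}

/* Vulnerable pattern: the value is copied into a fixed stack buffer without
 * comparing its length to the buffer, so any value of COOKIE_MAX bytes or
 * more writes past the end of `cookie`. Kept only to show the bug class; it
 * is never called in this example. */
int handle_cookie_unsafe(const char *request)
{
    char cookie[COOKIE_MAX];
    size_t len = 0;
    const char *v = find_header(request, "Cookie", &len);
    if (!v) return 0;
    memcpy(cookie, v, len);          /* no bound on len */
    cookie[len] = '\0';
    return 1;
}

/* Hardened version: compare the length to the buffer first and reject
 * (rather than silently truncate) anything that does not fit with room for
 * the terminator. Returns 1 accepted, 0 header absent, -1 rejected. */
int handle_cookie_safe(const char *request)
{
    char cookie[COOKIE_MAX];
    size_t len = 0;
    const char *v = find_header(request, "Cookie", &len);
    if (!v) return 0;
    if (len >= sizeof cookie) return -1;   /* would overflow: reject so the caller can log it */
    memcpy(cookie, v, len);
    cookie[len] = '\0';
    return 1;
}

/* Build a constructed request to the DBM_INTERN_TEST URL with a Cookie value
 * of n 'A' bytes. Returns the request length, or 0 if `out` is too small. */
size_t build_request(char *out, size_t outsz, size_t n)
{
    const char *head = "GET /webdbm?Event=DBM_INTERN_TEST&Action=REFRESH HTTP/1.0\r\n"
                       "Host: localhost\r\nCookie: ";
    const char *tail = "\r\n\r\n";
    size_t hl = strlen(head), tl = strlen(tail);
    if (hl + n + tl + 1 > outsz) return 0;
    memcpy(out, head, hl);
    memset(out + hl, 'A', n);
    memcpy(out + hl + n, tail, tl + 1);   /* includes the NUL */
    return hl + n + tl;
}

/* Run the safe handler against a request whose Cookie value is n bytes long. */
int check_cookie_of_length(size_t n)
{
    char buf[512];
    if (build_request(buf, sizeof buf, n) == 0) return -2;
    return handle_cookie_safe(buf);
}

int main(void)
{
    printf("32-byte cookie:  %d\n", check_cookie_of_length(32));    /* 1  */
    printf("300-byte cookie: %d\n", check_cookie_of_length(300));   /* -1 */
    return 0;
}
```

The safe variant rejects instead of truncating so the event can be logged and counted; the same length limit applied at a reverse proxy in front of port 9999 enforces the check outside the process for installations that cannot be upgraded immediately.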
Fix Information
===============
Please ensure you are running the latest version.
NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070
The 200 response body of the DBM_INTERN_TEST request (belongs under the "Test" banner above; one variable per line):

sapdbwa_GetRequestURI        /webdbm
sapdbwa_GetIfModifiedSince   NULL
sapdbwa_GetQueryString       Event=DBM_INTERN_TEST&Action=REFRESH
sapdbwa_GetPathInfo          NULL
sapdbwa_GetMethod            GET
sapdbwa_GetContentType       NULL
sapdbwa_GetContentLength     NULL
sapdbwa_GetPathTranslated    NULL
sapdbwa_GetServerName        NULL
AUTH_TYPE                    NULL
CONTENT_LENGTH               NULL
CONTENT_TYPE                 NULL
GATEWAY_INTERFACE            NULL
HTTP_ACCEPT                  */*
PATH_INFO                    NULL
QUERY_STRING                 NULL
REMOTE_ADDR                  NULL
REMOTE_HOST                  NULL
REMOTE_USER                  NULL
REQUEST_METHOD               NULL
SCRIPT_NAME                  NULL
SERVER_NAME                  NULL
SERVER_PORT                  NULL
SERVER_PROTOCOL              NULL
SERVER_SOFTWARE              NULL
HTTP_ACCEPT                  */*
HTTP_ACCEPT_CHARSET          NULL
HTTP_ACCEPT_ENCODING         NULL
HTTP_ACCEPT_LANGUAGE         NULL
HTTP_ACCEPT_RANGES           NULL
HTTP_AGE                     NULL
HTTP_ALLOW                   NULL
HTTP_AUTHORIZATION           NULL
HTTP_CACHE_CONTROL           NULL
HTTP_CONNECTION              NULL
HTTP_CONTENT_ENCODING        NULL
HTTP_CONTENT_LANGUAGE        NULL
HTTP_CONTENT_LENGTH          NULL
HTTP_CONTENT_LOCATION        NULL
HTTP_CONTENT_MD5             NULL
HTTP_CONTENT_RANGE           NULL
HTTP_CONTENT_TYPE            NULL
HTTP_DATE                    NULL
HTTP_ETAG                    NULL
HTTP_EXPECT                  NULL
HTTP_EXPIRES                 NULL
HTTP_FROM                    NULL
HTTP_HOST                    localhost
HTTP_IF_MATCH                NULL
HTTP_IF_MODIFIED_SINCE       NULL
HTTP_IF_NONE_MATCH           NULL
HTTP_IF_RANGE                NULL
HTTP_IF_UNMODIFIED_SINCE     NULL
HTTP_LAST_MODIFIED           NULL
HTTP_LOCATION                NULL
HTTP_MAX_FORWARDS            NULL
HTTP_PRAGMA                  NULL
HTTP_PROXY_AUTHENTICATE      NULL
HTTP_PROXY_AUTHORIZATION     NULL
HTTP_RANGE                   NULL
HTTP_REFERER                 NULL
HTTP_RETRY_AFTER             NULL
HTTP_SERVER                  NULL
HTTP_TE                      NULL
HTTP_TRAILER                 NULL
HTTP_TRANSFER_ENCODING       NULL
HTTP_UPGRADE                 NULL
HTTP_USER_AGENT              NULL
HTTP_VARY                    NULL
HTTP_VIA                     NULL
HTTP_WARNING                 NULL
HTTP_WWW_AUTHENTICATE        NULL
HTTP_COOKIE                  SID=E63A7F73B20A5021442BAF3C8F70B97A
HTTP_SESSION_ID              NULL
Event                        DBM_INTERN_TEST
Action                       REFRESH