(The following pre-advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_TRUSTED_SYSTEM_SECURITY_RFC_Function_Information_Disclosure.pdf )
CYBSEC S.A.
www.cybsec.com
Pre-Advisory Name: SAP TRUSTED_SYSTEM_SECURITY RFC Function Information Disclosure
=================
Vulnerability Class: Information Disclosure
===================
Release Date: 2007-04-03
============
Affected Applications:
=====================
. SAP RFC Library 6.40
. SAP RFC Library 7.00
Affected Platforms:
==================
. AIX 32bit
. AIX 64bit
. HP-UX on IA64 64bit
. HP-UX on PA-RISC 64bit
. Linux on IA32 32bit
. Linux on IA64 64bit
. Linux on Power 64bit
. Linux on x86_64 64bit
. Linux on zSeries 64bit
. Mac OS
. OS/400
. OS/400 V5R2M0
. Reliant 32bit
. Solaris on SPARC 32bit
. Solaris on SPARC 64bit
. Solaris on x64_64 64bit
. TRU64 64bit
. Windows Server on IA32 32bit
. Windows Server on IA64 64bit
. Windows Server on x64 64bit
. z/OS 32bit
Local / Remote: Remote
==============
Severity: Low
========
Author: Mariano Nuñez Di Croce
======
Vendor Status: Confirmed. Updates Released.
=============
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
============================================
Product Overview:
================
"The RFC Library offers an interface to a SAP System. The RFC Library is the most commonly used and installed component of existing SAP Software. This
interface provides the opportunity to call any RFC Function in a SAP System from an external application. Moreover, the RFC Library offers the
possibility to write a RFC Server Program, which is accessible from any SAP System or external application. Most SAP Connectors use the RFC Library as
communication platform to SAP Systems."
The TRUSTED_SYSTEM_SECURITY RFC function was developed for internal use by SAP only. This function is installed by default in every external RFC server.
Vulnerability Description:
=========================
The original purpose of this function was to obtain a fingerprint of a Windows domain. Because of the way it was developed, it is possible to take
advantage of its functionality to obtain further information.
Technical Details:
=================
Technical details will be released three months after publication of this pre-advisory. This was agreed upon with SAP to allow their customers to
upgrade affected software prior to technical knowledge being publicly available.
Impact:
======
This vulnerability may allow an attacker to remotely verify the existence of user accounts/groups in the external server's system, domain, or trusted domains.
Solutions:
=========
SAP has released patches to address this vulnerability. Affected customers should apply the patches immediately.
More information can be found on SAP Note 1003910.
Vendor Response:
===============
. 2006-11-21: Initial Vendor Contact.
. 2006-12-01: Vendor Confirmed Vulnerability.
. 2006-12-11: Vendor Releases Update for version 6.40.
. 2006-12-11: Vendor Releases Update for version 7.00.
. 2007-04-03: Pre-Advisory Public Disclosure.
Special Thanks:
==============
Thanks go to Victor Montero and Gustavo Kunst.
Contact Information:
===================
For more information regarding the vulnerability feel free to contact the author at mnunez