(The following pre-advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_RFC_START_PROGRAM_RFC_Function_Multiple_Vulnerabilities.pdf )
CYBSEC S.A.
www.cybsec.com
Pre-Advisory Name: SAP RFC_START_PROGRAM RFC Function Multiple Vulnerabilities
=================
Vulnerability Class: Buffer Overflow, Information Disclosure
===================
Release Date: 2007-04-03
============
Affected Applications:
=====================
. SAP RFC Library 6.40
. SAP RFC Library 7.00
Affected Platforms:
==================
. AIX 32bit
. AIX 64bit
. HP-UX on IA64 64bit
. HP-UX on PA-RISC 64bit
. Linux on IA32 32bit
. Linux on IA64 64bit
. Linux on Power 64bit
. Linux on x86_64 64bit
. Linux on zSeries 64bit
. Mac OS
. OS/400
. OS/400 V5R2M0
. Reliant 32bit
. Solaris on SPARC 32bit
. Solaris on SPARC 64bit
. Solaris on x64_64 64bit
. TRU64 64bit
. Windows Server on IA32 32bit
. Windows Server on IA64 64bit
. Windows Server on x64 64bit
. z/OS 32bit
Local / Remote: Remote
==============
Severity: High
========
Author: Mariano Nuñez Di Croce
======
Vendor Status: Confirmed. Updates Released.
=============
Reference to Vulnerability Disclosure Policy: http://www.cybsec.com/vulnerability_policy.pdf
============================================
Product Overview:
================
"The RFC Library offers an interface to a SAP System. The RFC Library is the most commonly used and installed component of existing SAP Software. This
interface provides the opportunity to call any RFC Function in a SAP System from an external application. Moreover, the RFC Library offers the
possibility to write a RFC Server Program, which is accessible from any SAP System or external application. Most SAP Connectors use the RFC Library as
communication platform to SAP Systems."
RFC_START_PROGRAM RFC Function enables the execution of operating system programs on RFC-enabled components. This function is installed by default in
every external RFC server.
Vulnerability Description:
=========================
It is possible to remotely obtain information about the configuration of an external RFC server. In addition, a buffer overflow vulnerability in the
processing of user input has been detected.
Technical Details:
=================
Technical details will be released three months after publication of this pre-advisory. This was agreed upon with SAP to allow their customers to
upgrade the affected software before the technical details become publicly available.
Impact:
======
These vulnerabilities may allow an attacker to remotely obtain information about the RFC server configuration and to remotely execute arbitrary
commands on vulnerable external RFC servers.
Solutions:
=========
SAP has released patches to address these vulnerabilities. Affected customers should apply the patches immediately.
More information can be found on SAP Notes 1004084 and 1003908.
Vendor Response:
===============
. 2006-11-21: Initial Vendor Contact.
. 2006-12-01: Vendor Confirmed Vulnerability.
. 2006-12-11: Vendor Releases Update for version 6.40.
. 2006-12-11: Vendor Releases Update for version 7.00.
. 2007-04-03: Pre-Advisory Public Disclosure.
Special Thanks:
==============
Thanks go to Victor Montero and Gustavo Kunst.
Contact Information:
===================
For more information regarding the vulnerability, feel free to contact the author at mnunez