SAP Internet Transaction Server Bugs in 'wgate.dll' Disclose Files to Remote Users

SecurityTracker Alert ID: 1007597
CVE Reference: GENERIC-MAP-NOMATCH
Date: Aug 31 2003

Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information

Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes

Version(s): 4620.2.0.323011, Build 46B.323011 (win32/IIS 5.0)

Description: Several vulnerabilities were reported in the SAP Internet Transaction Server (ITS). A remote user can view files on the system. A remote user can view system information. A remote user can also conduct cross-site scripting attacks.

SEC-CONSULT reported several flaws affecting the 'wgate.dll' module.

It is reported that a remote user can view arbitrary files on the system. A demonstration exploit URL is provided:

http://[target]/scripts/wgate/pbw2/!?

The exploit requires the following parameters (where "+" is used to represent the encoded space character ["%20"]):

~language=en&
~runtimemode=DM&
~templatelanguage=&
~language=en&
~theme=..\..&
~template=services\global.srvc++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In this particular example, the "global.srvc" configuration file will be displayed. This file contains usernames and encrypted passwords. A remote user can retrieve the file and use offline cracking methods to attempt to recover some of the passwords.

It is also reported that a remote user can supply specially crafted (and non-existent) values for the following parameters to cause the system to disclose system information:

~service
~templatelanguage
~language
~theme
~template

It is also reported that the software does not filter HTML code from certain parameters before displaying an error message that echoes the user-supplied input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the SAP ITS software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The following demonstration exploit URL and parameter is provided:

http://www.server.name/scripts/wgate.dll?

~service=--><img%09src=javascript:alert(1)%3bcrap
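The two request shapes above (the ~theme/~template traversal with its run of encoded spaces, and the HTML injected through ~service) are easy to pick out of web-server logs once the query string is decoded. The following Python is an added example, not code from the advisory, from SEC-CONSULT, or from SAP: it scans constructed IIS-style log lines for both patterns, and alongside that shows a hypothetical hardened template resolver and error renderer of the kind whose absence the two reports imply. The log lines, the base directory "/its/templates", and all function names are assumptions made for the example; SAP ITS itself is a closed DLL and its real internals are not on this page.

```python
import posixpath
import re
from html import escape
from urllib.parse import parse_qsl

# Constructed IIS-style log lines (W3C fields: date time c-ip method cs-uri-stem
# cs-uri-query sc-status). They are made up for this example; the query strings
# follow the shapes the advisory describes, not a capture from any real server.
SAMPLE_LOG = r"""
2003-08-31 10:00:01 10.0.0.5 GET /scripts/wgate/pbw2/! ~language=en&~runtimemode=DM&~templatelanguage=&~language=en&~theme=..\..&~template=services\global.srvc++++++++ 200
2003-08-31 10:00:02 10.0.0.5 GET /scripts/wgate.dll ~service=--><img%09src=javascript:alert(1)%3bcrap 500
2003-08-31 10:00:03 10.0.0.7 GET /scripts/wgate/webgui/! ~language=en&~theme=99&~template=main.html 200
"""

FILE_PARAMS = ("~theme", "~template")       # parameters the advisory ties to file disclosure
HTML_RE = re.compile(r"[<>]|javascript:", re.IGNORECASE)


def normalise(value: str) -> str:
    """Map backslashes to '/' and strip the trailing space padding (parse_qsl has
    already turned '+' and %20 into real spaces) so 'global.srvc    ' still matches."""
    return value.replace("\\", "/").rstrip()


def has_traversal(value: str) -> bool:
    """True when any path segment of the normalised value is '..'."""
    return any(seg == ".." for seg in normalise(value).split("/"))


def has_html(value: str) -> bool:
    """True when the decoded value carries markup or a javascript: URL."""
    return bool(HTML_RE.search(value))


def scan_log(log_text: str) -> list:
    """Return (client-ip, parameter, finding) tuples for wgate requests that carry
    traversal in ~theme/~template or markup in any parameter."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, uri, query = fields[2], fields[4], fields[5]
        if "wgate" not in uri.lower():
            continue
        # parse_qsl decodes %xx and '+' for us; duplicate keys (two ~language) are kept
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name in FILE_PARAMS and has_traversal(value):
                findings.append((client, name, "path-traversal"))
            if has_html(value):
                findings.append((client, name, "html-injection"))
    return findings


def resolve_template(base_dir: str, theme: str, template: str):
    """Hypothetical hardened server-side join: normalise separators, strip the
    padding, and refuse any result that is absolute, empty, or leaves base_dir.
    Returns the resolved path or None on rejection."""
    base = posixpath.normpath(base_dir)
    rel = posixpath.normpath(normalise(f"{theme}/{template}"))
    if rel in (".", "..") or rel.startswith("/") or rel.startswith("../") or "\x00" in rel:
        return None
    full = posixpath.normpath(posixpath.join(base, rel))
    if full != base and not full.startswith(base + "/"):
        return None
    return full


def error_message(service: str) -> str:
    """Reflect a parameter into an error page only after HTML-escaping it."""
    return "Service %s not found" % escape(service, quote=True)


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(resolve_template("/its/templates", "..\\..", "services\\global.srvc      "))
    print(error_message("--><img\tsrc=javascript:alert(1);crap"))
```

Two details matter in practice: the detector and the resolver both strip trailing whitespace before matching, so the padded file name from the exploit is compared as "global.srvc" rather than slipping past a string comparison on the padded form, and backslashes are folded to "/" because the reported payloads use Windows separators while a naive check may only look for "../".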

The vendor was reportedly notified on August 2, 2003.

Impact: A remote user can view arbitrary files on the system with the privileges of the ITS server.

A remote user can view system information.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the SAP ITS software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution: The vendor has reportedly developed patches, as described in the following technical notes:

SAP Notes 598074, 595383 and 654038

Vendor URL: www.sap.com

Cause: Access control error, Exception handling error, Input validation error

Underlying OS: Windows (Any)

Reported By: Martin Eiszner <martin@websec.org>
