Re: [Full-disclosure] [ESNC-2013-005] Remote Code Injection in SAP ERP Central Component - Project System

[Ron Yount]

Please unsubscribe.  Address to be inactive.

-Original Message-
From: Full-Disclosure [mailto:full-disclosure-boun...@lists.grok.org.uk] On 
Behalf Of ESNC Security
Sent: Monday, May 6, 2013 10:31 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] [ESNC-2013-005] Remote Code Injection in SAP ERP 
Central Component - Project System

[ESNC-2013-005] Remote Code Injection in SAP ERP Central Component - Project 
System

Please refer to http://www.esnc.de for the original security advisory, updates 
and additional information.


1. Business Impact


Project System, which is part of SAP ERP, provides tools to track project costs 
and resources. It is tightly integrated with Controlling, Human Resources, and 
Logistics modules.

This vulnerability allows execution of arbitrary program code of the user's 
choice.

According to SAP, the user can:

* Inject and run their own code,

* Obtain additional information that should not be displayed,

* Modify data, delete data.

Since this issue exists on a remote function module, attacker can directly call 
the RFC from the network or from Internet via SOAP-RFC services.

Risk Level: High


2. Advisory Information


-- ESNC Security Advisory ID: ESNC-2013-005
-- CVE ID: CVE-2013-3244
-- Original security advisory:
http://www.esnc.de/sap-security-audit-and-scan-services/security-advisories/58-remote-code-injection-in-sap-erp-project-system
-- Vendor Patch Date: 11.12.2012
-- Public Advisory Date: 07.05.2013
-- Researcher: Ertunga Arsal


3. Vulnerability Information


-- Vendor: SAP
-- Affected Components: ERP Central Component PS-IS
-- Affected Versions: Please refer to SAP note for more information
-- Vulnerable Function: CJDB_FILL_MEMORY_FROM_PPB
-- Vulnerability Class: Remote Code Injection
-- CVSS v2 score by the vendor: 7.5 AV:N/AC:M/AU:S/C:P/I:P/A:C
-- Remotely Exploitable: Yes
-- Authentication Required: Yes
-- Additional Notes: An exploit for this vulnerability is available in ESNC 
Penetration Testing Suite


4. Solution


Please apply the security patch [SAP Note 1776695] supplied by the vendor.
More information can be found at vendor's site:

https://service.sap.com/sap/support/notes/1776695

To prevent this and similar flaws, enterprises can use ESNC Code Security for 
scanning their own ABAP code or for assessing the security of the ABAP programs 
installed on their SAP systems.


About ESNC


ESNC GmbH, Germany is a company specialized in SAP penetration testing, ABAP 
security review and SAP vulnerability assessment services.

It's flagship product ESNC Security Suite is used by many large enterprises for 
security scanning their SAP ABAP and Java AS systems, running ABAP code 
inspection, enforcing security compliance and for providing SAP security 
monitoring.

For more information about our products and services, please visit our web page 
at http://www.esnc.de

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [ESNC-2013-005] Remote Code Injection in SAP ERP Central Component - Project System

[ESNC Security]

[ESNC-2013-005] Remote Code Injection in SAP ERP Central Component -
Project System

Please refer to http://www.esnc.de for the original security advisory,
updates and additional information.


1. Business Impact


Project System, which is part of SAP ERP, provides tools to track
project costs and resources. It is tightly integrated with
Controlling, Human Resources, and Logistics modules.

This vulnerability allows execution of arbitrary program code of the
user's choice.

According to SAP, the user can:

* Inject and run their own code,

* Obtain additional information that should not be displayed,

* Modify data, delete data.

Since this issue exists on a remote function module, attacker can
directly call the RFC from the network or from Internet via SOAP-RFC
services.

Risk Level: High


2. Advisory Information


-- ESNC Security Advisory ID: ESNC-2013-005
-- CVE ID: CVE-2013-3244
-- Original security advisory:
http://www.esnc.de/sap-security-audit-and-scan-services/security-advisories/58-remote-code-injection-in-sap-erp-project-system
-- Vendor Patch Date: 11.12.2012
-- Public Advisory Date: 07.05.2013
-- Researcher: Ertunga Arsal


3. Vulnerability Information


-- Vendor: SAP
-- Affected Components: ERP Central Component PS-IS
-- Affected Versions: Please refer to SAP note for more information
-- Vulnerable Function: CJDB_FILL_MEMORY_FROM_PPB
-- Vulnerability Class: Remote Code Injection
-- CVSS v2 score by the vendor: 7.5 AV:N/AC:M/AU:S/C:P/I:P/A:C
-- Remotely Exploitable: Yes
-- Authentication Required: Yes
-- Additional Notes: An exploit for this vulnerability is available in
ESNC Penetration Testing Suite


4. Solution


Please apply the security patch [SAP Note 1776695] supplied by the vendor.
More information can be found at vendor's site:

https://service.sap.com/sap/support/notes/1776695

To prevent this and similar flaws, enterprises can use ESNC Code
Security for scanning their own ABAP code or for assessing the
security of the ABAP programs installed on their SAP systems.


About ESNC


ESNC GmbH, Germany is a company specialized in SAP penetration
testing, ABAP security review and SAP vulnerability assessment
services.

It's flagship product ESNC Security Suite is used by many large
enterprises for security scanning their SAP ABAP and Java AS systems,
running ABAP code inspection, enforcing security compliance and for
providing SAP security monitoring.

For more information about our products and services, please visit our
web page at http://www.esnc.de

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/