Digital Security Research Group [DSecRG] Advisory [DSECRG-10-205]
  Internal #DSECRG-00144


Application:  SAP BASIS
Versions Affected:  SAP XRFC 6.40/7.00 may be others
Vendor URL:  http://SAP.com
Bug:  Stack Overflow
Exploits: YES (DoS PoC)
Reported:  29.03.2010
Vendor response:  29.03.2010
Solution:  YES
Date of Public Advisory: 09.11.2010
Authors:  Alexey Sintsov of Digital Security Research Group [DSecRG]



Description
***********

It is possible to make stack overflow condition via RFC SOAP request. In
common case
disp+work.exe (for windows version) will be restarted. If here will be
regular SOAP requests
than it's DoS. May be it's code execution possible.


Details
*******

Error present in XML parser, when it try to process tags from RFC SOAP
request.
Big count of inserted tag in tag causes a Stack Overflow condition.
User must be authenticated for this attack, but it's some default accounts:
EARLYWATCH, SAPCPIC, TMSADM, that can get access to SOAP interface.

Example
*******

http://dsecrg.com/pages/vul/show.php?id=205

References
**********

http://dsecrg.com/pages/vul/show.php?id=205
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a
https://service.sap.com/sap/support/notes/1469549




Fix Information
***************

Solution for this issue given in security note 1469549




About
*****

Digital Security is one of the leading IT security companies in CEMEA,
providing information security consulting, audit and penetration
testing services, ERP and SAP security assessment, certification for ISO/IEC
27001:2005 and PCI DSS and PA DSS standards.
Digital Security Research Group focuses on enterprise application (ERP) and
database
security problems with vulnerability reports, advisories and whitepapers
posted regularly on our website.

Contact: research [at] dsecrg [dot]com
http://www.dsecrg.com
http://www.erpscan.com