vulnerability details

Release Date: 03/01/2006
Affected Applications: SAP WebAS Kernel up to version 7.00
Affected Platforms: Platform-Independent
Local / Remote: Remote
Severity: Medium to High
Author: A. Grossmann arnold.grossmann (at) gmail.com
Vendor Status: Confirmed

Product Overview (cited from SAP):
==================================
SAP Web Application Server
The only Application Platform for the SAP NetWeaver Suite
SAP Web Application Server (SAP Web AS) is the application platform of SAP NetWeaver, i.e. it provides the complete infrastructure to develop, deploy and run all SAP NetWeaver applications. The major key capability of SAP Web AS is the full support for both the proven ABAP technology and the innovative open source internet-driven technologies Java, Java 2 Enterprise Edition (J2EE) and Web Services.

Vulnerability Description:
==========================
SAP Web Application Server was found to be vulnerable to a URL manipulation allowing an attacker to prefix the HTTP response (to a request containing a manipulated URL) with a sequence of bytes of his choice. The vulnerability may be exploited to mount various attacks to gain knowledge of authentication information valid within the context of the WAS website (like cookies, usernames or passwords). The vulnerability may also aid an attacker in manipulating the way a website is cached, served or interpreted, leading to a false sense of trust or a partial defacement.

Technical Details:
==================
One way the vulnerability can be exploited is by inserting ";%20" into the HTTP request URL, followed by the characters to be inserted, replacing all characters with special meaning (like "/", CR, LF and "=") by one of their illegal UTF-8 and URL-encoded representations. This results in an incorrectly handled HTTP error. WAS translates each illegal character representation into one byte and returns the sequence chosen by the attacker, followed by some garbage characters built from the URL, a slightly incorrect HTTP response header plus the original HTTP message body, thus allowing complete control over the first sequence of bytes of the response. If the attacker inserts an HTTP message containing an HTML page in its entity body, the user's browser will render that page and discard the rest of the response.
Cache manipulations might be done by letting WAS return one or multiple specially crafted HTTP responses within the bytes inserted. This could facilitate phishing or defacement style attacks.

Exploit (PoC):
==============
The following proof of concept returns an HTML page that is defined by the request URL.
http://sap-was/x.htm;%20HTTP%c0%af1.0%20200%20OK%c0%8d%c0%8aContent-Length:%2035%c0%8d%c0%8aContent-Type:text%c0%afhtml%c0%8d%c0%8a%c0%8d%c0%8a%3Chtml%3e%3cbody%3ehello%3c%c0%afbody%3e%3c%c0%afhtml%3e%c0%8d%c0%8a%c0%8d%c0%8a
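As an added illustration (not code from the advisory or from SAP): the %c0%xx sequences in the PoC above are overlong two-byte UTF-8 encodings of "/", CR and LF. The Python below models the lenient decoding that collapses them into single bytes, and shows the strict validity check a reverse proxy or WAF in front of the application server can apply to reject such request paths before they reach the backend. POC_PATH is the start of the PoC URL's path; all function names are assumptions.

```python
from __future__ import annotations
import re
from urllib.parse import unquote_to_bytes

# Lead bytes 0xC0 and 0xC1 can only start overlong two-byte encodings of
# U+0000..U+007F; RFC 3629 requires a conforming decoder to reject them.
OVERLONG_2BYTE = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

# Beginning of the advisory's PoC request path (taken from the URL quoted above).
POC_PATH = "/x.htm;%20HTTP%c0%af1.0%20200%20OK%c0%8d%c0%8aContent-Length:%2035%c0%8d%c0%8a"


def lenient_decode(raw: bytes) -> bytes:
    """Model of a decoder that accepts overlong two-byte forms (the behaviour the
    advisory describes): C0/C1 plus a continuation byte collapses into the single
    ASCII byte it encodes, so %c0%af becomes '/' and %c0%8d%c0%8a becomes CR LF."""
    def collapse(m) -> bytes:
        lead, cont = m.group(0)          # two ints from the matched byte pair
        return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])
    return OVERLONG_2BYTE.sub(collapse, raw)


def is_strict_utf8(raw: bytes) -> bool:
    """Python's UTF-8 codec rejects overlong forms, so a plain decode is a
    conformance check."""
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def check_request_path(path: str) -> tuple[bool, str]:
    """Validate a percent-encoded request path the way a reverse proxy or WAF
    rule should, before any backend decoding. Returns (accepted, reason)."""
    raw = unquote_to_bytes(path)
    if not is_strict_utf8(raw):
        return False, "invalid or overlong UTF-8 in percent-decoded path"
    if b"\r" in raw or b"\n" in raw:
        return False, "CR/LF in percent-decoded path"
    return True, "ok"


def smuggled_view(path: str) -> bytes:
    """What the path becomes under the lenient decoder; useful in an alert so the
    analyst sees the response bytes a request tried to inject."""
    return lenient_decode(unquote_to_bytes(path))


if __name__ == "__main__":
    print(check_request_path(POC_PATH))
    print(smuggled_view(POC_PATH))
```

Run against the PoC path, check_request_path rejects it at the UTF-8 step, and smuggled_view shows the forged status line and CR LF pairs that a lenient decoder would have produced.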


Solution:
=========
Patches are provided by SAP. See SAP Notes 908147 and 915084 for details.

Vendor Response:
================
* 11/29/2005: Initial vendor contact.
* 11/30/2005: Technical details for the vulnerabilities sent to vendor.
* 01/10/2006: Patch provided by vendor.
* 03/01/2006: Coordinated release of pre-advisory without technical details.
* 05/16/2006: Coordinated release of advisory with technical details.
