Internet Transaction Server Multiple Vulnerabilities

[01.09.2003] Internet Transaction Server Multiple Vulnerabilities

 

Product: ITS ITS, Version 4620.2.0.323011, Build 46B.323011 (win32/IIS 5.0)

Vendor: SAP (http://www.sap.com/)

Vendor-Status: vendor contacted (02.08.2003)

Vendor-Patchs: SAP advice 598074,595383 and 654038

 

Vulnerablities

 

* Path/information disclosure

* Directory traversal

* Filename truncation

* Arbitrary file disclosure

* Cross site scripting/Cookie Theft

 

 

Exploitable

Local: ---

Remote: YES

 

Introduction

 

Visit "http://www.sap.com" and try to find additional information.

 

 

Vulnerability Details

 

1) DIRECTORY/INFO DISCLOSURE

 

OBJECT:

wgate.dll (win32 CGI-Communication binary)

 

DESCRIPTION:

Insufficient input- and output validation on miscellaneous userinput allows the insertion of non existing values for the following user supplied paramters:

 

##################

~service

~templatelanguage

~language

~theme

~template

##################

 

Thus leading to several unwanted error messages which may include sensitive information on operating-system, software version and the directory structure of the attacked server.

 

EXAMPLE:

---*---

Http-Request:

www.server.name/scripts/wgate/pbw2/!?

 

with params:

~runtimemode=DM&

~language=en&

~theme=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&

---*---

 

REMARKS:

It might be possible that "~template" is an undocumented or forgotten variable (NOT confirmed).

 

2) ARBITRARY FILE DISCLOSURE (Directory Traversal / File Truncation)

 

OBJECT:

wgate.dll (win32 CGI-Communication binary)

 

DESCRIPTION:

 

EXAMPLE:

---*---

Http-Request:

www.server.name/scripts/wgate/pbw2/!?

 

with params:

~language=en&

~runtimemode=DM&

~templatelanguage=&

~language=en&

~theme=..\..&

~template=services\global.srvc+++++++ ++++++ +++++++++++ +++++++ +++++++ ++++++ ++++ +++++ +++++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++++ ++

---*---

 

(where "+" stands for spaces "%20" uri encoded).

 

Above will respond with the global server configuration file "global.srvc" on an ITS default-installation.

 

Normally the default-template extension (.html ?) gets concatenated to the rest of the template information.

Most probably somebody wanted to avoid a possible Bufferoverflow by truncating the input values if they exceed a given length. Thus making it possible to shed the ".html" extension.

 

For some strange reason now and then the program responds with an error-message instead of giving out the requested file. This might be due to unwanted?/additional? HTTP-Request-Header infos (NOT confirmed).

 

REMARKS:

 

The global configuration file "global.srvc" contains username and des-encrypted password

---*---

~password des26(2c94f116f4393f3d)

~login Master

---*---

 

A good DES-cracker should be able to crack this password-hash either by using wordlistst or by brute-force methods (NOT confirmed).

 

 

3) CROSS SITE SCRIPTING / COOKIE THEFT

 

OBJECT:

wgate.dll (win32 CGI-Communication binary)

 

DESCRIPTION:

Insufficient input- and output validation on miscellaneous userinput-parameters enables insertion of html/client side scripting tags.

 

EXAMPLE:

---*---

Http-Request:

www.server.name/scripts/wgate.dll?

 

with params:

~service=--><img%09src=javascript:alert(1)%3bcrap<BR>---*---

 

REMARKS:

Due to excessive usage of cookies for managing sessions and/or states cookie-theft is very likely.

There might be several other location where html/scripting tags can be inserted (NOT confirmed).

 

 

GENERAL REMARKS

 

Above findings derive from an external(black box) security test.

we would like to apologize in advance for potential nonconformities and/or known issues.

 

 

Recommended Hotfixes

 

software patch(es).

 

 

EOF Martin Eiszner / @2003

m.eiszner at sec-consult dot com