SAP Host Control SOAP Web Service 'Database/Name' Command Execution (SAP Note 1341333)
Critical Nessus Plugin ID 62293
Synopsis
The remote web server hosts a SOAP service that can be abused to execute arbitrary commands.
Description
The version of SAP Host Control, offered by 'sapstartsrv.exe', fails to sanitize user input to the 'Database/Name' parameter when calling the 'GetDatabaseStatus' SOAP method. A remote, unauthenticated attacker may use this to run commands that, by default, run as SYSTEM.
Note that while this vulnerability affects all platforms, Nessus can only detect vulnerable instances running on Windows.
Nessus has not removed the global environment variable that it created.
This plugin will not report this host as vulnerable again until the 'MACHINE' key has been deleted from the registry at :
Solution
Apply the patch referenced in the vendor's advisory.