SAP Host Control SOAP Web Service 'Database/Name' Command Execution (SAP Note 1341333)

critical Nessus Plugin ID 62293

Synopsis

The remote web server hosts a SOAP service that can be abused to execute arbitrary commands.

Description

The version of SAP Host Control, offered by 'sapstartsrv.exe', fails to sanitize user input to the 'Database/Name' parameter when calling the 'GetDatabaseStatus' SOAP method. A remote, unauthenticated attacker may use this to run commands that, by default, run as SYSTEM.

Note that while this vulnerability affects all platforms, Nessus can only detect vulnerable instances running on Windows.

Nessus has not removed the global environment variable that it created.
This plugin will not report this host as vulnerable again until the 'MACHINE' key has been deleted from the registry at :

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment

Solution

Apply the patch referenced in the vendor's advisory.

See Also

https://service.sap.com/sap/support/notes/1341333

http://www.contextis.com/research/blog/sap4/

Plugin Details

Severity: Critical

ID: 62293

File Name: sap_host_control_note1341333.nasl

Version: 1.8

Type: remote

Family: CGI abuses

Published: 9/25/2012

Updated: 1/19/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:sap:netweaver

Required KB Items: www/sap_host_control, www/sap_control

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 5/1/2012

Vulnerability Publication Date: 8/5/2012

Exploitable With

Metasploit (SAP NetWeaver HostControl Command Injection)

Reference Information

BID: 55084