SAP Host Control SOAP Web Service 'Database/Name' Command Execution (SAP Note 1341333)

Critical Nessus Plugin ID 62293

Synopsis

The remote web server hosts a SOAP service that can be abused to execute arbitrary commands.

Description

The version of SAP Host Control, offered by 'sapstartsrv.exe', fails to sanitize user input to the 'Database/Name' parameter when calling the 'GetDatabaseStatus' SOAP method. A remote, unauthenticated attacker may use this to run commands that, by default, run as SYSTEM.

Note that while this vulnerability affects all platforms, Nessus can only detect vulnerable instances running on Windows.

Nessus has not removed the global environment variable that it created. This plugin will not report this host as vulnerable again until the 'MACHINE' key has been deleted from the registry at:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment

Solution

Apply the patch referenced in the vendor's advisory.

See Also

https://service.sap.com/sap/support/notes/1341333

http://www.contextis.com/research/blog/sap4/

Plugin Details

Severity: Critical

ID: 62293

File Name: sap_host_control_note1341333.nasl

Version: 1.7

Type: remote

Family: CGI abuses

Published: 2012/09/25

Modified: 2018/08/08

Dependencies: 62292, 62291, 11936

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:sap:netweaver

Required KB Items: www/sap_control, www/sap_host_control

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 2012/05/01

Vulnerability Publication Date: 2012/08/05

Exploitable With

Metasploit (SAP NetWeaver HostControl Command Injection)

Reference Information

BID: 55084

EDB-ID: 20944