SAP Control SOAP Web Service Remote Code Execution (SAP Note 1414444)

critical Nessus Plugin ID 66807

Language:

New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote web server hosts a SOAP service that can be abused to execute arbitrary code.

Description

The version of SAP Control, offered by 'sapstartsrv.exe', reportedly contains an arbitrary remote code execution vulnerability. A malformed SOAP request (via POST) can be used to reach an unbounded copy loop, which results in attacker-supplied data being written into existing function pointers. A remote, unauthenticated attacker could use this to execute code that, by default, runs as SYSTEM.

Solution

Apply the patch referenced in the vendor's advisory.

See Also

https://www.zerodayinitiative.com/advisories/ZDI-10-236/

https://service.sap.com/sap/support/notes/1414444

Plugin Details

Severity: Critical

ID: 66807

File Name: sap_control_note1414444.nasl

Version: 1.7

Type: remote

Family: CGI abuses

Published: 6/5/2013

Updated: 1/19/2021

Dependencies: sap_control_detect.nasl

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:ND

Vulnerability Information

CPE: cpe:/a:sap:netweaver

Required KB Items: www/sap_control

Exploit Ease: No known exploits are available

Patch Publication Date: 9/2/2010

Vulnerability Publication Date: 9/2/2010

Reference Information

BID: 44731