SAP Control SOAP Web Service Remote Code Execution (SAP Note 1414444)

Critical Nessus Plugin ID 66807

Synopsis

The remote web server hosts a SOAP service that can be abused to execute arbitrary code.

Description

The version of SAP Control, offered by 'sapstartsrv.exe', reportedly contains an arbitrary remote code execution vulnerability. A malformed SOAP request (via POST) can be used to reach an unbounded copy loop, which results in attacker-supplied data being written into existing function pointers. A remote, unauthenticated attacker could use this to execute code that, by default, runs as SYSTEM.

Solution

Apply the patch referenced in the vendor's advisory.

See Also

https://www.zerodayinitiative.com/advisories/ZDI-10-236/

https://service.sap.com/sap/support/notes/1414444

Plugin Details

Severity: Critical

ID: 66807

File Name: sap_control_note1414444.nasl

Version: 1.6

Type: remote

Family: CGI abuses

Published: 2013/06/05

Modified: 2018/11/15

Dependencies: 62291

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:ND

Vulnerability Information

CPE: cpe:/a:sap:netweaver

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2010/09/02

Vulnerability Publication Date: 2010/09/02

Reference Information

BID: 44731