SAP NetWeaver Buffer Overflow (June 1, 2012)

SAP NetWeaver is a software framework that provides the foundation for applications in SAP’s Business Suite. It includes development and runtime environments for SAP and custom applications. NetWeaver uses the ABAP programming language developed by SAP. It is specifically designed to cater to business application development. NetWeaver uses industry standards allowing it to be integrated with other programming frameworks such as dotNET and Java.

Upon installation, NetWeaver starts multiple services and processes to handle incoming network requests. One such process is the Dispatcher, which manages requests sent in by users and handles different types of transactions. One of the transaction types handled is the Diagnostic transaction. This transaction requires an initial connection setup message followed by the request itself. Network communication utilizes a proprietary SAP protocol which is not publicly documented.

The Diagnostic transaction request, denoted by a specific code, includes a field containing a NULL terminated string. The following table illustrates the diagnostic transaction request structure:

 Offset     Bytes        Description
 ---------- ------------ -------------------------------------
 0x0000     4            length
 0x0004     8            unknown
 0x000C     9            unknown
 0x0015     3            message code
 0x0018     2            unknown
 0x001A     ?            string (NULL terminated)

A buffer overflow vulnerability exists in SAP NetWeaver’s Dispatcher process due to an error during handling of certain Diagnostic request messages. Specifically, upon receiving a request, the vulnerable code fails to validate the length of a string contained in the message. The string is expanded to Unicode and copied into a stack buffer of a fixed size, without validation of the string length. This can result in a stack buffer overflow, corrupting the stack and overwriting important data such as function variables and return addresses.

A remote, unauthenticated attacker can leverage this vulnerability by sending a Diagnostic request with an overly large string to the vulnerable service. Successful exploitation would allow execution of arbitrary code in the security context of the service. If an exploitation attempt fails, the server may terminate abnormally.
The risk of this vulnerability is mitigated by a required non-default service configuration.
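The following example, added here and not part of the original advisory or of SAP's code, parses a Diagnostic request using the field layout from the table above and applies the length check that the vulnerable copy described above omits (the string doubles in size when expanded to Unicode before it reaches the fixed stack buffer). The actual message code, the byte order and meaning of the length field, the stack buffer size and the detection threshold are not given on the page, so they are placeholders.

```python
import struct

# Layout below follows the advisory's table. Values the page does not give
# (the Diagnostic message code, the byte order and meaning of the length
# field, the size of the stack buffer) are placeholders for this example.
HEADER_LEN = 0x1A                # offset at which the string begins, per table
DIAG_CODE = b"\x01\x02\x03"      # PLACEHOLDER, not the real message code
STACK_BUF_SIZE = 512             # assumed size of the fixed stack buffer

def parse_diag_request(data: bytes) -> dict:
    """Split a request into its fields; raise ValueError if malformed."""
    if len(data) < HEADER_LEN + 1:
        raise ValueError("shorter than fixed header plus NULL terminator")
    length = struct.unpack(">I", data[:4])[0]        # big-endian assumed
    if length != len(data):                          # assumed: total length
        raise ValueError("length field disagrees with message size")
    code = data[0x15:0x18]
    nul = data.find(b"\x00", HEADER_LEN)             # terminator of the string
    if nul < 0:
        raise ValueError("string is not NULL terminated")
    return {"length": length, "code": code, "string": data[HEADER_LEN:nul]}

def unicode_copy_fits(s: bytes, buf_size: int = STACK_BUF_SIZE) -> bool:
    """The check the vulnerable code lacks: every input byte becomes a
    2-byte UTF-16 unit, plus a 2-byte terminator, and the result must
    fit inside the fixed-size buffer before any copy takes place."""
    return 2 * len(s) + 2 <= buf_size

def classify(data: bytes) -> str:
    """Return 'ok', 'malformed', 'overlong' or 'other' (not Diagnostic)."""
    try:
        msg = parse_diag_request(data)
    except ValueError:
        return "malformed"
    if msg["code"] != DIAG_CODE:
        return "other"
    return "ok" if unicode_copy_fits(msg["string"]) else "overlong"

def build_diag_request(s: bytes, code: bytes = DIAG_CODE) -> bytes:
    """Constructed sample message (unknown fields zeroed) for local tests."""
    body = s + b"\x00"
    total = HEADER_LEN + len(body)
    # 4-byte length, 8 + 9 unknown bytes, 3-byte code, 2 unknown bytes, string
    return struct.pack(">I", total) + bytes(17) + code + bytes(2) + body
```

A message that `classify` reports as "overlong" is the condition an IPS signature such as the one below is meant to flag; "malformed" covers truncated or unterminated input that a robust parser should reject before copying anything.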

Dell SonicWALL has released an IPS signature to address this issue. The following signature was released:

  • 7917 – SAP NetWeaver Dispatcher Buffer Overflow Attempt

This vulnerability has been assigned CVE-2012-2611 by MITRE.
