Vulnerability ID 5630

SAP NetWeaver 7.0/7.02/7.03 msg_server.exe Stack-based buffer overflow

SAP
CVSSv2 Temp Score: 8.1
Current Exploit Price: $5k-$10k

A vulnerability classified as critical was found in SAP NetWeaver 7.0/7.02/7.03. It affects an unknown function of the component msg_server.exe. Manipulation with an unknown input leads to a stack-based buffer overflow. Confidentiality, integrity, and availability are impacted. The CVE entry summarizes:

Multiple stack-based buffer overflows in msg_server.exe in SAP NetWeaver ABAP 7.x allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a (1) long parameter value, (2) crafted string size field, or (3) long Parameter Name string in a package with opcode 0x43 and sub opcode 0x4 to TCP port 3900.

The weakness was published on 06/28/2012 by e6af8de8b1d4b2b6d5ba2610cbf9cd38 with Zero Day Initiative as confirmed advisory ZDI-12-104 (ZDI). The advisory is available for download at zerodayinitiative.com. The public release was coordinated with the vendor. This vulnerability has been handled as CVE-2012-4341 since 08/15/2012. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details are unknown but a private exploit is available.

The vulnerability was handled as a non-public zero-day exploit for at least 244 days. During that time the estimated underground price was around $25k-$50k.

Applying a patch eliminates this problem.

The vulnerability is also documented in the databases at OSVDB (83494), Secunia (SA49744) and SecurityTracker (ID 1027211). The entries 10310, 10987, 10990 and 11001 are pretty similar.

CVSS

Base Score: 9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
Temp Score: 8.1 (CVSS2#E:ND/RL:OF/RC:C)

Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability
Local | High | Multiple | None | None | None
Adjacent | Medium | Single | Partial | Partial | Partial
Network | Low | None | Complete | Complete | Complete

Exploiting

Class: Buffer overflow (CWE-119)
Local: No
Remote: Yes

Availability: Yes
Access: Private

Current Price Estimation:

0-Day | $0-$1k | $1k-$2k | $2k-$5k | $5k-$10k | $10k-$25k | $25k-$50k | $50k-$100k | $100k-$500k
Today | $0-$1k | $1k-$2k | $2k-$5k | $5k-$10k | $10k-$25k | $25k-$50k | $50k-$100k | $100k-$500k

Countermeasures

Recommended: Patch
Status: Official fix
0-Day Time: 244 days since found

Timeline

10/28/2011 | Vendor informed
06/27/2012 | SecurityTracker entry created
06/28/2012 | Advisory disclosed
07/02/2012 | OSVDB entry created
07/04/2012 | VulDB entry created
08/15/2012 | CVE assigned
08/15/2012 | NVD disclosed
12/07/2015 | VulDB entry updated

Sources

Advisory: ZDI-12-104
Researcher: e6af8de8b1d4b2b6d5ba2610cbf9cd38
Company: Zero Day Initiative
Status: Confirmed
Confirmation: scn.sap.com
Coordinated: Yes

CVE: CVE-2012-4341 (mitre.org) (nvd.nist.org) (cvedetails.com)

Secunia: 49744 - SAP NetWeaver Multiple Buffer Overflow Vulnerabilities, Moderately Critical
SecurityTracker: 1027211 - SAP NetWeaver ABAP Flaw in 'msg_server.exe' Lets Remote Users Execute Arbitrary Code
OSVDB: 83494 - SAP Netweaver msg_server.exe Multiple Boundary Error Package Handling Overflows

See also: 10310, 10987, 10990, 11001, 13005, 65515, 65565, 65566, 65569, 65759, 8450, 8451, 8630, 9738

Entry

Created: 07/04/2012
Updated: 12/07/2015
Entry: 87.1% complete