SAP NetWeaver Dispatcher DiagTraceR3Info Packet Parsing Vulnerability

Added: 06/04/2012
CVE: CVE-2012-2611
OSVDB: 81759

Background

SAP NetWeaver is a technology platform for building and integrating SAP business applications.

Problem

SAP NetWeaver is vulnerable to a stack buffer overflow when the developer trace level is set to 2 or higher. The overflow can be triggered by sending specially crafted SAP Diag packets to remote TCP port 32## (where ## is the SAP system number) of a host running the Dispatcher service of SAP NetWeaver Application Server. The flaw is in the DiagTraceR3Info function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869.

Resolution

Contact the vendor for an update.

References

http://cxsecurity.com/cveshow/CVE-2012-2611/

Limitations

This exploit has been tested on SAP NetWeaver 7.01 SR1 and SAP NetWeaver 7.02 SP06 on Windows Server 2003 SP2 English (DEP OptOut).

SAP NetWeaver 7.01 SR1 only listens on IPv4.

The NetWeaver developer trace level must be set to 2 or higher for the exploit to succeed. To set it, add the line "rdisp/TRACE = 2" to the instance profile file <install dir>\NSP\SYS\profile\NSP_DVEBMGS00_<instance name>.
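
The trace-level precondition above can be checked from the defender's side. The following is an added example, not part of the original advisory or of SAP's tooling: it parses instance profile text, reports whether rdisp/TRACE is explicitly set to 2 or higher, and derives the 32## dispatcher port. The sample profile is constructed; reading SAPSYSTEM as the two-digit system number and keeping the last of repeated assignments are assumptions.

```python
import re

# Constructed sample instance profile (not taken from a real system).
SAMPLE_PROFILE = """\
# instance profile (constructed sample)
SAPSYSTEMNAME = NSP
SAPSYSTEM = 00
INSTANCE_NAME = DVEBMGS00
rdisp/wp_no_dia = 4
rdisp/TRACE = 2
"""

# "name = value" lines; names may contain '/', values may be empty.
_PARAM = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")

def parse_profile(text):
    """Return {parameter: value}, skipping blank lines and '#' comments.
    Assumption: when a parameter repeats, the last assignment is kept."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _PARAM.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def audit_trace_level(text):
    """Report whether the profile meets the advisory's precondition
    (rdisp/TRACE of 2 or higher) and which 32## port the dispatcher uses."""
    params = parse_profile(text)
    raw = params.get("rdisp/TRACE")
    try:
        level = int(raw) if raw is not None else None
    except ValueError:
        level = None  # unparsable value: flag for manual review
    # Assumption: SAPSYSTEM holds the two-digit SAP system number.
    sysnr = params.get("SAPSYSTEM", "")
    port = 3200 + int(sysnr) if sysnr.isdigit() and len(sysnr) == 2 else None
    return {
        "trace_level": level,            # None if unset or unparsable
        "explicit": raw is not None,     # False: instance default applies
        "precondition_met": level is not None and level >= 2,
        "needs_review": raw is not None and level is None,
        "dispatcher_port": port,
    }

if __name__ == "__main__":
    print(audit_trace_level(SAMPLE_PROFILE))
```

A result with "explicit" set to False means the profile does not override the trace level, so the running instance's effective value still has to be confirmed separately.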

Platforms

Windows
