=====================================================================
                           CERT-Renater

               Information Note No. 2010/VULN440
_____________________________________________________________________

DATE                 : 09/11/2010

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running SAP NetWeaver.

======================================================================
http://www.zerodayinitiative.com/advisories/ZDI-10-236/
______________________________________________________________________

SAP NetWeaver Composition Environment sapstartsrv.exe Remote Code
Execution Vulnerability

ZDI-10-236: November 8th, 2010

CVSS Score
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Affected Vendors
SAP

Affected Products
NetWeaver

TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by
Digital Vaccine protection filter ID 10656. For further product
information on the TippingPoint IPS:

http://www.tippingpoint.com

Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of SAP NetWeaver Composition Environment.
Authentication is not required to exploit this vulnerability.

The specific flaw exists within the sapstartsrv.exe process which
listens by default on ports 50013 and 50113. A malformed SOAP request
(via POST) can be used to reach an unbounded copy loop which results in
attacker-supplied data being written into existing function pointers.
It is possible for a remote attacker to leverage this vulnerability to
execute arbitrary code.
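
The bug class named in the Vulnerability Details (an unbounded copy loop that overruns into a function pointer), shown here as an added C example beside a bounds-checked form. It is a constructed illustration, not SAP or ZDI code; the struct layout and every name in it are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout: fixed buffer directly followed by a function pointer. */
typedef int (*handler_fn)(const char *);
struct request_ctx { char name[32]; handler_fn handler; };

static int default_handler(const char *s) { return (int)strlen(s); }

/* Flawed form, kept for comparison and never called here: the loop stops
   only at the source terminator, so long input runs on into `handler`. */
void copy_name_unbounded(struct request_ctx *ctx, const char *src)
{
    char *dst = ctx->name;
    while (*src)
        *dst++ = *src++;
    *dst = '\0';
}

/* Hardened form: length is checked against the destination before any
   byte is written; oversize input is rejected rather than truncated. */
int copy_name_bounded(struct request_ctx *ctx, const char *src, size_t len)
{
    if (len >= sizeof ctx->name)
        return -1;
    memcpy(ctx->name, src, len);
    ctx->name[len] = '\0';
    return 0;
}

/* Runs the bounded copy on a fresh context; returns 1 if `handler` is intact. */
int handler_intact_after(const char *value, size_t len, int *rc)
{
    struct request_ctx ctx = { {0}, default_handler };
    *rc = copy_name_bounded(&ctx, value, len);
    return ctx.handler == default_handler;
}

int main(void)
{
    int rc;
    char big[128];                     /* constructed oversize input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    int ok = handler_intact_after(big, strlen(big), &rc);
    printf("rc=%d handler_intact=%d\n", rc, ok);
    return (rc == -1 && ok) ? 0 : 1;
}
```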

Vendor Response
SAP states:
A solution was provided via SAP note 1414444
https://service.sap.com/sap/support/notes/1414444

Disclosure Timeline
2010-10-18 - Vulnerability reported to vendor
2010-11-08 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:
AbdulAziz Hariri

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER        | tel  : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel  | fax  : 01-53-94-20-41          +
+ 75013 Paris         | email: certsvp@renater.fr      +
=========================================================