The decompression routines for the two compression algorithms used across SAP SE products, some of the most widely deployed enterprise and business management software platforms on the market, contain multiple remotely exploitable security vulnerabilities.
Martin Gallo of Core Security Consulting Services found the vulnerabilities in the decompression code for two compression algorithms used throughout SAP's product line. SAP uses proprietary implementations of the Lempel-Ziv-Thomas (LZC) adaptive dictionary compression algorithm and the Lempel-Ziv-Huffman (LZH) compression algorithm. Gallo was able to trigger the vulnerabilities in several scenarios to execute arbitrary code, both remotely and locally, and to cause denial-of-service conditions.
Gallo reported two vulnerabilities, CVE-2015-2282 and CVE-2015-2278, an out-of-bounds write and an out-of-bounds read respectively, which he described on the Full Disclosure mailing list. Gallo released the details in coordination with SAP, which has released fixes for both issues; administrators still have to install the patches in order to protect their systems.
Vulnerable products include, but are not limited to, SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, SAP NetWeaver RFC SDK, SAP RFC SDK, SAP GUI, the SAP MaxDB database and the SAPCAR archive tool. These are only the products Gallo tested; other products and versions may be vulnerable as well.
SAP products use LZC and LZH algorithms to compress data in transit and for distributing files. The algorithms are also deployed in numerous open-source platforms.
The LZC decompression code is prone to memory corruption through a stack-based buffer overflow, which results from the out-of-bounds write mentioned above. The LZH vulnerability is an out-of-bounds read of a buffer used by the decompression routine when it looks up non-simple codes: a code value from the compressed stream is used as an index without being checked against the table it indexes.
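Both bug classes described above come down to trusting values in the compressed stream: an expansion length that is written to a fixed-size buffer without checking the remaining capacity, and a code value that is used as a table index without checking that it names an entry that exists. The following is an added illustration, not SAP's code and not a reconstruction of SAP's LZC or LZH formats: a minimal LZW-style dictionary decoder (LZC is an LZW variant, so the shape is similar) with the two guards in place. The names `lzw_decode`, `entry_t`, `emit_entry` and the `demo_*` helpers are this example's own, and the sample code streams are constructed for it. Remove the length check in `emit_entry` and a stream whose expansions exceed the buffer writes past it; remove the `code > next` check and a stream containing an unassigned code reads dictionary slots that were never filled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_CODES 4096   /* 12-bit code space, as in classic LZW (example assumption) */
#define OUT_CAP   64     /* small fixed output buffer so the write guard is easy to exercise */

enum { DEC_OK = 0, DEC_ERR_BAD_CODE = -1, DEC_ERR_OUTPUT = -2 };

/* One dictionary entry: the string is (string of prefix) followed by last. */
typedef struct {
    int16_t  prefix;     /* -1 for the 256 single-byte root entries */
    uint8_t  last;
    uint16_t len;        /* total string length, tracked so writes can be checked up front */
} entry_t;

static uint8_t first_byte(const entry_t *tab, uint16_t code)
{
    while (tab[code].prefix >= 0)
        code = (uint16_t)tab[code].prefix;
    return tab[code].last;
}

/* Copy the string for `code` to out[*outlen..]. The length check is the guard
 * against the out-of-bounds write: without it a crafted stream whose
 * expansions exceed `cap` writes past the end of the buffer. */
static int emit_entry(const entry_t *tab, uint16_t code,
                      uint8_t *out, size_t cap, size_t *outlen)
{
    uint16_t len = tab[code].len;
    if (len > cap - *outlen)
        return DEC_ERR_OUTPUT;
    size_t pos = *outlen + len;   /* the chain yields the last byte first, so fill backwards */
    for (int16_t c = (int16_t)code; c >= 0; c = tab[c].prefix)
        out[--pos] = tab[c].last;
    *outlen += len;
    return DEC_OK;
}

/* Decode an array of 16-bit LZW codes into out[]. Returns DEC_OK or a DEC_ERR_* value. */
int lzw_decode(const uint16_t *codes, size_t ncodes,
               uint8_t *out, size_t cap, size_t *outlen)
{
    entry_t tab[MAX_CODES];
    for (unsigned i = 0; i < 256; i++) {
        tab[i].prefix = -1; tab[i].last = (uint8_t)i; tab[i].len = 1;
    }
    uint16_t next = 256;          /* next free dictionary slot */
    *outlen = 0;
    if (ncodes == 0)
        return DEC_OK;
    uint16_t prev = codes[0];
    if (prev >= 256)              /* the first code must be a literal */
        return DEC_ERR_BAD_CODE;
    int rc = emit_entry(tab, prev, out, cap, outlen);
    if (rc != DEC_OK)
        return rc;
    for (size_t i = 1; i < ncodes; i++) {
        uint16_t code = codes[i];
        /* Guard against the out-of-bounds read: a code naming a slot that was
         * never filled (or lies beyond the table) must be rejected rather than
         * used as an index. code == next is the one legal forward reference. */
        if (code > next || (code == next && next >= MAX_CODES))
            return DEC_ERR_BAD_CODE;
        uint8_t first = (code == next) ? first_byte(tab, prev) : first_byte(tab, code);
        if (next < MAX_CODES) {   /* add prev + first as the new entry */
            tab[next].prefix = (int16_t)prev;
            tab[next].last = first;
            tab[next].len = (uint16_t)(tab[prev].len + 1);
            next++;
        }
        rc = emit_entry(tab, code, out, cap, outlen);
        if (rc != DEC_OK)
            return rc;
        prev = code;
    }
    return DEC_OK;
}

/* Constructed sample streams for this example (not taken from any SAP product). */
static const uint16_t GOOD_STREAM[] = { 65, 66, 256, 258 };   /* LZW encoding of "ABABABA" */
static const uint16_t BAD_CODE_STREAM[] = { 65, 300 };        /* code 300 was never assigned */

/* Returns 1 if the valid stream decodes to "ABABABA". */
int demo_valid(void)
{
    uint8_t out[OUT_CAP]; size_t n;
    int rc = lzw_decode(GOOD_STREAM, 4, out, sizeof out, &n);
    return rc == DEC_OK && n == 7 && memcmp(out, "ABABABA", 7) == 0;
}

/* Returns the decoder's status for a stream that references an unassigned code. */
int demo_bad_code(void)
{
    uint8_t out[OUT_CAP]; size_t n;
    return lzw_decode(BAD_CODE_STREAM, 2, out, sizeof out, &n);
}

/* Returns the decoder's status when the output buffer is too small for the expansion. */
int demo_small_output(void)
{
    uint8_t out[4]; size_t n;
    return lzw_decode(GOOD_STREAM, 4, out, sizeof out, &n);
}
```

The point a reviewer would check in any such routine is that both checks happen before the memory access they protect: the output length against the remaining capacity before the copy, and the code against the number of entries actually assigned (not merely against the table's allocated size) before the lookup.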
An attacker could trigger these vulnerabilities in server-side NetWeaver components by sending specially crafted packets. On the client side, an attacker could supply a specially crafted .CAR or .SAR archive for decompression, or stand up a rogue SAP server and lure users into connecting to it through their SAP client software. Man-in-the-middle attacks are also possible, because most of the affected services do not encrypt their communications.
Gallo first discovered the bugs in January. Core Security and SAP then worked together on a coordinated disclosure.