Internal Server Error: Exploiting Inter-Process Communication with new desynchronization primitives

Presented at DEF CON 30 (2022), Aug. 13, 2022, 5 p.m. (45 minutes)

In this talk I will show how to reverse engineer a proprietary HTTP Server in order to leverage memory corruption vulnerabilities using high level HTTP protocol exploitation techniques. To do so, I will present two critical vulnerabilities, CVE-2022-22536 and CVE-2022-22532, which were found in SAP's proprietary HTTP Server, and could be used by a remote unauthenticated attacker to compromise any SAP installation in the world.

First, I will explain how to escalate an error in the request handling process to Desynchronize data buffers and hijack every user’s account with Advanced Response Smuggling. Furthermore, as the primitives of this vulnerability do not rely on header parsing errors, I will show a new technique to persist the attack using the first Desync botnet in history. This attack will prove to be effective even in an “impossible to exploit” scenario: without a Proxy!

Next I will examine a Use-After-Free in the shared memory used for Inter-Process Communication. By exploiting the incorrect deallocation, I will show how to tamper messages belonging to other TCP connections and take control of all responses using Cache Poisoning and Response Splitting theory.

Finally, as the affected buffers could also contain IPC control data, I will explain how to corrupt memory address pointers and end up obtaining RCE.


Presenters:

  • Martin Doyhenard - Security Researcher at Onapsis
    Martin is a security researcher at the Onapsis Research Labs. His work includes performing security assessment on SAP and Oracle products and detecting vulnerabilities in ERP systems. His research is focused on Web stack security, reverse engineering and binary analisis, and he is also an active CTF player. Martin has spoken at different conferences including DEFCON, RSA, HITB and EkoParty, and presented multiple critical vulnerabilities.

Links:

Similar Presentations: