CVE-2012-2611
published 2012-05-15

CVE-2012-2611: The DiagTraceR3Info function in the Dialog processor in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and…

Priority: P2 69 · Severity: critical · CVSS 2.0 base score: 9.3 · Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: EXPLOIT
EPSS: 41.92% (98.5th percentile)
The DiagTraceR3Info function in the Dialog processor in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2, when a certain Developer Trace configuration is enabled, allows remote attackers to execute arbitrary code via a crafted SAP Diag packet.

Affected (1 range)

Vendor | Product | Version range | Fixed in
sap | netweaver | (not specified) | (not specified)

Detection & IOCs (extracted from sources)

port: 3200
filename: disp+work.exe
version: disp+work.exe 7010.29.15.58313
version: disp+work.exe 7200.70.18.23869
command: PrependEncoder: \x81\xc4\x54\xf2\xff\xff (add esp, -3500 stack adjustment)
bytes: \x00\x10\x00\x00\x00\x00\x00\x00
bytes: \x10\x04\x02\x00\x0c\x00\x00\x00\xc8\x00\x00\x04\x4c\x00\x00\x0b\xb8
bytes: \x10\x06\x20
bytes: \x10\x04\x26\x00\x04\x00\x00\x00\x01
  • The SAP NetWeaver Dispatcher (disp+work.exe) is only exploitable when Developer Traces are configured at level 2 or 3; monitor or alert on this configuration setting.
  • Exploit traffic targets TCP port 3200 (SAP Dispatcher default). Monitor for crafted SAP Diag packets on this port, especially oversized messages in the DiagTraceR3Info message type (0x10 0x06 0x20 prefix).
  • The exploit uses a Metasploit post-exploitation migrate (-f) auto-run script; detect unexpected process migration activity on SAP application servers after disp+work.exe receives network connections.
  • The stack-pivot ROP chain for Windows 2003 SP2 target uses msvcrt.dll gadgets; detection of unusual ROP-like stack behavior (ADD ESP,2C; RETN sequences) in disp+work.exe process memory is indicative of exploitation.
  • The vulnerability is only triggerable when Developer Trace is enabled at level 2 or 3 in the SAP NetWeaver Dispatcher configuration. Systems with Developer Traces disabled or set to level 0/1 are not exploitable via this vector.