SAP NetWeaver Java AS WD_CHAT - Information disclosure vulnerability
2015-04-12T00:00:00
ID ERPSCAN-16-016 Type erpscan Reporter ERPScan Modified 2015-04-12T00:00:00
Description
Application: SAP NetWeaver
Versions Affected: SAP NetWeaver 7.1 – 7.5
Vendor URL: http://sap.com
Bugs: Information disclosure
Reported: 04.12.2015
Vendor response: 05.12.2015
Date of Public Advisory: 08.03.2016
Reference: SAP Security Note 2255990
Author: Vahagn Vardanyan (ERPScan)
VULNERABILITY INFORMATION
Class: Information disclosure
Impact: Private data leakage
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2016-3973
CVSS Information
CVSS Base Score v3: 4.3 / 10
CVSS Base Vector:
Metric | Value
---|---
AV : Access Vector (Related exploit range) | Network (N)
AC : Access Complexity (Required attack complexity) | Low (L)
Au : Authentication (Level of authentication needed to exploit) | None (N)
C : Impact to Confidentiality | Low (N)
I : Impact to Integrity | None (N)
A : Impact to Availability | None (N)
Description
An anonymous attacker can use a special HTTP request to get information about SAP NetWeaver users.
Business risk
An attacker can use an information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps them learn about a system and plan other attacks.
VULNERABLE PACKAGES
RTC 7.3-7.4
Other versions are probably affected too, but they were not checked.
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2255990.
TECHNICAL DESCRIPTION
An anonymous attacker can use a special HTTP request to get information about SAP NetWeaver users.
Steps to exploit the vulnerability
1. Open http://SAP:50000/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#
2. Press “Add users”.
3. In the opened window, enter any chars and press search.
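
For defenders, one way to check whether the WD_CHAT application has been reached without a login is to search front-end access logs for the path named in step 1. The following is an added example, not part of the original advisory or any SAP or ERPScan tooling. It assumes combined-format access logs (for instance from a reverse proxy in front of the Java AS) in which the user field is "-" for unauthenticated requests; the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Path from the advisory, lower-cased; the "#" fragment is never sent to the server.
WD_CHAT_PATH = "/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/chat"

# Assumed layout: common/combined log format (ip ident user [ts] "request" status ...).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalize_path(target):
    """Reduce a request target to a canonical path for comparison."""
    path = target.split("?", 1)[0].split("#", 1)[0]  # drop query and fragment
    path = unquote(path).split(";", 1)[0]            # decode %7E, drop ;jsessionid=...
    path = re.sub(r"/{2,}", "/", path)               # collapse duplicate slashes
    return path.rstrip("/").lower()                  # compare case-insensitively

def find_wd_chat_hits(lines):
    """Return one record per logged request that targets the WD_CHAT application."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                 # not an access-log line
        path = normalize_path(m["target"])
        if path == WD_CHAT_PATH or path.startswith(WD_CHAT_PATH + "/"):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "anonymous": m["user"] == "-"})
    return hits

def anonymous_successes(hits):
    """Per client IP, count 2xx responses served without an authenticated user."""
    return Counter(h["ip"] for h in hits
                   if h["anonymous"] and 200 <= h["status"] < 300)

# Constructed sample lines using documentation IP ranges, not real traffic.
P = "/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat"
SAMPLE = [
    f'203.0.113.7 - - [08/Mar/2016:10:01:02 +0000] "GET {P} HTTP/1.1" 200 5120',
    '203.0.113.7 - - [08/Mar/2016:10:01:09 +0000] "POST /webdynpro/resources/sap.com/'
    'tc%7Ertc%7Ecoll.appl.rtc%7Ewd_chat/Chat;jsessionid=EXAMPLE?q=1 HTTP/1.1" 200 812',
    f'198.51.100.20 - jdoe [08/Mar/2016:10:05:00 +0000] "GET {P} HTTP/1.1" 200 5120',
    f'192.0.2.44 - - [08/Mar/2016:10:06:00 +0000] "GET {P} HTTP/1.1" 401 300',
    '192.0.2.44 - - [08/Mar/2016:10:06:30 +0000] "GET /irj/portal HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, n in anonymous_successes(find_wd_chat_hits(SAMPLE)).items():
        print(f"{ip}: {n} anonymous 2xx request(s) to WD_CHAT")
```

Clients listed by `anonymous_successes` received the chat application without authenticating; on a system where SAP Security Note 2255990 is not yet installed, those requests are the ones to review first.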
{"id": "ERPSCAN-16-016", "bulletinFamily": "info", "title": "SAP NetWeaver Java AS WD_CHAT - Information disclosure vulnerability", "description": "**Application:** SAP NetWeaver \n**Versions Affected:** SAP NetWeaver 7.1 \u2013 7.5 \n**Vendor URL:** [ SAP](<http://sap.com>) \n**Bugs:** Information disclosure \n**Reported:** 04.12.2015 \n**Vendor response:** 05.12.2015 \n**Date of Public Advisory:** 08.03.2016 \n**Reference:** SAP Security Note [2255990](<https://service.sap.com/sap/support/notes/2255990>) \n**Author:** Vahagn Vardanyan (ERPScan)\n\n## VULNERABILITY INFORMATION\n\nClass: Information disclosure \nImpact: Private data leakage \nRemotely Exploitable: Yes \nLocally Exploitable: No \nCVE: CVE-2016-3973 \nCVSS Information \nCVSS Base Score v3: 4.3 / 10 \nCVSS Base Vector:\n\nAV : Access Vector (Related exploit range) | Network (N) \n---|--- \nAC : Access Complexity (Required attack complexity) | Low (L) \nAu : Authentication (Level of authentication needed to exploit) | None (N) \nC : Impact to Confidentiality | Low(N) \nI : Impact to Integrity | None(N) \nA : Impact to Availability | None (N) \n \n**Description** \nAnonymous attacker can use a special HTTP request to get information about SAP NetWeaver users.\n\n**Business risk** \nAn attacker can use an Information disclosure vulnerability to reveal additional information (system data, debugging information, etc) which will help him to learn about a system and to plan other attacks.\n\n## VULNERABLE PACKAGES\n\nRTC 7.3-7.4 \nOther versions are probably affected too, but they were not checked.\n\n## SOLUTIONS AND WORKAROUNDS\n\nTo correct this vulnerability, install SAP Security Note [2255990](<https://service.sap.com/sap/support/notes/2255990>)\n\n## TECHNICAL DESCRIPTION\n\nAnonymous attacker can use a special HTTP request to get information about SAP NetWeaver users.\n\nSteps to exploit the vulnerability\n\n1\\. 
open http://SAP:50000/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat# \n2\\. press \u201cAdd users\u201d \n3\\. in the opened window, enter any chars and press search\n", "published": "2015-04-12T00:00:00", "modified": "2015-04-12T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "https://erpscan.io/advisories/erpscan-16-016-sap-netweaver-7-4-information-disclosure-wd_chat/", "reporter": "ERPScan", "references": [], "cvelist": ["CVE-2016-3973"], "type": "erpscan", "lastseen": "2020-09-17T18:41:51", "edition": 6, "viewCount": 112, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-3973"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:137579"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106149"]}], "modified": "2020-09-17T18:41:51", "rev": 2}, "score": {"value": 5.8, "vector": "NONE", "modified": "2020-09-17T18:41:51", "rev": 2}, "vulnersScore": 5.8}, "scheme": null}
{"cve": [{"lastseen": "2020-10-03T12:10:45", "description": "The chat feature in the Real-Time Collaboration (RTC) services 7.3 and 7.4 in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to obtain sensitive user information by visiting webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat#, pressing \"Add users\", and doing a search, aka SAP Security Note 2255990.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-04-07T19:59:00", "title": "CVE-2016-3973", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3973"], "modified": "2018-12-10T19:29:00", "cpe": ["cpe:/a:sap:netweaver:7.40"], "id": "CVE-2016-3973", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3973", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:sap:netweaver:7.40:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-05-12T17:20:41", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3973"], "description": "SAP NetWeaver is prone to an information disclosure vulnerability.", "modified": "2020-05-08T00:00:00", 
"published": "2016-07-22T00:00:00", "id": "OPENVAS:1361412562310106149", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106149", "type": "openvas", "title": "SAP NetWeaver WD_CHAT Information Disclosure Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# SAP NetWeaver WD_CHAT Information Disclosure Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:sap:netweaver';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106149\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-07-22 14:30:27 +0700 (Fri, 22 Jul 2016)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_cve_id(\"CVE-2016-3973\");\n\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"SAP NetWeaver WD_CHAT Information Disclosure Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_sap_netweaver_detect.nasl\");\n script_mandatory_keys(\"sap_netweaver/installed\");\n\n script_tag(name:\"summary\", value:\"SAP NetWeaver is prone to an information disclosure vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if WD_CHAT is accessible.\");\n\n script_tag(name:\"insight\", value:\"The chat feature in the Real-Time Collaboration (RTC) services allows\n remote attackers to obtain sensitive user information.\");\n\n script_tag(name:\"impact\", value:\"An unauthenticated attacker can get information about SAP NetWeaver\n users.\");\n\n script_tag(name:\"affected\", value:\"Version 7.1 - 7.5\");\n\n script_tag(name:\"solution\", value:\"Check the references for solutions.\");\n\n script_xref(name:\"URL\", 
value:\"https://erpscan.com/advisories/erpscan-16-016-sap-netweaver-7-4-information-disclosure-wd_chat/\");\n script_xref(name:\"URL\", value:\"https://service.sap.com/sap/support/notes/2255990\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (version = get_app_version(cpe: CPE, port: port)) {\n if (version !~ \"^7.[1-5]\")\n exit(0);\n}\n\nurl = \"/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat\";\n\nif (http_vuln_check(port: port, url: url, pattern: \"set-cookie\", check_header: TRUE)) {\n report = http_report_vuln_url(port: port, url: url);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:34", "description": "", "published": "2016-06-22T00:00:00", "type": "packetstorm", "title": "SAP NetWeaver AS JAVA 7.5 Information Disclosure", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3973"], "modified": "2016-06-22T00:00:00", "id": "PACKETSTORM:137579", "href": "https://packetstormsecurity.com/files/137579/SAP-NetWeaver-AS-JAVA-7.5-Information-Disclosure.html", "sourceData": "`Application: SAP NetWeaver AS JAVA \n \nVersions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5 \n \nVendor URL: http://SAP.com \n \nBug: information disclosure \n \nSent: 04.12.2015 \n \nReported: 05.12.2015 \n \nVendor response: 05.12.2015 \n \nDate of Public Advisory: 08.03.2016 \n \nReference: SAP Security Note 2255990 \n \nAuthor: Vahagn Vardanyan (ERPScan) \n \n \n \n \nDescription \n \n1. 
ADVISORY INFORMATION \n \nTitle: SAP NetWeaver AS Java WD_CHAT \u2013 Information disclosure vulnerability \n \nAdvisory ID: [ERPSCAN-16-016] \n \nRisk: Medium \n \nAdvisory URL: https://erpscan.com/advisories/erpscan-16-016-sap-netweaver-7-4-information-disclosure-wd_chat/ \n \nDate published: 08.03.2016 \n \nVendors contacted: SAP \n \n \n2. VULNERABILITY INFORMATION \n \nClass: Information disclosure \n \nImpact: Private data leakage \n \nRemotely Exploitable: Yes \n \nLocally Exploitable: No \n \nCVE: CVE-2016-3973 \n \n \n \nCVSS Information \n \nCVSS Base Score v3: 4.3 / 10 \n \nCVSS Base Vector: \n \nAV : Access Vector (Related exploit range) Network (N) \n \nAC : Access Complexity (Required attack complexity) Low (L) \n \nAu : Authentication (Level of authentication needed to exploit) None (N) \n \nC : Impact to Confidentiality Low(N) \n \nI : Impact to Integrity None(N) \n \nA : Impact to Availability None (N) \n \n \n3. VULNERABILITY DESCRIPTION \n \nAnonymous attacker can use a special HTTP request to get information \nabout SAP NetWeaver users. \n \n \n4. VULNERABLE PACKAGES \n \nRTC 7.3-7.4 \n \nOther versions are probably affected too, but they were not checked. \n \n \n5. SOLUTIONS AND WORKAROUNDS \n \nTo correct this vulnerability, install SAP Security Note 2255990 \n \n \n6. AUTHOR \n \nVahagn Vardanyan (ERPScan) \n \n \n7. TECHNICAL DESCRIPTION \n \nAnonymous attacker can use a special HTTP request to get information \nabout SAP NetWeaver users. \n \n \nSteps to exploit the vulnerability \n \n1. open http://SAP:50000/webdynpro/resources/sap.com/tc~rtc~coll.appl.rtc~wd_chat/Chat# \n \n2. press \"Add users\" \n \n3. in the opened window, enter any chars and press search \n \n \n \n8. REPORT TIMELINE \n \nSent: 04.12.2015 \n \nReported: 05.12.2015 \n \nVendor response: 05.12.2015 \n \nDate of Public Advisory: 08.03.2016 \n \n \n \n9. 
REFERENCES \n \nhttps://erpscan.com/advisories/erpscan-16-016-sap-netweaver-7-4-information-disclosure-wd_chat/ \n \n \n10. ABOUT ERPScan Research \n \nThe company\u2019s expertise is based on the research subdivision of \nERPScan, which is engaged in vulnerability research and analysis of \ncritical enterprise applications. It has achieved multiple \nacknowledgments from the largest software vendors like SAP, Oracle, \nMicrosoft, IBM, VMware, HP for discovering more than 400 \nvulnerabilities in their solutions (200 of them just in SAP!). \n \nERPScan researchers are proud to have exposed new types of \nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be \nnominated for the best server-side vulnerability at BlackHat 2013. \n \nERPScan experts have been invited to speak, present, and train at 60+ \nprime international security conferences in 25+ countries across the \ncontinents. These include BlackHat, RSA, HITB, and private SAP \ntrainings in several Fortune 2000 companies. \n \nERPScan researchers lead the project EAS-SEC, which is focused on \nenterprise application security research and awareness. They have \npublished 3 exhaustive annual award-winning surveys about SAP \nsecurity. \n \nERPScan experts have been interviewed by leading media resources and \nfeatured in specialized info-sec publications worldwide. These include \nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, \nHeise, and Chinabyte, to name a few. \n \nWe have highly qualified experts in staff with experience in many \ndifferent fields of security, from web applications and \nmobile/embedded to reverse engineering and ICS/SCADA systems, \naccumulating their experience to conduct the best SAP security \nresearch. \n \n \n \n11. ABOUT ERPScan \n \nERPScan is the most respected and credible Business Application \nSecurity provider. 
Founded in 2010, the company operates globally and \nenables large Oil and Gas, Financial and Retail organizations to \nsecure their mission-critical processes. Named as an \u2018Emerging Vendor\u2019 \nin Security by CRN, listed among \u201cTOP 100 SAP Solution providers\u201d and \ndistinguished by 30+ other awards, ERPScan is the leading SAP SE \npartner in discovering and resolving security vulnerabilities. ERPScan \nconsultants work with SAP SE in Walldorf to assist in improving the \nsecurity of their latest solutions. \n \nERPScan\u2019s primary mission is to close the gap between technical and \nbusiness security, and provide solutions to evaluate and secure SAP \nand Oracle ERP systems and business-critical applications from both, \ncyber-attacks as well as internal fraud. Usually our clients are large \nenterprises, Fortune 2000 companies and managed service providers \nwhose requirements are to actively monitor and manage security of vast \nSAP landscapes on a global scale. \n \nWe \u2018follow the sun\u2019 and function in two hubs, located in the Palo Alto \nand Amsterdam to provide threat intelligence services, agile support \nand operate local offices and partner network spanning 20+ countries \naround the globe. \n \n \n \nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301 \n \nPhone: 650.798.5255 \n \nTwitter: @erpscan \n \nScoop-it: Business Application Security \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/137579/ERPSCAN-16-016.txt"}]}