SAP Afaria product exposed a series of serious vulnerabilities that affect a large number of mobile device-bug warning-the black bar safety net

ID MYHACK58:62201567285
Type myhack58
Reporter 佚名
Modified 2015-09-23T00:00:00


Afaria is the German SAP software company developed a mobile device management MDM solutions that are currently on the market the most popular MDM solutions, there are about 6 3 0 0 a enterprise which manages 1 billion 3 0 0 million of the mobile device. ERPScan is specifically responsible for the protection of SAP and Oracle important the ERP system of the security company, its security personnel are in the SAP Afaria on the discovery of a series of serious vulnerabilities that their original plan was in 3 at the end of the Black Hat conference, Asia on the disclosure of these issues, but SAP did not promptly release a patch, so the original plan of the disclosure the speech is also delayed. Until Thursday in Atlanta held at the Hacker Halted conference before publication of the vulnerability details. Vulnerability one: permission bypass vulnerability Wherein ERPScan reports and identified the most severe of the vulnerabilities is a privilege bypass vulnerability, an attacker can use SAP Afaria in the vulnerability control user's mobile phone. Afaria allows administrators to manage on a mobile device sends an SMS message, you can then remotely perform a variety of operations, you can delete devices, lock devices, so WiFi is not available. The attacker will first forged an identity verification characters of a SHA256 hash value, and then to the victim on the phone to send a malicious administrator information. But the attacker to send a malicious administrator information when you need to have two conditions: 1, the victim's cell phone number; 2, The International Mobile Equipment identity code IMEI is. ERPScan technical Director Alexander Polyakov noted that an external attacker can through the social worker of the manner or from the target companies online to get the victims phone number. As for the IMEI it is a little difficult to get, you can in the target company somewhere near sniffing its GSM traffic. If it is inside of the attacker then it is simple and more, enterprises inside the entrance can be found to many phone numbers. “Typically, the company buys mobile devices will be buying in bulk, so the IMEI are relatively similar, only a few characters different. So as long as know a person's IMEI, you can follow the guess other people's IMEI, and thus can contribute to the company's employees sending administrator information.” The problem in the 3 on 1 2 January, on the report to the SAP, but the SAP in 2 months only after giving the repair. Vulnerability two: the storage typexss In addition, a more serious vulnerability is the storage typeXSSvulnerability that may affect the product's Management Console. The attacker can be Remote in the console on the injection of malicious javascript code, The administrator as long as the landing, the code will be executed. Theoretically, an attacker can exploit the vulnerability control all mobile devices, and send a malicious program. If an attacker infected the MDM is the attacker's invasion, then the victim's mobile device will be in complete control, but also can enhance their own privileges, to access the storage of the important data of the enterprise system. The storage typeXSSvulnerabilities in the 2 months report to SAP, 8 months before giving the Fix. Other vulnerabilities In addition to these two vulnerabilities outside, ERPScan also discovered several buffer overflow vulnerabilities, errors, authorization issues, hard-coded encryption key problem.