Lucene search
Francisco Leon <@arphanetx>NMAP:HTTP-SAP-NETWEAVER-LEAK.NSEHistoryOct 19, 2018 - 5:00 a.m.
http-sap-netweaver-leak NSE Script
2018-10-1905:00:46
Francisco Leon <@arphanetx>
nmap.org
678
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Detects SAP Netweaver Portal instances that allow anonymous access to the KM unit navigation page. This page leaks file names, ldap users, etc.
SAP Netweaver Portal with the Knowledge Management Unit enable allows unauthenticated users to list file system directories through the URL ‘/irj/go/km/navigation?Uri=/’.
This issue has been reported and won’t be fixed.
References:
- <https://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/5c004250995a6ae10000000a42189b/frameset.htm>
Script Arguments
slaxml.debug
See the documentation for the slaxml library.
http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
vulns.short, vulns.showall
See the documentation for the vulns library.
Example Usage
-
nmap -p 80 --script http-sap-netweaver-leak <target> -
nmap -sV --script http-sap-netweaver-leak <target>
Script Output
PORT STATE SERVICE REASON
443/tcp open https syn-ack
| http-sap-netweaver-leak:
| VULNERABLE:
| Anonymous access to SAP Netweaver Portal
| State: VULNERABLE (Exploitable)
| SAP Netweaver Portal with the Knowledge Management Unit allows attackers to obtain system information
| including file system structure, LDAP users, emails and other information.
|
| Disclosure date: 2018-02-1
| Check results:
| Visit /irj/go/km/navigation?Uri=/ to access this SAP instance.
| Extra information:
| ~system
| discussiongroups
| documents
| Entry Points
| etc
| Reporting
| References:
|_ https://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/5c004250995a6ae10000000a42189b/frameset.htm
Requires
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"
local table = require "table"
description = [[
Detects SAP Netweaver Portal instances that allow anonymous access to the
KM unit navigation page. This page leaks file names, ldap users, etc.
SAP Netweaver Portal with the Knowledge Management Unit enable allows unauthenticated
users to list file system directories through the URL '/irj/go/km/navigation?Uri=/'.
This issue has been reported and won't be fixed.
References:
* https://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/5c004250995a6ae10000000a42189b/frameset.htm
]]
---
-- @usage nmap -p 80 --script http-sap-netweaver-leak <target>
-- @usage nmap -sV --script http-sap-netweaver-leak <target>
--
-- @output
-- PORT STATE SERVICE REASON
-- 443/tcp open https syn-ack
-- | http-sap-netweaver-leak:
-- | VULNERABLE:
-- | Anonymous access to SAP Netweaver Portal
-- | State: VULNERABLE (Exploitable)
-- | SAP Netweaver Portal with the Knowledge Management Unit allows attackers to obtain system information
-- | including file system structure, LDAP users, emails and other information.
-- |
-- | Disclosure date: 2018-02-1
-- | Check results:
-- | Visit /irj/go/km/navigation?Uri=/ to access this SAP instance.
-- | Extra information:
-- | ~system
-- | discussiongroups
-- | documents
-- | Entry Points
-- | etc
-- | Reporting
-- | References:
-- |_ https://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/5c004250995a6ae10000000a42189b/frameset.htm
--
-- @xmloutput
-- <table key="NMAP-1">
-- <elem key="title">Anonymous access to SAP Netweaver Portal</elem>
-- <elem key="state">VULNERABLE (Exploitable)</elem>
-- <table key="description">
-- <el em>SAP Netweaver Portal with the Knowledge Management Unit allows attackers to obtain system information

-- including file system structure, LDAP users, emails and other information.
</elem>
-- </table>
-- <table key="dates">
-- <table key="disclosure">
-- <elem key="day">1</elem>
-- <elem key="year">2018</elem>
-- <elem key="month">02</elem>
-- </table>
-- </table>
-- <elem key="disclosure">2018-02-1</elem>
-- <table key="check_results">
-- <elem>Visit /irj/go/km/navigation?Uri=/ to access this SAP instance.</elem>
-- </table>
-- <table key="extra_info">
-- <elem>&#x7e;system</elem>
-- </table>
-- <table key="refs">
-- <elem>https://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/5c004250995a6ae10000000a42189b/frameset.htm</elem>
-- </table>
-- </table>
-- </script>
---
author = "Francisco Leon <@arphanetx>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}
local evil_path = "/irj/go/km/navigation?Uri=/"
portrule = shortport.http
action = function(host, port)
local vuln = {
title = 'Anonymous access to SAP Netweaver Portal',
state = vulns.STATE.NOT_VULN,
description = [[
SAP Netweaver Portal with the Knowledge Management Unit allows attackers to obtain system information
including file system structure, LDAP users, emails and other information.
]],
references = {
'https://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/5c004250995a6ae10000000a42189b/frameset.htm',
},
dates = {
disclosure = {year = '2018', month = '02', day = '1'},
},
}
local status_404, result_404, _= http.identify_404(host,port)
if (status_404 and result_404 == 200 ) then
stdnse.debug1("Exiting due to ambiguous response from web server on %s%:s.All URIs return status 200", host.ip, port.number)
return nil
end
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local output_table = stdnse.output_table()
local options = {header={}, no_cache=true, bypass_cache=true}
--We need a valid User Agent for SAP Netweaver Portal servers
options['header']['User-Agent'] = "Mozilla/5.0 (compatible; MSIE 10.6; Windows NT 6.1; Trident/5.0; InfoPath.2; SLCC1;"
..".NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727) 3gpp-gba UNTRUSTED/1.0"
local response = http.get(host, port, evil_path, options)
if response and response.status == 200 then
if string.find(response.body,'logon') then
stdnse.debug1("String 'logon' was found in this page. Exiting.")
return vuln_report:make_output(vuln)
else
local files = {}
for file in string.gmatch(response.body, "[Cc][Ll][Aa][Ss][Ss][=][\"]urTxtStd[\"]>([^$<]*.)</[Ss][Pp][Aa][Nn]>") do
table.insert(files, file)
end
if #files>0 then
vuln.state = vulns.STATE.EXPLOIT
vuln.extra_info = files
vuln.check_results = string.format("Visit %s to obtain more information about the files.", evil_path)
end
return vuln_report:make_output(vuln)
end
else
stdnse.debug1("SAP Netweaver Portal not found.")
return vuln_report:make_output(vuln)
end
end
Related
nmap
nmap
ajp-headers NSE Script
2012-05-07 18:49:22
netbus-info NSE Script
2010-12-13 18:00:02
bitcoin-info NSE Script
2011-11-09 18:56:16
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Related for NMAP:HTTP-SAP-NETWEAVER-LEAK.NSE