SAP Application Server ABAP Open Redirection

`SEC Consult Vulnerability Lab Security Advisory < 20231005-0 >  
=======================================================================  
title: Open Redirect in BSP Test Application it00  
(Bypass for CVE-2020-6215 Patch)  
product: SAP® Application Server ABAP and ABAP®  
Platform (SAP_BASIS)  
vulnerable version: see section "Vulnerable / tested versions"  
fixed version: see SAP security note 3258950  
CVE number: CVE-2020-6215  
impact: medium  
homepage: https://www.sap.com  
found: 2022-09-23  
by: Fabian Hagg (Office Vienna)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"SAP is one of the world’s leading producers of software for the management of  
business processes."[1]  
  
[1] https://www.sap.com/about/what-is-sap.html  
  
  
Business recommendation:  
------------------------  
By exploiting the vulnerability documented in this advisory, attackers  
can redirect users to arbitrary sites. Targeted users of such an  
attack may be victims of successful phishing attempts jeopardizing the  
confidentiality of logon information or other data.  
  
SEC Consult recommends to implement the security note 3258950, where the  
documented issue is fixed according to the vendor. We advise installing  
the correction as a matter of priority to keep business-critical data secure.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Open Redirect Vulnerability (Patch bypass of CVE-2020-6215)  
The sample Business Server Pages (BSP) application it00 suffers from an open  
redirect vulnerability that is referred to by CVE-2020-6215 [2]. A patch  
for this issue was made available via SAP Security Note 2872782 [3].  
During analysis, it was identified that the patch is insufficient and can  
be bypassed.  
  
[2] https://nvd.nist.gov/vuln/detail/CVE-2020-6215  
[3] https://me.sap.com/notes/2872782  
  
  
Proof of concept:  
-----------------  
1) Open Redirect Vulnerability (Patch bypass of CVE-2020-6215)  
The following source code excerpt of event handler OnInputProcessing() of  
BSP subpage transition_navigation.htm shows that by the implementation of  
SAP Security Note 2872782, an additional check was introduced that validates  
the HTTP request parameter ‘applicationUrl’ against pseudo-headers ~server_name,  
respectively ~server_name_expanded. Thus, to verify that the provided URL  
complies with these values to only allow redirects to the local server,  
the IF condition checks if the specified ‘applicationUrl’ parameter contains  
the host name of the local server. Only if this check is evaluated successfully,  
the browser of the calling user gets redirected to the intended page.  
  
---------------------------------------------------------------------------  
[...]  
when 'call'.  
data: url1 type string,  
url2 type string,  
host_name type string.  
host_name = request->get_header_field( '~server_name' ).  
if host_name is initial.  
host_name = request->get_header_field( '~server_name_expanded' ).  
endif.  
url = request->get_form_field( 'applicationUrl' ).  
if url cs host_name.  
split url at '?' into url1 url2.  
url2 = cl_abap_dyn_prg=>escape_xss_url( url2 ).  
concatenate url1 '?' url2 into url.  
navigation->call_application( url = url ).  
endif.  
* negative test cases  
when 'error_no_such_exit'.  
navigation->next_page( 'NAVFAIL' ).  
  
  
endcase.  
---------------------------------------------------------------------------  
  
It was observed that this check can be bypassed, for example, by crafting  
special HTTP requests that contain the host name of the target application  
server (the PoC uses the <app server hostname> placeholder) within the query string  
part of the URL provided via parameter ‘applicationUrl’. To validate this issue,  
the following URL can be browsed to in order to trigger the vulnerability and  
circumvent the implemented patch.  
  
---------------------------------------------------------------------------  
http[s]://<app server hostname>:<ICM port>/sap/bc/bsp/sap/it00/transition_  
navigation.htm?ApplicationURL=http://127.0.0.1:8080/?<app server hostname>  
&onInputProcessing%28call%29=Start+Application  
---------------------------------------------------------------------------  
  
For demonstration purposes, after a successful login, the browser is redirected  
by the application server to localhost on port 8080 (any other host/port pair  
could by specified by the attacker).  
  
The server replies with a "302 Found" message redirecting the browser to the  
localhost address defined in the response Location header field:  
  
---------------------------------------------------------------------------  
HTTP/2 302 Found  
Content-Type: text/html  
Content-Length: 0  
Location: http://127.0.0.1:8080/?<app server hostname>&sap-params=[...]  
---------------------------------------------------------------------------  
  
An attacker can create a URL which would redirect the victim to a malicious  
site, for example, a phishing site convincing the victim to login once again.  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following version has been tested and found to be vulnerable:  
  
- SAP_BASIS release 755, SP level 01  
  
According to the vendor the following releases and versions  
are affected by the discovered vulnerability:  
  
- SAP_BASIS 700-702  
- SAP_BASIS 731  
- SAP_BASIS 740  
- SAP_BASIS 750-757  
  
  
Vendor contact timeline:  
------------------------  
2022-10-03: Contacting vendor through vulnerability submission web form.  
2022-10-04: Vendor confirms receipt and assigns internal ID #2270141902.  
2022-10-19: Vendor confirms vulnerability and proposes new CVSS score of  
5.4 (NLNR|U|LLN).  
2022-10-24: Asking vendor why new CVSS rating differs from initial  
vulnerability rating. No response.  
2022-11-24: Asking vendor for update.  
2022-11-30: Vendor states that the patch is about to be released with the  
upcoming Patch Tuesday December 2022.  
2022-12-13: Vendor releases patch with SAP Security Note 3258950.  
2023-10-05: Release of security advisory.  
  
  
Solution:  
---------  
The vendor provides a patched version which should be installed immediately.  
Patches are available in form of SAP Security Notes which can be accessed  
via the SAP Customer Launchpad [4]. More information can also be found in  
the Official SAP Security Patchday Blog [5].  
  
The following Security Note needs to be implemented: 3258950  
  
[4] https://me.sap.com/app/securitynotes  
[5] https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10  
  
  
Workaround:  
-----------  
Disable BSP test application it00 in the ICF service tree in transaction  
SICF.  
  
  
Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult, an Eviden business  
Europe | Asia  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF F. Hagg / @2023  
  
`