ERPSCAN Research Advisory [ERPSCAN-15-017] SAP NetWeaver J2EE DAS service - Unauthorized Access
Application: SAP NetWeaver Versions Affected: SAP NetWeaver AS JAVA, probably others Vendor URL: http://SAP.com Bugs: Unauthorized access Sent: 20.04.2013 Reported: 21.04.2013 Vendor response: 21.04.2013 Date of Public Advisory: 13.10.2015 Reference: SAP Security Note 1945215 Author: Alexander Polyakov (ERPScan)
Description 1. ADVISORY INFORMATION Title: SAP NetWeaver J2EE DAS service – Unauthorized Access Advisory ID: [ERPSCAN-15-017] Risk: High Advisory URL: http://erpscan.com/advisories/erpscan-15-017-sap-netweaver-j2ee-das-service-unauthorized-access/ Date published: 13.10.2015 Vendors contacted: SAP
CVSS Information CVSS Base Score: 3.5 / 10 CVSS Base Vector: AV : Access Vector (Related exploit range) Network (N) AC : Access Complexity (Required attack complexity) Medium (M) Au : Authentication (Level of authentication needed to exploit) Single (S) C : Impact to Confidentiality Partial (P) I : Impact to Integrity None (N) A : Impact to Availability None (N)
VULNERABILITY DESCRIPTION An authenticated user can use the functions of XML Data Archiving Service access to which should be restricted. This may result in privilege escalation.
VULNERABLE PACKAGES SAP NetWeaver AS JAVA Other versions are probably affected too, but they were not checked.
SOLUTIONS AND WORKAROUNDS To correct this vulnerability, install SAP Security Note 1945215.
AUTHOR Alexander Polyakov (ERPScan)
TECHNICAL DESCRIPTION It is possible to call some of the DAS files without authorization because they do not check if a user is authorized to access some of the JSPs.
Most JSPs have authorization checks:
String authorization = (String) session.getAttribute("AuthRequHead"); if (authorization == null) authorization = "";
But in 3 JSPs those checks are not included:
http://SAP_IP/DataArchivingService/webcontent/cas/cas_enter.jsp http://SAP_IP/DataArchivingService/webcontent/cas/cas_validate.jsp http://SAP_IP/DataArchivingService/webcontent/aas/aas_store.jsp
It means that an anonymous user can call those JSPs.
The most critical one is cas_enter.jsp.
We can create any archiving directory and also: 1) Check if there is any file or directory on the server by analyzing the response while creating an archive store 2) Perform an SMBRelay attack by putting something like \\remotehost\aa into the Windows root variable 3) Potentially make HTTP calls and other calls while using WebDav
REPORT TIMELINE Sent: 20.04.2013 Reported: 21.04.2013 Vendor response: 21.04.2013 Date of Public Advisory: 13.10.2015
ABOUT ERPScan Research The company’s expertise is based on the research subdivision of ERPScan, which is engaged in vulnerability research and analysis of critical enterprise applications. It has achieved multiple acknowledgments from the largest software vendors like SAP, Oracle, Microsoft, IBM, VMware, HP for exposing 400+ vulnerabilities in their solutions (200 of them just in SAP!). ERPScan researchers are proud to have exposed new types of vulnerabilities (TOP 10 Web Hacking Techniques 2012) and were nominated for best server-side vulnerability at BlackHat 2013. ERPScan experts have been invited to speak, present, and train at 60+ prime international security conferences in 25+ countries across the continents. These include BlackHat, RSA, HITB as well as private trainings for SAP in several Fortune 2000 companies. ERPScan researchers lead project EAS-SEC, which is focused on enterprise application security research and awareness. They have published 3 exhaustive annual award-winning surveys about SAP security. ERPScan experts have been interviewed by leading media resources and specialized info-sec publications worldwide: Reuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise, and Chinabyte, to name a few. We have highly qualified experts in staff with experience in many different fields of security, from web applications and mobile/embedded to reverse engineering and ICS/SCADA systems, accumulating their experience to conduct research in SAP security.
ABOUT ERPScan ERPScan is the most respected and credible Business Application Security provider. Founded in 2010, the company operates globally and enables large Oil and Gas, Financial, and Retail organizations to secure their mission-critical processes. Named an Emerging Vendor in Security by CRN, listed among TOP 100 SAP Solution Providers and distinguished by 30+ other awards, ERPScan is the leading SAP SE partner in discovering and resolving security vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to assist in improving the security of their latest solutions. ERPScan’s primary mission is to close the gap between technical and business security, and provide solutions to evaluate and secure SAP and Oracle ERP systems and business-critical applications from both cyber-attacks and internal fraud. Usually our clients are large enterprises, Fortune 2000 companies, and managed service providers whose requirements are to actively monitor and manage security of vast SAP landscapes on a global scale. We ‘follow the sun’ and function in two hubs, located in Palo Alto and Amsterdam, to provide threat intelligence services and agile support, operate local offices and partner network spanning 20+ countries around the globe.
USA address: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301 Phone: 650.798.5255 Twitter: @erpscan Scoop-it: Business Application Security http://erpscan.com