Exploit for java platform in category web applications
Application: SAP NetWeaver AS JAVA
Versions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5
Vendor URL: http://SAP.com
Bug: Directory traversal
Sent: 29.09.2015
Reported: 29.09.2015
Vendor response: 30.09.2015
Date of Public Advisory: 08.03.2016
Reference: SAP Security Note 2234971
Author: Vahagn Vardanyan (ERPScan)
Description
1. ADVISORY INFORMATION
Title: [ERPSCAN-16-012] SAP NetWeaver AS Java directory traversal vulnerability
Advisory ID: [ERPSCAN-16-012]
Risk: medium
Advisory URL: https://erpscan.com/advisories/erpscan-16-012/
Date published: 08.03.2016
Vendors contacted: SAP
2. VULNERABILITY INFORMATION
Class: directory traversal
Impact: remotely read file from server
Remotely Exploitable: Yes
Locally Exploitable: No
CVE-2016-3976
CVSS Information
CVSS Base Score v3: 7.5 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) Low (L)
PR : Privileges Required (Level of privileges needed to exploit) None (N)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Changed (C)
C : Impact to Confidentiality Low (L)
I : Impact to Integrity None (N)
A : Impact to Availability None (N)
3. VULNERABILITY DESCRIPTION
An authorized attacker can use a special request to read files from
the server and then escalate his or her privileges.
4. VULNERABLE PACKAGES
SAP NetWeaver AS JAVA 7.1 - 7.5
Other versions are probably affected too, but they were not checked.
5. SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2234971
6. AUTHOR
Vahagn Vardanyan (ERPScan)
7. TECHNICAL DESCRIPTION
An attacker can use an SAP NetWeaver function CrashFileDownloadServlet
to read files from the server.
PoC
GET /XXX/CrashFileDownloadServlet?fileName=..\security\data\SecStore.key
Disclaimer: According to the partnership agreement between ERPScan and
SAP, our company is not entitled to publish any detailed information
about detected vulnerabilities before SAP releases a patch. After the
release, SAP suggests respecting an implementation time of three
months and asks security researchers to not to reveal any details
during this time. However, In this case, the vulnerability allows an
attacker to read arbitrary files on a remote server, possibly
disclosing confidential information, and many such services are
exposed to the Internet. As responsible security researchers, ERPScan
team made a decision not to disseminate the full PoC even after the
specified time.
8. REPORT TIMELINE
Send: 29.09.2015
Reported: 29.09.2015
Vendor response: 30.09.2015
Date of Public Advisory: 08.03.2016
9. REFERENCES
https://erpscan.com/advisories/erpscan-16-012/
# 0day.today [2018-01-05] #