SAP NetWeaver AS JAVA 7.1 < 7.5 - Directory Traversal

Application: SAP NetWeaver AS JAVA
 
Versions Affected: SAP NetWeaver  AS JAVA 7.1 - 7.5
 
Vendor URL: http://SAP.com
 
Bug: Directory traversal
 
Sent:  29.09.2015
 
Reported: 29.09.2015
 
Vendor response: 30.09.2015
 
Date of Public Advisory: 08.03.2016
 
Reference: SAP Security Note 2234971
 
Author:         Vahagn Vardanyan  (ERPScan)
 
 
 
 
Description
 
 
1. ADVISORY INFORMATION
 
Title: [ERPSCAN-16-012] SAP NetWeaver AS Java directory traversal vulnerability
 
Advisory ID: [ERPSCAN-16-012]
 
Risk: medium
 
Advisory URL: https://erpscan.com/advisories/erpscan-16-012/
 
Date published: 08.03.2016
 
Vendors contacted: SAP
 
 
2. VULNERABILITY INFORMATION
 
Class: directory traversal
 
Impact: remotely read file from server
 
Remotely Exploitable: Yes
 
Locally Exploitable: No
 
CVE-2016-3976
 
 
CVSS Information
 
CVSS Base Score v3:  7.5  / 10
 
CVSS Base Vector:
 
AV : Attack Vector (Related exploit range) Network (N)
 
AC : Attack Complexity (Required attack complexity) Low (L)
 
PR : Privileges Required (Level of privileges needed to exploit) None (N)
 
UI : User Interaction (Required user participation) None (N)
 
S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Changed (C)
 
C : Impact to Confidentiality Low (L)
 
I : Impact to Integrity None (N)
 
A : Impact to Availability None (N)
 
 
 
3. VULNERABILITY DESCRIPTION
 
An authorized attacker can use a special request to read files from
the server and then escalate his or her privileges.
 
 
 
 
4. VULNERABLE PACKAGES
 
SAP NetWeaver AS JAVA 7.1 - 7.5
 
Other versions are probably affected too, but they were not checked.
 
 
5. SOLUTIONS AND WORKAROUNDS
 
To correct this vulnerability, install SAP Security Note 2234971
 
 
 
6. AUTHOR
 
Vahagn Vardanyan  (ERPScan)
 
 
 
7. TECHNICAL DESCRIPTION
 
An attacker can use an SAP NetWeaver function CrashFileDownloadServlet
to read files from the server.
 
 
PoC
 
 
GET /XXX/CrashFileDownloadServlet?fileName=..\security\data\SecStore.key
 
 
Disclaimer: According to the partnership agreement between ERPScan and
SAP, our company is not entitled to publish any detailed information
about detected vulnerabilities before SAP releases a patch. After the
release, SAP suggests respecting an implementation time of three
months and asks security researchers to not to reveal any details
during this time. However, In this case, the vulnerability allows an
attacker to read arbitrary files on a remote server, possibly
disclosing confidential information, and many such services are
exposed to the Internet. As responsible security researchers, ERPScan
team made a decision not to disseminate the full PoC even after the
specified time.
 
 
 
8. REPORT TIMELINE
 
Send: 29.09.2015
 
Reported: 29.09.2015
 
Vendor response: 30.09.2015
 
Date of Public Advisory: 08.03.2016
 
 
 
 
9. REFERENCES
 
https://erpscan.com/advisories/erpscan-16-012/

#  0day.today [2018-01-05]  #