[ERPSCAN-15-033] SAP Mobile Platform – Unauthenticated access vulnerability

Application: SAP Mobile Platform
Vendor: http://www.sap.com
Bugs: Authentication bypass
Reported: 05.09.2015
Vendor response: 06.09.2015
Date of Public Advisory: 08.12.2015
Reference: SAP Security Note 2227855
Author: Vahagn Vardanyan (ERPScan)

Class: Authentication bypass
Impact: deploy mobile application, read log
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information
CVSS Base Score: 6.8 / 10
CVSS Base Vector:

AV: Access Vector (Related exploit range) Network (N)
AC: Access Complexity (Required attack complexity) Medium (M)
Au: Authentication (Level of authentication needed to exploit) None (N)
C: Impact to Confidentiality Partial (P)
I: Impact to Integrity Partial (P)
A: Impact to Availability Partial (P)

Business risk
Several web services were added to the SAP Control Center (SCC) server to support native functions of the UI such as log upload/download and application deployment. In normal use a user must authenticate in the Administrator role before navigating to these services, but an attacker with network access to the server can bypass this and call the services directly. This can lead to information disclosure and privilege escalation; it can also be exploited to overwrite remote files or to read business-sensitive information.

An attacker can access SysAdminWebTool servlets without authentication.

Vulnerable packages
SAP Mobile Platform 2.3, 3.0

Solutions and workarounds
To correct this vulnerability, install SAP Security Note 2227855.

Some URLs on the SAP Control Center Admin UI for SMP 2.3 and the MBO support add-on for SMP 3.0 had no access control policy assigned. This could result in denial of service attacks or data compromise.
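
A log check a defender can run to find the condition this advisory describes (an admin servlet answering successfully to a request with no authenticated user), added here as an example and not code from ERPScan or SAP. The Common Log Format layout, the /SysAdminWebTool/ path prefix and the log lines themselves are constructed assumptions; after the Security Note is applied, such requests should be answered with 401/403 rather than 2xx.

```python
import re
from collections import Counter

# Constructed sample access log lines in Common Log Format (not real SMP logs).
# The third field is the authenticated user; "-" means no authenticated session.
SAMPLE_LOG = """\
10.0.0.5 - admin [08/Dec/2015:10:01:12 +0000] "GET /SysAdminWebTool/logs HTTP/1.1" 200 5120
10.0.0.9 - - [08/Dec/2015:10:02:03 +0000] "GET /SysAdminWebTool/logs HTTP/1.1" 200 5120
10.0.0.9 - - [08/Dec/2015:10:02:40 +0000] "POST /SysAdminWebTool/deploy HTTP/1.1" 200 88
10.0.0.9 - - [08/Dec/2015:10:03:01 +0000] "GET /scc/index.html HTTP/1.1" 200 1024
10.0.0.12 - - [08/Dec/2015:10:05:00 +0000] "GET /SysAdminWebTool/logs HTTP/1.1" 401 0
"""

# Common Log Format: ip ident user [timestamp] "method path proto" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Hypothetical prefix for the admin servlets; the real SMP paths differ.
ADMIN_PREFIX = "/SysAdminWebTool/"


def parse(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def find_unauthenticated_admin_hits(log_text):
    """Return entries where an admin servlet returned 2xx to an unauthenticated request.

    A patched server should reject these with 401/403, so any 2xx here means the
    access control policy is still missing or the request went through before the fix.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse(line)
        if not entry or not entry["path"].startswith(ADMIN_PREFIX):
            continue
        if entry["user"] == "-" and entry["status"].startswith("2"):
            hits.append(entry)
    return hits


def summarize_by_source(hits):
    """Count unauthenticated admin hits per source address for triage."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    for ip, count in summarize_by_source(find_unauthenticated_admin_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {count} unauthenticated admin servlet request(s) answered with 2xx")
```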
To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services: