[ERPSCAN-16-041] SAP NetWeaver directory creation outside of the JVM

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver AS JAVA UMEADMIN component
Vendor URL: SAP
Bugs: Directory traversal
Reported: 04.12.2015
Vendor response: 05.12.2015
Date of Public Advisory: 13.12.2016
Reference: SAP Security Note 2310790
Author: Mathieu Geli (ERPScan)

VULNERABILITY INFORMATION

Class: Directory traversal
Impact: deletion of critical file system content
Remotely Exploitable: yes
Locally Exploitable: no

CVSS Information

CVSS Base Score v3: 6.8 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) High (H)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Changed (C)
C: Impact to Confidentiality None (N)
I: Impact to Integrity High (H)
A: Impact to Availability None (N)

Description

Using the SAP NetWeaver web administration interface, an authenticated user can trigger directory creation anywhere the SAP OS user has access.

Business risk

The vulnerable setting defines the working directory in which a certain component of the Java server stores some analysis files. The component first deletes the complete content of that working directory. If the directory is an OS system directory or a Java server directory, its content will be purged, destroying the corresponding functionality.

VULNERABLE PACKAGES

UMEADMIN 7.00
UMEADMIN 7.10
UMEADMIN 7.20
UMEADMIN 7.30
UMEADMIN 7.31
UMEADMIN 7.40
UMEADMIN 7.50

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2310790.

TECHNICAL DESCRIPTION

Through the “Consistency Check” web service, the SAP NetWeaver Admin Console allows an authenticated user to create any directory outside of the JVM with the rights of the SAP OS user.

The default working directory is /tmp, but it can be set to any other directory.
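
The kind of server-side check that closes this class of issue, as an added example (it is not SAP's code and not the content of SAP Security Note 2310790): the requested working directory is confined to one fixed base before anything is created or purged. The class name WorkDirGuard and the temporary base directory are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.*;
import java.util.stream.*;

// Hypothetical helper, not SAP code: confines a user-chosen working
// directory to one fixed base before anything is created or purged.
public class WorkDirGuard {
    private final Path base; // symlink-free path of the only allowed root

    public WorkDirGuard(Path allowedBase) throws IOException {
        this.base = Files.createDirectories(allowedBase).toRealPath();
    }

    // Returns the created directory, or throws if the request escapes base.
    public Path resolve(String requested) throws IOException {
        // An absolute input ("/etc") replaces base in resolve(), and "../"
        // is collapsed by normalize(); both then fail the prefix check.
        Path candidate = base.resolve(requested).normalize();
        if (!candidate.startsWith(base))
            throw new SecurityException("outside base: " + requested);
        // Check the deepest existing ancestor with symlinks resolved, so a
        // link planted inside base cannot redirect the creation.
        Path existing = candidate;
        while (!Files.exists(existing, LinkOption.NOFOLLOW_LINKS))
            existing = existing.getParent();
        if (!existing.toRealPath().startsWith(base))
            throw new SecurityException("symlink escapes base: " + requested);
        return Files.createDirectories(candidate).toRealPath();
    }

    // Empties a validated directory. Files.walk does not follow symlinks
    // by default, so links are deleted rather than their targets.
    public void purge(Path validated) throws IOException {
        List<Path> entries;
        try (Stream<Path> tree = Files.walk(validated)) {
            entries = tree.sorted(Comparator.reverseOrder()).collect(Collectors.toList());
        }
        for (Path p : entries)
            if (!p.equals(validated)) Files.delete(p);
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo: a temp directory stands in for the allowed base.
        WorkDirGuard guard = new WorkDirGuard(Files.createTempDirectory("ume-base"));
        for (String req : new String[] {"check/run1", "../../tmp/x", "/etc"}) {
            try { guard.purge(guard.resolve(req)); System.out.println("ok:       " + req); }
            catch (SecurityException e) { System.out.println("rejected: " + req); }
        }
    }
}
```

A window remains between the check and the creation if other accounts can write inside the base, so the base directory should be writable only by the server's OS user.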

Proof of Concept

Log in as Administrator to http://sapserver:50000
Go to “Identity Management”
Select “Consistency Check”
Select “Choose working directory”
Save
(directory has been created in filesystem)