[ERPSCAN-16-041] SAP NetWeaver directory creation outside of the JVM
Application: SAP NetWeaver
Versions Affected: SAP NetWeaver AS JAVA UMEADMIN component
Vendor URL: SAP
Bugs: Directory traversal
Vendor response: 05.12.2015
Date of Public Advisory: 13.12.2016
Reference: SAP Security Note 2310790
Author: Mathieu Geli (ERPScan)
Class: Directory traversal
Impact: deletion of critical file system content
Remotely Exploitable: yes
Locally Exploitable: no
CVSS Base Score v3: 6.8 / 10
CVSS Base Vector:
|AV: Attack Vector (Related exploit range)||Network (N)|
|AC: Attack Complexity (Required attack complexity)||Low (L)|
|PR: Privileges Required (Level of privileges needed to exploit)||High (H)|
|UI: User Interaction (Required user participation)||None (N)|
|S: Scope (Change in scope due to impact caused to components beyond the vulnerable component)||Changed (C)|
|C: Impact to Confidentiality||None (N)|
|I: Impact to Integrity||High (H)|
|A: Impact to Availability||None(N)|
Using SAP NetWeaver web administration, an authenticated user can trigger directory creation anywhere where the SAP OS user has access.
The vulnerability defines a directory in which a certain component of the Java server stores some analysis files. The component first deletes the complete content of the working directory. If it is an OS system directory or Java server directory, its content will be purged, thus destroying a corresponding functionality.
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2310790.
Through the “Consistency Check” web service, SAP Netweaver Admin Console allows an authenticated user to create any directory with SAP OS user rights outside of the JVM.
/tmp but can be set to any other directory.
Proof of Concept
Login as Administrator to http://sapserver:50000
Go to “Identify Management”
Select “Consistency Check”
Select “Choose working directory”
(directory has been created in filesystem)