[ERPSCAN-17-033] SAP POS Missing Authentication in XpressServer

Application: SAP POS Xpress Server
Vendor URL: SAP
Bugs: Missing Authentication
Reported: 03.04.2017
Vendor response: 04.04.2017
Date of Public Advisory: 11.07.2017
Reference: SAP Security Note 2520064
Author: Dmitry Chastuhin (ERPScan)

VULNERABILITY INFORMATION

Class: Missing Authentication Check
Impact: broken authentication
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS v3 Base Score: 8.1 / 10
CVSS v3 Base Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) High (H)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality High (H)
I: Impact to Integrity High (H)
A: Impact to Availability High (H)

Description

An attacker can read/write/delete files on the SAP POS server.

Business risk

An attacker can use a missing authentication check to reach a service without going through any authentication procedure and to use functionality whose access should be restricted. This can lead to information disclosure, privilege escalation and other attacks.

VULNERABLE PACKAGES

XPRESSBU 1020
XPRESSBU 1030

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2520064.

TECHNICAL DESCRIPTION

An attacker can read, write and delete files on the SAP POS server through the XpressServer TCP port 2200 without authentication.

To do so, the attacker sends requests of different types to that port.

The common packet format is {MSG_TYPE+MsgLen}DATA: a header carrying the message type and the message length, followed by the message data.
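Because the service accepts file operations from any client that can reach TCP port 2200, the only compensating control until the note is applied is to watch (and restrict) who connects to that port. The following is an added example of such a check, not part of the advisory or of SAP's guidance: it runs simple detection logic over constructed flow records and flags TCP connections to port 2200 that do not come from an assumed allow-list of trusted POS networks. The trusted ranges and the log lines are illustrative assumptions.

```python
# Added example (not from the advisory): flag TCP connections to the
# XpressServer port 2200 that do not originate from trusted POS networks.
# The flow records and the trusted ranges are constructed assumptions.
import ipaddress

XPRESS_PORT = 2200

# Assumed trusted sources: the store POS LAN and one management host.
TRUSTED = [ipaddress.ip_network("10.10.0.0/24"),
           ipaddress.ip_network("10.20.5.15/32")]

# Constructed flow log, one record per line:
# timestamp,src_ip,src_port,dst_ip,dst_port,proto
SAMPLE_FLOWS = """\
2017-07-11T09:00:01,10.10.0.21,50112,10.10.0.5,2200,tcp
2017-07-11T09:00:07,10.20.5.15,50240,10.10.0.5,2200,tcp
2017-07-11T09:01:13,192.168.77.9,41233,10.10.0.5,2200,tcp
2017-07-11T09:01:14,192.168.77.9,41234,10.10.0.5,445,tcp
2017-07-11T09:02:02,10.10.0.21,50113,10.10.0.5,2200,udp
2017-07-11T09:02:40,203.0.113.4,6000,10.10.0.5,2200,tcp
"""


def is_trusted(ip):
    """True if the source address falls inside any allow-listed network."""
    return any(ip in net for net in TRUSTED)


def find_untrusted_xpress_access(log_text):
    """Return (timestamp, src_ip, dst_ip) for every TCP flow to port 2200
    whose source is not on the allow-list."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, dst, dport, proto = line.split(",")
        # XpressServer speaks TCP; other protocols to the port are noise here.
        if proto != "tcp" or int(dport) != XPRESS_PORT:
            continue
        if is_trusted(ipaddress.ip_address(src)):
            continue
        alerts.append((ts, src, dst))
    return alerts


if __name__ == "__main__":
    for ts, src, dst in find_untrusted_xpress_access(SAMPLE_FLOWS):
        print(f"{ts} untrusted client {src} reached XpressServer {dst}:{XPRESS_PORT}")
```

Run against the constructed log this reports the two connections from 192.168.77.9 and 203.0.113.4; the same logic ports directly to a SIEM rule keyed on destination port 2200 and a source-address allow-list.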

Proof of Concept

Anonymous file reading

Send this request to port 2200:

Alternatively, an attacker can use an absolute path to the file.

The vulnerable code is located in the CTmxSocketCtrl::SendFile function of xps.exe.

Anonymous file writing

Send this request to port 2200:
PoC

Response:

Then check the file c:\ala.txt on the SAP POS server.