[ERPSCAN-17-047] SAP NetWeaver AS Java logon_app OpenRedirect

Application: SAP NetWeaver AS Java
Versions Affected: SAP NetWeaver AS Java 7.11-7.50
Vendor URL: SAP
Bug: Open redirect
Reported: 18.01.2017
Vendor response: 19.01.2017
Date of Public Advisory: 08.08.2017
Reference: SAP Security Note 2423540
Author: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: Open redirect
Risk: Medium
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS Base Score v3: 4.3 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) Required (R)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality Low (L)
I: Impact to Integrity None (N)
A: Impact to Availability None (N)

DESCRIPTION

An Open Redirect vulnerability is identified in SAP NetWeaver AS Java. An attacker can redirect a victim to another untrusted site.

BUSINESS RISK

An attacker can use an Open Redirect vulnerability to send a user to a phishing or malicious site without the user realizing it. This is possible because the application takes a parameter and redirects the user to its value without validating it.

VULNERABLE PACKAGES

J2EE-APPS 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2423540.

TECHNICAL DESCRIPTION

The servlet encodes the colon character (:) as %3a, so a target with an http://evil.com or https://evil.com scheme cannot be used for the open redirect. A protocol-relative URL such as //evil.com contains no colon, however, and bypasses this security mechanism: the browser resolves it against the current scheme and leaves the site.
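The following is an added, constructed Python model of the behaviour described above; it is not SAP's servlet code or ERPScan's. It shows why encoding only the colon is insufficient (the browser still follows //evil.com off-site) and contrasts it with a check that accepts only a same-site path or an explicitly allowlisted host. The origin netweaver.example:50001 is a placeholder.

```python
from urllib.parse import urlsplit, urljoin, unquote

# Constructed placeholder for the page that issues the redirect; not a real host.
APP_ORIGIN = "https://netweaver.example:50001/logon_app/"


def weak_sanitize(target: str) -> str:
    """Model of the filter described in the advisory: only ':' is percent-encoded."""
    return target.replace(":", "%3a")


def browser_destination(location: str, base: str = APP_ORIGIN) -> str:
    """Where a browser ends up after following a Location header sent by `base`."""
    return urljoin(base, location)


def leaves_site(target: str, base: str = APP_ORIGIN) -> bool:
    """True if the weakly sanitized target still takes the browser to another host."""
    dest = browser_destination(weak_sanitize(target), base)
    return urlsplit(dest).netloc.lower() != urlsplit(base).netloc.lower()


def is_safe_redirect(target: str, allowed_hosts: frozenset = frozenset()) -> bool:
    """Hardened check: a same-site path, or an absolute http(s) URL whose host is allowlisted."""
    if not target:
        return False
    decoded = unquote(target)                  # see through %3a / %2f style encodings
    if any(ord(c) < 0x21 for c in decoded):    # tabs, newlines, spaces: reject outright
        return False
    if "\\" in decoded:                        # some browsers treat '\' as '/', so "/\evil.com" == "//evil.com"
        return False
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:           # absolute or protocol-relative URL
        return parts.scheme in ("http", "https") and parts.netloc.lower() in allowed_hosts
    # Relative target: require exactly one leading slash (a second one would be protocol-relative).
    return decoded.startswith("/") and not decoded.startswith("//")
```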

Proof of Concept

Open this URL

and press the “Log On Again” button.