DSECRG Advisories

[ERPSCAN-13-025] SAP CRM crm_flex_data – XXE

Application: SAP CRM
Versions Affected: SAP CRM 7.02 EHP 2
Vendor URL: http://www.sap.com
Bugs: XXE
Exploits: YES
Reported: 09.07.2013
Vendor response: 10.07.2013
Date of Public Advisory: 16.11.2013
Reference: SAP Note 1909665
Authors: Alexey Tyurin, Nikolay Mescherin (ERPScan)

SAP XML parser (/sap/crm/crm_flex_data) validates all incoming XML requests with user specified DTD.

Business Risk
It is possible for attackers to send any packets to any port of any system including localhost. It means that it is possible, for example, to send any administrative command to Gateway or Message server because the source of the packet will be localhost, and there is no restrictions for localhost. Another example is an attack on other interfaces.