[ERPSCAN-12-038] SAP NetWeaver PI SDK – XXE and XXE Tunneling
Application: SAP PI SDK
Versions Affected: SAP PI SDK
Vendor URL: http://www.sap.com
Bugs: Security Bypass
Vendor response: 13.03.2012
Date of Public Advisory: 22.10.2012
Reference: SAP Security Note 1723641
Authors: Alexander Polyakov, Alexey Tyurin, Alexandr Minozhenko (ERPScan)
SAP PI SDK XML parser validates all incoming xml-requests with user specified DTD. It is also possible to execute XXE Tunelling via gopher scheme.
It is possible for attackers to send any packets to any port of any system including localhost. It means that it is possible, for example, to send any administrative command to Gateway or Message server because the source of the packet will be localhost, and there is no restrictions for localhost. Another example is an attack on other interfaces.