[ERPSCAN-12-038] SAP NetWeaver PI SDK – XXE and XXE Tunneling

DSECRG Advisories

Application: SAP PI SDK
Versions Affected: SAP PI SDK
Vendor URL: http://www.sap.com
Bugs: Security Bypass
Exploits: YES
Reported: 12.03.2012
Vendor response: 13.03.2012
Date of Public Advisory: 22.10.2012
Reference: SAP Security Note 1723641
Authors: Alexander Polyakov, Alexey Tyurin, Alexandr Minozhenko (ERPScan)

SAP PI SDK XML parser validates all incoming xml-requests with user specified DTD. It is also possible to execute XXE Tunelling via gopher scheme.

Business Risk
It is possible for attackers to send any packets to any port of any system including localhost. It means that it is possible, for example, to send any administrative command to Gateway or Message server because the source of the packet will be localhost, and there is no restrictions for localhost. Another example is an attack on other interfaces.