Close

HAVE QUESTIONS?

A partner account manager can help. Contact us today.

[ERPSCAN-14-026] SAP NetWeaver – SMB Relay

Application: SAP
Vendor URL: http://www.sap.com
Bugs: Security Bypass, Directory Traversal, SMB Relay
Exploits: YES
Reported: 01.07.2014
Vendor response: 02.07.2014
Date of Public Advisory: 15.12.2014
Reference: SAP Security Note 2077260
Author: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION
Class: Directory Traversal [CWE-22]
Impact: An attacker can use Directory Traversal to access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and system files.
Remotely Exploitable: Yes
Locally Exploitable: No

Business Risk
An attacker can use Directory Traversal to access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system.

Description
Security vulnerabilities were found in default SAP programs. An attacker can use an SMB Relay vulnerability to escalate their privileges up to the OS user who started the SAP server. These privileges will give the attacker unlimited access to the data stored in the SAP system. This information can be used to control all business processes and perform sensitive operations in the SAP landscape, possibly taking remote control over the affected systems.

VULNERABLE PACKAGES
SAP NetWeaver 7.0
Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2077260.

TECHNICAL DESCRIPTION
An attacker can use Directory Traversal to access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration, and system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system.

PoC