
[ERPSCAN-15-017] SAP NetWeaver J2EE DAS service – Unauthorized Access

Application: SAP NetWeaver JAVA
Vendor URL: http://www.sap.com
Bugs: Unauthorized access
Reported: 20.04.2013
Vendor response: 21.04.2013
Date of Public Advisory: 15.07.2015
Reference: SAP Security Note 1945215
Authors: Alexander Polyakov (ERPScan)

VULNERABILITY INFORMATION
Class: Unauthorized Access [CWE-284]
Impact: Unauthorized access to some functions
Remotely Exploitable: Yes
Locally Exploitable: No
CVSS Information
CVSS Base Score: 3.5 / 10
CVSS Base Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

  • AV : Access Vector (related exploit range): Network (N)
  • AC : Access Complexity (required attack complexity): Medium (M)
  • Au : Authentication (level of authentication needed to exploit): Single (S)
  • C : Impact to Confidentiality: Partial (P)
  • I : Impact to Integrity: None (N)
  • A : Impact to Availability: None (N)

Description
Some of the DAS (Data Archiving Service) JSPs can be called without authorization, because they do not check whether the calling user is authorized to access them.

Business Risk
An attacker can use the missing authorization check to reach the service without going through any authorization procedure and use functionality that is meant to be restricted. This can lead to information disclosure, privilege escalation, and other attacks.

VULNERABLE PACKAGES
SAP NetWeaver AS JAVA
Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 1945215.

TECHNICAL DESCRIPTION
Some of the DAS JSPs can be called without authorization, because they do not check whether the calling user is authorized to access them.

Most of the DAS JSPs include an authorization check, but in the following three JSPs that check is missing:

  • http://SAP_IP/DataArchivingService/webcontent/cas/cas_enter.jsp
  • http://SAP_IP/DataArchivingService/webcontent/cas/cas_validate.jsp
  • http://SAP_IP/DataArchivingService/webcontent/aas/aas_store.jsp

This means that an anonymous user can call those JSPs.
The most critical of the three is cas_enter.jsp.

Through cas_enter.jsp we can create an arbitrary archiving directory, and also:

  • Check whether a given file or directory exists on the server by analyzing the response while creating an archive store
  • Perform an SMBRelay attack by putting something like \\remotehost\aa into the Windows root variable
  • Potentially make HTTP calls and other calls while using WebDAV
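Until SAP Security Note 1945215 is applied, the practical defensive question is whether anyone has already reached these three JSPs anonymously. The following is an added example, not part of the advisory or of SAP's code: it scans HTTP access-log lines for requests to the three unchecked DAS JSPs and records whether the request carried an authenticated user. It assumes Common Log Format input (the sample lines, hosts and users below are constructed) and the per-JSP severity labels are the example's own assumption, based only on the advisory calling cas_enter.jsp the most critical.

```python
import re
from urllib.parse import unquote, urlparse

# The three DAS JSPs the advisory names as lacking an authorization check.
# Severity labels are an assumption; the advisory only singles out cas_enter.jsp.
UNCHECKED_DAS_JSPS = {
    "/DataArchivingService/webcontent/cas/cas_enter.jsp": "high",
    "/DataArchivingService/webcontent/cas/cas_validate.jsp": "medium",
    "/DataArchivingService/webcontent/aas/aas_store.jsp": "medium",
}

# Common Log Format (assumed): host ident authuser [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def find_das_hits(lines):
    """Return one finding per request whose path is one of the unchecked JSPs.

    The query string is dropped and the path is percent-decoded and lower-cased
    before comparison, so encoded or differently-cased variants are still caught.
    Lines that do not parse are skipped rather than raising.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        path = unquote(urlparse(m["target"]).path).lower()
        for jsp, severity in UNCHECKED_DAS_JSPS.items():
            if path == jsp.lower():
                findings.append({
                    "host": m["host"],
                    "jsp": jsp.rsplit("/", 1)[-1],
                    "anonymous": m["user"] == "-",   # no authenticated user recorded
                    "status": int(m["status"]),
                    "severity": severity,
                })
    return findings


# Constructed sample log lines; hosts, users and timestamps are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jul/2015:10:01:02 +0000] "GET /DataArchivingService/webcontent/cas/cas_enter.jsp?archive=test HTTP/1.1" 200 1532',
    '10.0.0.7 - j2ee_admin [15/Jul/2015:10:03:11 +0000] "POST /DataArchivingService/webcontent/cas/cas_validate.jsp HTTP/1.1" 200 812',
    '10.0.0.5 - - [15/Jul/2015:10:04:40 +0000] "GET /DataArchivingService/webcontent/cas/cas_list.jsp HTTP/1.1" 401 0',
    '10.0.0.9 - - [15/Jul/2015:10:05:15 +0000] "GET /DataArchivingService/webcontent/aas/AAS_Store.jsp HTTP/1.1" 200 640',
    'not a log line',
]

if __name__ == "__main__":
    for finding in find_das_hits(SAMPLE_LOG):
        print(finding)
```

An anonymous request to one of these JSPs that returned 200 is the case worth investigating; cas_list.jsp is included in the sample only to show that JSPs outside the advisory's list are ignored.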