[ERPSCAN-15-017] SAP NetWeaver J2EE DAS service – Unauthorized Access
Application: SAP NetWeaver JAVA
Vendor URL: http://www.sap.com
Bugs: Unauthorized access
Vendor response: 21.04.2013
Date of Public Advisory: 15.07.2015
Reference: SAP Security Note 1945215
Authors: Alexander Polyakov (ERPScan)
Class: Unauthorized Access [CWE-284]
Impact: Unauthorized access to some functions
Remotely Exploitable: Yes
Locally Exploitable: No
CVSS Base Score: 3.5 / 10
CVSS Base Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N
  AV : Access Vector (related exploit range)              Network (N)
  AC : Access Complexity (required attack complexity)     Medium (M)
  Au : Authentication (level of authentication needed)    Single (S)
  C  : Impact to Confidentiality                          Partial (P)
  I  : Impact to Integrity                                None (N)
  A  : Impact to Availability                             None (N)
DESCRIPTION
It is possible to call some of the DAS (Data Archiving Service) JSPs without authorization, because those pages never check whether the caller is authorized to use them.
An attacker can exploit the missing authorization check to reach the service without any authentication and use functionality that is supposed to be restricted. This can lead to information disclosure, privilege escalation and further attacks against the host.
VULNERABLE PACKAGES
SAP NetWeaver AS JAVA
Other versions are probably affected too, but they were not checked.
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 1945215.
TECHNICAL DESCRIPTION
The DAS JSPs are expected to verify that the caller has authenticated before rendering anything. Most of them do so by reading the stored Authorization header from the HTTP session:
    // read the Authorization header cached in the session by the login step;
    // an empty value means the caller has not authenticated
    String authorization = (String) session.getAttribute("AuthRequHead");
    if (authorization == null)
        authorization = "";
But three of the JSPs do not include this check at all, so an anonymous user can call them directly. The most critical one is cas_enter.jsp, the page that creates an archive store.
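A simple way to verify whether an instance still has the unprotected page is to request the JSP with no credentials and look at how the server answers. The script below is an added example, not part of the original advisory and not ERPScan's or SAP's code. It assumes that the DAS application is deployed under the context path /DataArchivingService/ and that the JSPs are reachable by name below it; both are assumptions and the path must be adjusted if the application is deployed elsewhere. Only cas_enter.jsp is probed by default, because it is the only one of the three pages the advisory names.

```python
"""Unauthenticated probe for the DAS JSP authorization check (added example)."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Assumed context path of the Data Archiving Service on AS Java (not from the advisory).
DAS_CONTEXT = "/DataArchivingService/"

# cas_enter.jsp is named in the advisory; the other two unprotected JSPs are not.
DEFAULT_JSPS = ["cas_enter.jsp"]


def probe_urls(base_url, jsps=DEFAULT_JSPS):
    """Build the list of URLs to request without credentials."""
    root = urljoin(base_url, DAS_CONTEXT)
    return [urljoin(root, name) for name in jsps]


def classify(status, headers, body):
    """Decide from one response whether the JSP enforced an authorization check.

    A protected page answers 401 with a WWW-Authenticate challenge (Basic auth is
    how the 'AuthRequHead' session attribute gets populated), 403, a redirect to a
    logon page, or a 200 that only contains a login form. A plain 200 means the
    page rendered without any authorization.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 401 and "www-authenticate" in hdrs:
        return "protected"
    if status == 403:
        return "protected"
    if status in (301, 302, 303, 307):
        location = hdrs.get("location", "").lower()
        if any(word in location for word in ("login", "logon")):
            return "protected"
        return "inconclusive"
    if status == 200:
        if 'type="password"' in body.lower():
            return "protected"
        return "unauthenticated access"
    return "inconclusive"


def fetch(url, timeout=10):
    """GET the URL without credentials and return (status, headers, body prefix)."""
    req = urllib.request.Request(url, headers={"User-Agent": "das-auth-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read(4096).decode("latin-1")
    except urllib.error.HTTPError as err:
        # 401/403/redirects arrive here; the error object carries the response
        return err.code, dict(err.headers), err.read(4096).decode("latin-1")


def check(base_url, jsps=DEFAULT_JSPS):
    """Map each probed URL to its verdict."""
    return {url: classify(*fetch(url)) for url in probe_urls(base_url, jsps)}


if __name__ == "__main__":
    # hypothetical target; pass the real base URL of the AS Java instance as argv[1]
    target = sys.argv[1] if len(sys.argv) > 1 else "http://sapjava.example:50000/"
    for url, verdict in check(target).items():
        print(f"{verdict:24s} {url}")
```

A verdict of "unauthenticated access" for cas_enter.jsp means SAP Security Note 1945215 is not applied; an "inconclusive" result (for example a 500 or a redirect somewhere other than a logon page) should be inspected manually rather than taken as proof either way.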
Through cas_enter.jsp an unauthenticated caller can create an archive store with an arbitrary archiving directory, and in addition:
- Check whether a given file or directory exists on the server by comparing the responses returned while creating an archive store
- Perform an SMB relay attack by supplying a UNC path such as \\remotehost\aa as the Windows root variable, which makes the server open an outbound SMB session to an attacker-controlled host
- Potentially make HTTP calls and other outbound requests to hosts of the attacker's choosing when the store is configured to use WebDAV
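Restoring the authorization check is the real fix, but the two outbound-connection items above come from the store definition accepting any path or URL. The following is an added example of the server-side validation a practitioner would put in front of such a form; it is not SAP's fix and not code from the advisory. The allow-listed roots, the allow-listed WebDAV host and the field names are assumptions chosen for illustration.

```python
"""Validation for archive store root fields (added example, not SAP's code)."""
from pathlib import PurePosixPath, PureWindowsPath
from urllib.parse import urlparse

# Assumed allow-lists: the only places an archive store may be created.
ALLOWED_WINDOWS_ROOTS = (PureWindowsPath(r"D:\sapmnt\archive"),)
ALLOWED_UNIX_ROOTS = (PurePosixPath("/usr/sap/archive"),)
ALLOWED_WEBDAV_HOSTS = {"archive.corp.example"}


class InvalidRoot(ValueError):
    """Raised when a submitted root would leave the allowed storage locations."""


def validate_windows_root(raw):
    """Reject UNC/device paths (SMB relay), traversal and roots outside the allow-list."""
    if not raw or "\x00" in raw:
        raise InvalidRoot("empty path or NUL byte")
    if raw.startswith(("\\\\", "//")):
        # \\remotehost\aa and //remotehost/aa both resolve to a remote SMB share
        raise InvalidRoot("UNC or device path not allowed: %r" % raw)
    p = PureWindowsPath(raw)
    if not p.drive or not p.root or p.drive.startswith("\\\\"):
        raise InvalidRoot("absolute local drive path required: %r" % raw)
    if ".." in p.parts:
        raise InvalidRoot("parent traversal not allowed: %r" % raw)
    for root in ALLOWED_WINDOWS_ROOTS:
        if p == root or root in p.parents:
            return str(p)
    raise InvalidRoot("outside allowed roots: %r" % raw)


def validate_unix_root(raw):
    """Require an absolute path under an allow-listed directory, no traversal."""
    if not raw or "\x00" in raw:
        raise InvalidRoot("empty path or NUL byte")
    p = PurePosixPath(raw)
    if not p.is_absolute() or ".." in p.parts:
        raise InvalidRoot("absolute path without '..' required: %r" % raw)
    for root in ALLOWED_UNIX_ROOTS:
        if p == root or root in p.parents:
            return str(p)
    raise InvalidRoot("outside allowed roots: %r" % raw)


def validate_webdav_url(raw):
    """Only http(s) to an allow-listed host, no embedded credentials."""
    u = urlparse(raw)
    if u.scheme not in ("http", "https"):
        raise InvalidRoot("scheme not allowed: %r" % raw)
    if u.username or u.password:
        raise InvalidRoot("credentials in URL not allowed")
    if u.hostname not in ALLOWED_WEBDAV_HOSTS:
        raise InvalidRoot("WebDAV host not allowed: %r" % u.hostname)
    return u.geturl()


VALIDATORS = {
    "windows_root": validate_windows_root,
    "unix_root": validate_unix_root,
    "webdav_url": validate_webdav_url,
}


def check_store(fields):
    """Validate a submitted store definition; return {field: reason}, empty when clean."""
    errors = {}
    for name, fn in VALIDATORS.items():
        value = fields.get(name)
        if value is None:
            continue
        try:
            fn(value)
        except InvalidRoot as err:
            errors[name] = str(err)
    return errors


if __name__ == "__main__":
    # constructed submissions: the advisory's SMB relay payload and a clean one
    for submission in ({"windows_root": r"\\remotehost\aa"},
                       {"windows_root": r"D:\sapmnt\archive\fi"}):
        print(submission, "->", check_store(submission) or "ok")
```

Path comparison is done with pathlib objects rather than string prefixes so that case differences, forward slashes and doubled separators cannot be used to slip past the allow-list; the UNC test runs before parsing because PureWindowsPath treats \\host\share as a "drive".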