[ERPSCAN-15-034] SAP NetWeaver – internal special account password leak

Application: SAP Netweaver
Versions Affected: SAP Netweaver 7.4
Vendor URL: SAP
Bugs: Coding error, Reading sensitive user data
Sent: 05.09.2015
Reported: 05.09.2015
Vendor response: 06.09.2015
Date of Public Advisory: 08.12.2015
Reference: SAP Security Note 2240946
Author: Dmitry Chastuhin, Mathieu Geli (ERPScan)

VULNERABILITY INFORMATION
Class: Cryptographic issues
Impact: Reading sensitive user data
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information
CVSS Base Score: 4.6/10
CVSS Base Vector:

AV: Access Vector (Related exploit range) Network (N)
AC: Access Complexity (Required attack complexity) High (H)
Au: Authentication (Level of authentication needed to exploit) Single (S)
C: Impact to Confidentiality Partial (P)
I: Impact to Integrity Partial (P)
A: Impact to Availability Partial (P)

Business risk
An attacker can use an authentication bypass vulnerability to access the service and use functionality to which access is restricted. This can lead to information disclosure and privilege escalation. It can also be exploited for remote file overwriting, denial of service, SMB relay attacks, etc.

VULNERABILITY DESCRIPTION
An authenticated administrator user can leak the password of the special internal account that allows OS command execution.

VULNERABLE PACKAGES
SAP NetWeaver 7.4
Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2240946.

TECHNICAL DESCRIPTION
PoC
In the SAP NetWeaver Administrator console, go to "Log Viewer: Overview".
Select "Connect to Remote System" in the View drop-down menu, then select "Define new connection".
Replace localhost with the IP address of your host, where a socket is listening on port 50013.
Click "Apply Connections" and watch the incoming request.
Base64-decode the request's "Authorization" header field and you will get the credentials for the account "{221BA44F-F88E-4166-BB2B-E2541910B86A}".
The username/password can then be used to execute OS commands through the SAPControl port 50013.
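From the defender's side, the observable artifact of this issue is the NetWeaver host sending the internal account's HTTP Basic credentials to a destination other than itself. The following is an added detection example (not part of the advisory or SAP's code) that inspects an HTTP request as recorded by a proxy or packet-capture tool, decodes the Basic header only far enough to recover the username, and raises a finding when that username is the account named above and the Host header is not loopback. The sample request, its password and the destination address are constructed for the example; the function names are my own.

```python
# Detect the internal SAPControl account's Basic credentials leaving the host
# (added example; parses already-captured HTTP request text, does not capture traffic).
import base64
import binascii
from ipaddress import ip_address

# Username of the internal account named in the advisory.
INTERNAL_ACCOUNT = "{221BA44F-F88E-4166-BB2B-E2541910B86A}"

# Constructed sample request: placeholder password and a TEST-NET address, not real data.
_SAMPLE_CREDENTIAL = base64.b64encode(f"{INTERNAL_ACCOUNT}:PLACEHOLDER".encode()).decode()
SAMPLE_REQUEST = (
    "GET /sapcontrol HTTP/1.1\n"
    "Host: 203.0.113.10:50013\n"
    f"Authorization: Basic {_SAMPLE_CREDENTIAL}\n"
    "User-Agent: constructed-sample\n"
)


def decode_basic_username(header_value: str):
    """Return the username of an 'Authorization: Basic ...' value, or None.
    The password half is discarded so that the detector never logs it."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # malformed Base64: not a usable Basic credential
    username, sep, _password = decoded.partition(":")
    return username if sep else None


def is_loopback(host_header: str) -> bool:
    """True when the Host header names the machine itself (localhost / 127.x / ::1)."""
    host = host_header.rsplit(":", 1)[0] if ":" in host_header else host_header
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False  # hostname we cannot resolve offline: treat as remote


def find_internal_account_leak(raw_request: str):
    """Return a finding dict when the request carries the internal account's
    credentials to a non-loopback destination, otherwise None."""
    host, username = None, None
    for line in raw_request.splitlines():
        name, _, value = line.partition(":")
        if name.lower() == "host":
            host = value.strip()
        elif name.lower() == "authorization":
            username = decode_basic_username(value)
    if username == INTERNAL_ACCOUNT and host and not is_loopback(host):
        return {"account": username, "destination": host}
    return None


if __name__ == "__main__":
    finding = find_internal_account_leak(SAMPLE_REQUEST)
    print("ALERT:" if finding else "no finding", finding)
```

Matching on the username rather than on port 50013 alone keeps the alert specific: ordinary SAPControl traffic to a remote instance carries other accounts, while this account should only ever be presented to the local SAPControl service.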