[ERPSCAN-16-009] SAP xMII – directory traversal vulnerability

Application: SAP xMII
Versions Affected: SAP MII 15.0
Vendor URL: SAP
Bugs: Directory traversal
Reported: 29.07.2015
Vendor response: 30.07.2015
Date of Public Advisory: 09.02.2016
Reference: SAP Security Note 2230978
Author: Dmitry Chastuhin (ERPScan)

VULNERABILITY INFORMATION
Class: [CWE-36]
Impact: SAP xMII directory traversal, read file from server
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2016-2389

CVSS Information
CVSS Base Score v3: 7.5 / 10
CVSS Base Vector:

AV : Access Vector (Related exploit range) Network (N)
AC : Access Complexity (Required attack complexity) Low (L)
Au : Authentication (Level of authentication needed to exploit) None (N)
C : Impact to Confidentiality High (H)
I : Impact to Integrity None (N)
A : Impact to Availability None (N)

Description
An attacker can use a special request to read files from a server to escalate their privileges.

Business risk
An attacker can use a directory traversal vulnerability to access arbitrary files and directories located in an SAP server filesystem including application source code, configuration, and system files. It allows obtaining critical technical and business-related information stored in the vulnerable SAP system.
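The following is an added example, not SAP's code and not this advisory's PoC, showing the two defensive controls that matter for the CWE-36 class described above: a canonical-path containment check that a file-listing handler should apply before touching the filesystem, and a log check that flags requests whose path parameter tries to leave the permitted directory. The endpoint name `/filelist`, its `path` parameter, the export root `/srv/mii/exports` and the access-log lines are all constructed for illustration and are not taken from SAP MII.

```python
"""Defensive checks for the directory-traversal class (CWE-36) behind this advisory.

Added example, not SAP's code and not the advisory's PoC. The endpoint /filelist,
its 'path' parameter, the export root and the log lines are all constructed.
"""
import re
from pathlib import Path
from urllib.parse import parse_qs, urlparse

# Hypothetical directory that the file-listing endpoint is allowed to expose.
ALLOWED_ROOT = Path("/srv/mii/exports").resolve()

# Signature layer: dot-dot segments, either raw or still percent-encoded
# (catches double-encoded input that a single decode would miss).
DOTDOT_RE = re.compile(r"\.\.[/\\]|%2e%2e", re.IGNORECASE)

# Constructed access-log lines (client, request line, status); not real SAP MII traffic.
SAMPLE_LOG = [
    '10.0.0.5 "GET /filelist?path=reports/2015 HTTP/1.1" 200',
    '10.0.0.9 "GET /filelist?path=../../../etc/passwd HTTP/1.1" 200',
    '10.0.0.9 "GET /filelist?path=%2e%2e%2f%2e%2e%2fsecret HTTP/1.1" 200',
    '10.0.0.9 "GET /filelist?path=/etc/hosts HTTP/1.1" 200',
]

LOG_RE = re.compile(r'^(\S+) .*"GET (\S+) HTTP')


def resolve_requested_path(user_path: str, root: Path = ALLOWED_ROOT) -> Path:
    """Canonicalise user_path under root; raise ValueError if it escapes root.

    The decision is made on the resolved path, so '..' segments, absolute
    paths and symlinks are all handled. Containment uses Path.parents rather
    than a string prefix test, so /srv/mii/exports-old is not mistaken for a
    child of /srv/mii/exports.
    """
    candidate = (root / user_path).resolve()  # an absolute user_path replaces root here
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes allowed root: {candidate}")
    return candidate


def is_rejected(user_path: str, root: Path = ALLOWED_ROOT) -> bool:
    """True if the containment check refuses user_path."""
    try:
        resolve_requested_path(user_path, root)
    except ValueError:
        return True
    return False


def flag_traversal_requests(log_lines, root: Path = ALLOWED_ROOT):
    """Return (client, reason) for each request whose 'path' value is traversal-like.

    Two layers: the dot-dot signature on the raw and decoded query, then the
    same containment check the handler applies, which also catches absolute
    paths that carry no '..' at all.
    """
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        raw_query = urlparse(target).query
        # parse_qs decodes one layer of percent-encoding for us
        for value in parse_qs(raw_query).get("path", []):
            if DOTDOT_RE.search(raw_query) or DOTDOT_RE.search(value):
                flagged.append((client, "dot-dot signature"))
            elif is_rejected(value, root):
                flagged.append((client, "escapes allowed root"))
    return flagged


if __name__ == "__main__":
    for client, reason in flag_traversal_requests(SAMPLE_LOG):
        print(f"{client}: {reason}")
```

The containment check is the one that actually closes the hole; the signature scan is only a cheap way to surface attempts in existing logs. Note that a plain `str(candidate).startswith(str(root))` would accept `/srv/mii/exports-old/x` as being inside `/srv/mii/exports`, which is why the example compares against `Path.parents` instead.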

VULNERABLE PACKAGES
SAP MII 15.0

SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2230978

TECHNICAL DESCRIPTION
An attacker can use xMII function GetFileList to read files from the server.
PoC