Application: SAP NetWeaver
Versions Affected: SAP NetWeaver 7.1 – 7.5
Vendor URL: SAP
Bug: Directory traversal
Vendor response: 30.09.2015
Date of Public Advisory: 08.03.2016
Reference: SAP Security Note 2234971
Author: Vahagn Vardanyan (ERPScan)
Class: directory traversal
Impact: remotely read files from the server
Remotely Exploitable: Yes
Locally Exploitable: No
CVSS Base Score v3: 7.5 / 10
CVSS Base Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

| Metric | Value |
|---|---|
| AV : Attack Vector (related exploit range) | Network (N) |
| AC : Attack Complexity (required attack complexity) | Low (L) |
| PR : Privileges Required (level of privileges needed to exploit) | None (N) |
| UI : User Interaction (required user participation) | None (N) |
| S : Scope (change in scope due to impact on components beyond the vulnerable component) | Changed (C) |
| C : Impact to Confidentiality | Low (L) |
| I : Impact to Integrity | None (N) |
| A : Impact to Availability | None (N) |

Note: the vector as listed evaluates to 5.8 under the CVSS v3.0 base formula, not 7.5; a score of 7.5 corresponds to AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (unauthenticated read of sensitive files, scope unchanged). Recompute the score against the exposure of your own deployment rather than relying on the published number.
DESCRIPTION

An attacker can use the directory traversal to read arbitrary files and directories on the SAP server file system, including application source code, configuration files and system files, and thereby obtain critical technical and business-related information stored in the vulnerable SAP system.
An authorized attacker can send a specially crafted request to read files from the server and then use their contents to escalate privileges.
VULNERABLE PACKAGES

SAP NetWeaver AS Java 7.1 – 7.5
Other versions are probably affected too, but they were not checked.
SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2234971.
Until the note is applied, check whether the affected AS Java instance is reachable from untrusted networks; as the disclaimer below notes, many such services are exposed to the Internet.
TECHNICAL DESCRIPTION

An attacker can use the SAP NetWeaver AS Java servlet CrashFileDownloadServlet to read files from the server: the servlet returns a file named by the request without confining the resulting path to its intended directory, so a traversal sequence in the request reaches arbitrary files on the file system.
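The description and technical description above both come down to one defect in a file-download handler: the requested name is joined onto a base directory and opened without checking where the resulting path lands. The following Python sketch is an added illustration of that vulnerability class, not ERPScan's withheld PoC and not SAP's servlet code; the base directory, the request values and the parameter handling are constructed for the example, since the advisory gives none of them. It shows a naive resolver beside a hardened one that percent-decodes before checking, rejects NUL bytes and absolute names, and tests containment on the canonical path so that encoded, double-encoded, backslash and `..`-after-a-subdirectory variants are all caught.

```python
import os
import urllib.parse
from typing import Optional

# Directory the download handler is meant to serve from. Assumed for this
# example; the advisory does not name the real crash-file directory.
CRASH_DIR = "/usr/sap/crash"


def decode_request_value(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so %2e%2e%2f and double-encoded
    %252e%252e%252f are both seen as '../' before any path check."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def unsafe_resolve(requested: str, base_dir: str = CRASH_DIR) -> str:
    """What a traversal-prone handler does: join the request onto the base
    directory and open whatever that normalizes to."""
    return os.path.normpath(os.path.join(base_dir, decode_request_value(requested)))


def resolve_download_path(requested: str, base_dir: str = CRASH_DIR) -> Optional[str]:
    """Hardened form: return the absolute path to serve, or None when the
    request would escape base_dir."""
    name = decode_request_value(requested).replace("\\", "/")
    if "\x00" in name or name.startswith("/"):
        # NUL bytes truncate paths in C-backed APIs; an absolute name would
        # replace base_dir entirely inside os.path.join.
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses '..' segments and follows symlinks, so the containment
    # check below sees the file that would really be opened.
    candidate = os.path.realpath(os.path.join(base, name))
    if not candidate.startswith(base + os.sep):
        return None
    return candidate


# Constructed request values; the real servlet's parameter name and exact
# encoding are not given in the advisory.
SAMPLE_REQUESTS = [
    "dump1.txt",
    "logs/../dump1.txt",
    "../../../etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "%252e%252e/%252e%252e/%252e%252e/etc/passwd",
    "..\\..\\..\\etc\\passwd",
    "/etc/passwd",
    "dump1.txt\x00.jpg",
]


def check_requests() -> dict:
    """Map each sample request to (naive result, hardened result)."""
    return {r: (unsafe_resolve(r), resolve_download_path(r)) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for req, (naive, safe) in check_requests().items():
        print(f"{req!r:48} naive={naive!r:30} hardened={safe!r}")
```

Running the block prints, for each constructed request, the path the naive handler would open beside the hardened verdict; the traversal variants all resolve to `/etc/passwd` on the naive side and to `None` on the hardened side, while `logs/../dump1.txt` is still accepted because its canonical form stays inside the base directory. The check is on the canonical path rather than on the presence of `..` in the string, which is what makes it robust to the encoding tricks.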
Disclaimer: According to the partnership agreement between ERPScan and SAP, our company is not entitled to publish any detailed information about detected vulnerabilities before SAP releases a patch. After the release, SAP suggests respecting an implementation time of three months and asks security researchers not to reveal any details during this time. However, in this case, the vulnerability allows an attacker to read arbitrary files on a remote server, possibly disclosing confidential information, and many such services are exposed to the Internet. As responsible security researchers, the ERPScan team made a decision not to disseminate the full PoC even after the specified time.