[ERPSCAN-16-031] SAP NetWeaver AS ABAP – Directory traversal using READ DATASET
Application: SAP NetWeaver AS ABAP
Versions Affected: SAP NetWeaver AS ABAP 7.4
Vendor URL: SAP
Bugs: Directory traversal
Vendor response: 23.04.2016
Date of Public Advisory: 09.08.2016
Reference: SAP Security Note 2312966
Author: Daria Prosochkina (ERPScan)
Class: Directory traversal
Impact: Read file from system
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVSS Base Score v3: 4.3 / 10
CVSS Base Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  AV (Attack Vector, related exploit range): Network (N)
  AC (Attack Complexity, required attack complexity): Low (L)
  PR (Privileges Required, level of privileges needed to exploit): Low (L)
  UI (User Interaction, required user participation): None (N)
  S  (Scope, change in scope due to impact caused to components beyond the vulnerable component): Unchanged (U)
  C  (Impact to Confidentiality): Low (L)
  I  (Impact to Integrity): None (N)
  A  (Impact to Availability): None (N)
An attacker may be able to read the contents of unexpected files and expose sensitive data. If a targeted file is used as a security mechanism, the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute-force password guessing attacks in order to break into an account on the system.
An attacker can use directory traversal to access arbitrary files and directories in the SAP server filesystem, including application source code, configuration and system files. This exposes critical technical and business-related information stored in the vulnerable SAP system.
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2312966.
An attacker can read any file on the OS that the SAP server process is allowed to read. The filename used in the READ DATASET statement (line 428) is taken directly from user input, so a user can pass an arbitrary file path, for example /etc/passwd. When the BUPA_BIP_FILE_IMPORT program executes, the records of /etc/passwd are appended one by one to the internal table P_ITAB as raw (hex) bytes, and P_FLEN accumulates the total number of bytes read.
* Vulnerable read loop from BUPA_BIP_FILE_IMPORT (around line 428).
* p_ifilea carries the user-supplied file name unchanged; the dataset
* was opened on it earlier (not shown in this excerpt). The DO/ENDDO
* framing is reconstructed from the "in a loop" comment below.
p_flen = 0.
DO.
  READ DATASET p_ifilea INTO lw.        " sink: reads whatever path the caller gave
* Exit conditions for accessing in a loop
  IF sy-subrc NE 0. EXIT. ENDIF.
  APPEND lw TO p_itab .                 " file contents accumulate here
  p_flen = p_flen + XSTRLEN( lw-d ) .   " running byte count, not the data itself
ENDDO.
* Closing the fully accessed sequential dataset
CLOSE DATASET p_ifilea.
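The hardened form of the same loop, as an added example that is not code from BUPA_BIP_FILE_IMPORT, from SAP Security Note 2312966 or from ERPScan: the user-supplied name is first validated against a logical file name with the standard function module FILE_VALIDATE_NAME, so only physical paths inside the directory bound to that logical name reach OPEN DATASET. The logical file name Z_BUPA_IMPORT is assumed to be maintained in transaction FILE; the report name and local variables are hypothetical.

```abap
*&---------------------------------------------------------------------*
*& Hardened counterpart of the READ DATASET loop above. Added example,
*& not code from BUPA_BIP_FILE_IMPORT or from SAP Security Note 2312966.
*& Assumed: a logical file name Z_BUPA_IMPORT is maintained in
*& transaction FILE and bound to a fixed import directory; the report
*& and variable names below are hypothetical.
*&---------------------------------------------------------------------*
REPORT z_read_dataset_hardened.

TYPES: BEGIN OF ty_rec,
         d TYPE xstring,
       END OF ty_rec.

PARAMETERS p_ifilea TYPE c LENGTH 255 LOWER CASE.

DATA: lw      TYPE ty_rec,
      p_itab  TYPE STANDARD TABLE OF ty_rec,
      p_flen  TYPE i,
      lv_len  TYPE i,
      lv_phys TYPE string.

* 1. Validate the caller's file name against the logical file name.
*    FILE_VALIDATE_NAME rejects a physical name that does not resolve
*    inside the directory bound to Z_BUPA_IMPORT, so ../ sequences and
*    absolute paths such as /etc/passwd fail here, before any file I/O.
lv_phys = p_ifilea.
CALL FUNCTION 'FILE_VALIDATE_NAME'
  EXPORTING
    logical_filename           = 'Z_BUPA_IMPORT'
  CHANGING
    physical_filename          = lv_phys
  EXCEPTIONS
    logical_filename_not_found = 1
    validation_failed          = 2
    OTHERS                     = 3.
IF sy-subrc <> 0.
  MESSAGE 'File name rejected: outside the permitted import directory' TYPE 'E'.
ENDIF.

* 2. Open the validated name only. OPEN DATASET also triggers the
*    kernel's implicit S_DATASET / S_PATH authority checks.
OPEN DATASET lv_phys FOR INPUT IN BINARY MODE.
IF sy-subrc <> 0.
  MESSAGE 'File could not be opened' TYPE 'E'.
ENDIF.

* 3. Read in bounded chunks. The read that reaches end-of-file returns
*    sy-subrc = 4 but may still have delivered bytes, so a chunk is
*    kept whenever ACTUAL LENGTH is non-zero, then the loop ends.
p_flen = 0.
DO.
  READ DATASET lv_phys INTO lw-d MAXIMUM LENGTH 1024 ACTUAL LENGTH lv_len.
  IF lv_len > 0.
    APPEND lw TO p_itab.
    p_flen = p_flen + lv_len.
  ENDIF.
  IF sy-subrc <> 0. EXIT. ENDIF.
ENDDO.
CLOSE DATASET lv_phys.

WRITE: / 'Bytes read:', p_flen.
```

The validation step is the fix that matters for this bug class: an authorization check alone does not help, because the user running an import report legitimately holds S_DATASET for that program, and the kernel's implicit check on OPEN DATASET is evaluated against whatever path the user supplied. Binding the name to a logical file name confines reads to the configured import directory regardless of the caller's authorizations. The bounded-chunk loop is an additional correctness detail: ABAP sets sy-subrc to 4 on the read that hits end-of-file even when that read delivered data, so checking ACTUAL LENGTH before the exit condition keeps the final partial record.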