[ERPSCAN-16-031] SAP NetWeaver AS ABAP – Directory traversal using READ DATASET

Application: SAP NetWeaver AS ABAP
Versions Affected: SAP NetWeaver AS ABAP 7.4
Vendor URL: SAP
Bugs: Directory traversal
Reported: 22.04.2016
Vendor response: 23.04.2016
Date of Public Advisory: 09.08.2016
Reference: SAP Security Note 2312966
Author: Daria Prosochkina (ERPScan)

VULNERABILITY INFORMATION

Class: Directory traversal
Impact: Read file from system
Remotely Exploitable: Yes
Locally Exploitable: Yes

CVSS Information

CVSS Base Score v3: 4.3 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) Low (L)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality Low (L)
I: Impact to Integrity None (N)
A: Impact to Availability None (N)

Description

An attacker may be able to read the contents of unexpected files and expose sensitive data. If a targeted file is used as a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.

Business risk

An attacker can use directory traversal to access arbitrary files and directories located in an SAP server filesystem, including application source code, configuration and system files. This allows the attacker to obtain critical technical and business-related information stored in a vulnerable SAP system.

VULNERABLE PACKAGES

SAP_ABA 700
SAP_ABA 701
SAP_ABA 702
SAP_ABA 710
SAP_ABA 711
SAP_ABA 730
SAP_ABA 731
SAP_ABA 740
SAP_ABA 750
SAP_ABA 751
SAP_ABA 75A
SAP_ABA 75B

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2312966.

TECHNICAL DESCRIPTION

An attacker can read any file from the OS using the BUPA_BIP_FILE_IMPORT program.

The filename used in the READ DATASET statement (line 428) is taken from user input. A user can supply an arbitrary file path as input, for example /etc/passwd. As a result of executing the BUPA_BIP_FILE_IMPORT program, data from /etc/passwd will be written to the P_FLEN variable in hex format.
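The pattern described above, shown next to the usual validation step for this bug class. This is an added example: it is not the source of BUPA_BIP_FILE_IMPORT and not the content of SAP Security Note 2312966. The report name and the logical file name ZEXAMPLE_IMPORT are hypothetical; the logical file name is assumed to be defined in transaction FILE and to point at the one directory imports may come from.

```abap
REPORT z_dataset_validation_example.
* Added example. Report name and logical file name are hypothetical.

PARAMETERS p_file TYPE c LENGTH 255 LOWER CASE OBLIGATORY.

DATA: lv_file TYPE string,
      lv_data TYPE xstring,
      lv_len  TYPE i.

START-OF-SELECTION.
  lv_file = p_file.

* Weak pattern (the bug class in this advisory): the user-supplied
* path reaches the DATASET statements unchecked, so any file readable
* by the application server's OS user can be returned.
*   OPEN DATASET p_file FOR INPUT IN BINARY MODE.
*   READ DATASET p_file INTO lv_data.

* Hardened pattern: validate the physical path against a logical file
* name before it is opened. Validation fails when the path resolves
* outside the directory configured for ZEXAMPLE_IMPORT.
  CALL FUNCTION 'FILE_VALIDATE_NAME'
    EXPORTING
      logical_filename           = 'ZEXAMPLE_IMPORT'
    CHANGING
      physical_filename          = lv_file
    EXCEPTIONS
      logical_filename_not_found = 1
      validation_failed          = 2
      OTHERS                     = 3.
  IF sy-subrc <> 0.
*   Reject the request; do not fall back to the raw input.
    MESSAGE 'File name rejected by validation' TYPE 'E'.
  ENDIF.

* Only the validated name is used from here on.
  OPEN DATASET lv_file FOR INPUT IN BINARY MODE.
  IF sy-subrc <> 0.
    MESSAGE 'File could not be opened' TYPE 'E'.
  ENDIF.
  READ DATASET lv_file INTO lv_data ACTUAL LENGTH lv_len.
  CLOSE DATASET lv_file.

  WRITE: / 'Bytes read:', lv_len.
```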

Vulnerable code