Close

HAVE QUESTIONS?

A partner account manager can help. Contact us today.

 Subscribe me to your mailing list

[ERPSCAN-16-032] SAP Telnet Console – Directory traversal vulnerability

Application: SAP NetWeaver AS JAVA
Versions Affected: SAP NetWeaver AS JAVA 7.4
Vendor URL: SAP
Bugs: Directory traversal
Reported: 04.12.2015
Vendor response: 05.12.2015
Date of Public Advisory: 09.08.2016
Reference: SAP Security Note 2280371
Author: Mathieu Geli (ERPScan)

VULNERABILITY INFORMATION

Class: Directory traversal
Impact: Read file from system
Remotely Exploitable: Yes
Locally Exploitable: Yes

CVSS Information

CVSS Base Score v3: 3.4 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Adjacent (A)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) High (H)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Changed (C)
C: Impact to Confidentiality Low (L)
I: Impact to Integrity None (N)
A: Impact to Availability None (N)

Description

An authenticated user to the Telnet service can disclose files outside of the JVM.

Business risk

An attacker can use a Directory traversal vulnerability to access arbitrary files and directories located in an SAP server filesystem including application source code, configuration, and system files. It allows obtaining critical technical and business-related information stored in a vulnerable SAP system.

VULNERABLE PACKAGES

J2EE ENGINE SERVERCORE 7.10
J2EE ENGINE SERVERCORE 7.11
J2EE ENGINE SERVERCORE 7.20
J2EE ENGINE SERVERCORE 7.30
J2EE ENGINE SERVERCORE 7.31
J2EE ENGINE SERVERCORE 7.40
J2EE ENGINE SERVERCORE 7.50

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2280371.

TECHNICAL DESCRIPTION

Proof of Concept