[ERPSCAN-16-039] SAP NetWeaver 7.5 Information disclosure + port scan in SLD test application
Application: SAP NetWeaver AS Java
Versions Affected: SAP NetWeaver SLD
Vendor URL: SAP
Bugs: Information disclosure
Vendor response: 23.04.2016
Date of Public Advisory: 08.11.2016
Reference: SAP Security Note 2342940
Author: Mathieu Geli (ERPScan)
Impact: loss of information and system configuration confidentiality
Remotely Exploitable: yes
Locally Exploitable: no
CVSS Base Score v3: 5.3 / 10
CVSS Base Vector:
| Metric | Value |
|---|---|
| AV: Attack Vector (Related exploit range) | Network (N) |
| AC: Attack Complexity (Required attack complexity) | Low (L) |
| PR: Privileges Required (Level of privileges needed to exploit) | None (N) |
| UI: User Interaction (Required user participation) | None (N) |
| S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Unchanged (U) |
| C: Impact to Confidentiality | Low (L) |
| I: Impact to Integrity | None (N) |
| A: Impact to Availability | None (N) |
The SLD Web Dynpro component allows an anonymous user to enter a URL and makes the server send a fixed (SLD-specific) payload to it.
An attacker can use this information disclosure vulnerability to reveal additional information (system data, debugging information, etc.) that helps to learn about the system and to plan other attacks.
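Because the server itself sends the payload to whatever URL is supplied, use of this component for port scanning shows up in egress logs as the AS Java host opening connections to many distinct host:port pairs within a short time. The following detection logic is an added example, not part of the ERPScan advisory or of SAP's fix; the log format, IP addresses, time window and threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample egress log (assumed format): timestamp, source IP, dest host:port
SAMPLE_LOG = """\
2016-11-08T09:00:00 10.0.0.5 10.0.2.10:1521
2016-11-08T09:30:00 10.0.0.5 10.0.2.10:1521
2016-11-08T10:00:01 10.0.0.5 10.0.1.20:21
2016-11-08T10:00:02 10.0.0.5 10.0.1.20:22
2016-11-08T10:00:03 10.0.0.5 10.0.1.20:23
2016-11-08T10:00:04 10.0.0.5 10.0.1.20:25
2016-11-08T10:00:05 10.0.0.5 10.0.1.20:80
2016-11-08T10:00:06 10.0.0.5 10.0.1.20:443
2016-11-08T10:00:07 10.0.0.9 10.0.1.20:443
# truncated
2016-11-08T10:30:00 10.0.0.5 10.0.2.10:1521
"""

def parse(log):
    """Yield (timestamp, src, dst_host, dst_port) and skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src, dst = parts
        host, _, port = dst.rpartition(":")
        if host and port.isdigit():
            yield datetime.fromisoformat(ts), src, host, int(port)

def scan_bursts(log, server_ip, window=timedelta(seconds=60), threshold=5):
    """Return [(burst_start, sorted targets)] where server_ip contacted at
    least `threshold` distinct host:port pairs within `window`."""
    events = sorted((ts, (host, port))
                    for ts, src, host, port in parse(log) if src == server_ip)
    bursts, i = [], 0
    while i < len(events):
        j, targets = i, set()
        while j < len(events) and events[j][0] - events[i][0] <= window:
            targets.add(events[j][1])
            j += 1
        if len(targets) >= threshold:
            bursts.append((events[i][0], sorted(targets)))
            i = j  # report each burst once, then continue after it
        else:
            i += 1
    return bursts

if __name__ == "__main__":
    for start, targets in scan_bursts(SAMPLE_LOG, "10.0.0.5"):
        print(start.isoformat(), len(targets), "distinct targets:", targets)
```

Repeated connections to the same database port do not count toward the threshold, since only distinct host:port pairs are tallied; tune the window and threshold to the server's normal outbound profile.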
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2342940.
SAP NetWeaver 7.5 information disclosure on SLD Test application.
Proof of Concept