[ERPSCAN-17-011] SAP GUI all versions Remote Code Execution + bypass security policy
Application: SAP GUI
Versions Affected: SAP GUI 7.2-7.5
Vendor URL: SAP
Vendor response: 16.12.2016
Date of Public Advisory: 14.03.2017
Reference: SAP Security Note 2407616
Authors: Dmitry Yudin (ERPScan) aka @ret5et, Vahagn Vardanyan (ERPScan), Dmitry Chastuhin (ERPScan)
Class: Remote Code Execution
Impact: Remote exploitation, bypass of security
Remotely Exploitable: yes
Locally Exploitable: no
CVSS Base Score v3: 8.0 / 10
CVSS Base Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

| Metric | Value |
|---|---|
| AV: Attack Vector (related exploit range) | Network (N) |
| AC: Attack Complexity (required attack complexity) | High (H) |
| PR: Privileges Required (level of privileges needed to exploit) | High (H) |
| UI: User Interaction (required user participation) | None (N) |
| S: Scope (change in scope due to impact caused to components beyond the vulnerable component) | Changed (C) |
| C: Impact to Confidentiality | High (H) |
| I: Impact to Integrity | High (H) |
| A: Impact to Availability | High (H) |
Using specially crafted ABAP code, an attacker can bypass the SAP GUI security policy and execute code.
An attacker can use an RCE vulnerability to execute commands remotely without authorization. The commands run with the same privileges as the service that executed the command. An attacker can access arbitrary files and directories located in the SAP server filesystem, including application source code, configuration, and critical system files. This allows obtaining critical technical and business-related information stored in a vulnerable SAP system.
SAP GUI FOR WINDOWS 7.20 (no longer supported by SAP)
SAP GUI FOR WINDOWS 7.30 (no longer supported by SAP)
SAP GUI FOR WINDOWS 7.40 CORE SP00-SP011
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2407616.
When we open SAP GUI > Options > Security > Security Configuration > Open security configuration, we can see the list of rules that SAP GUI uses. These rules determine whether or not to show a security prompt during critical actions (e.g. when ABAP code wants to read a local file, download a file from the server to the client, or execute a program). Our research revealed that SAP GUI ships with a rule that allows reading, writing, and executing the Windows application regsvr32.exe without a security prompt.
regsvr32.exe can load DLL files from a remote SMB share and execute their DllMain function, so a program-execution rule that exempts it from the prompt effectively exempts arbitrary code.
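The behaviour described above gives a defender a concrete thing to look for on SAP GUI workstations: regsvr32.exe spawned by the SAP GUI process, especially with a UNC path on its command line. The following is an added example written for this advisory (it is not ERPScan's or SAP's code) that scans process-creation events in a simplified key=value form and grades each match. The log format and the sample events are constructed for the example; the SAP GUI parent process names (saplogon.exe, sapgui.exe) are an assumption and should be adjusted to what your telemetry actually records.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation events (sample lines written for this example,
# not real telemetry). Values containing spaces are double-quoted.
SAMPLE_EVENTS = [
    # 1: regsvr32 started by SAP GUI, loading a DLL from an SMB share -> high
    r'ts=2017-03-14T10:01:02Z pid=4120 ppid=3008 image="C:\Windows\System32\regsvr32.exe" '
    r'parent="C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe" '
    r'cmdline="regsvr32.exe /s \\fileserver01\share\lib.dll"',
    # 2: regsvr32 started by SAP GUI with a local DLL -> medium (still unexpected)
    r'ts=2017-03-14T10:02:15Z pid=4388 ppid=3008 image="C:\Windows\System32\regsvr32.exe" '
    r'parent="C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe" '
    r'cmdline="regsvr32.exe /s C:\Temp\ctrl.dll"',
    # 3: regsvr32 started by an installer -> not flagged (normal for setup)
    r'ts=2017-03-14T10:05:40Z pid=5012 ppid=2220 image="C:\Windows\System32\regsvr32.exe" '
    r'parent="C:\Windows\System32\msiexec.exe" '
    r'cmdline="regsvr32.exe /s C:\Program Files\Vendor\control.ocx"',
    # 4: SAP GUI starting something other than regsvr32 -> not flagged by this rule
    r'ts=2017-03-14T10:06:01Z pid=5100 ppid=3008 image="C:\Windows\System32\notepad.exe" '
    r'parent="C:\Program Files (x86)\SAP\FrontEnd\SAPgui\saplogon.exe" '
    r'cmdline="notepad.exe C:\Users\alice\notes.txt"',
]

# key=value pairs; a value is either a double-quoted string or a run of non-space characters
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# a UNC prefix such as \\host\ anywhere in the command line
UNC = re.compile(r'\\\\[^\\\s"]+\\')

# Assumption: process names under which SAP GUI for Windows runs.
SAP_GUI_PARENTS = {"saplogon.exe", "sapgui.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict (quoted values keep their spaces)."""
    # re.findall yields '' for the alternative that did not match, hence `quoted or bare`
    return {key: (quoted or bare) for key, quoted, bare in KV.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return 'high', 'medium' or None for one parsed event.

    high   : regsvr32.exe launched by SAP GUI with a UNC (SMB) path on the command line,
             i.e. the DLL is being loaded from a remote share.
    medium : regsvr32.exe launched by SAP GUI with a local path; SAP GUI is not expected
             to register controls during normal use, so this still deserves review.
    """
    if basename(event.get("image", "")) != "regsvr32.exe":
        return None
    if basename(event.get("parent", "")) not in SAP_GUI_PARENTS:
        return None
    if UNC.search(event.get("cmdline", "")):
        return "high"
    return "medium"


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over raw event lines; return (pid, severity, cmdline) for each hit."""
    findings = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity is not None:
            findings.append((event.get("pid", "?"), severity, event.get("cmdline", "")))
    return findings


if __name__ == "__main__":
    for pid, severity, cmdline in scan(SAMPLE_EVENTS):
        print(f"[{severity.upper():6}] pid={pid} {cmdline}")
```

The high/medium split mirrors the advisory's point: the dangerous case is regsvr32.exe reaching out to a share, but any regsvr32.exe child of the SAP GUI process is unusual enough to surface until the security note is applied and the permissive rule is gone. Feeding real Sysmon event ID 1 or Windows 4688 records into this logic only requires adapting parse_event() to that source's field names.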