[ERPSCAN-17-019] SAP TREX RCE

Application: SAP TREX
Versions Affected: SAP TREX 7.10
Vendor URL: SAP
Bugs: RCE
Reported: 23.01.2017
Vendor response: 24.01.2017
Date of Public Advisory: 11.04.2017
Reference: SAP Security Note 2419592
Author: Mathieu Geli (ERPScan)

VULNERABILITY INFORMATION

Class: Missing Authentication for Critical Function
Impact: disclosure of OS files and potentially RCE on the server (example given for Linux)
Remotely Exploitable: yes
Locally Exploitable: no
CVE Name: CVE-2017-11459

CVSS Information

CVSS v3 Base Score: 9.4 / 10
CVSS v3 Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality High (H)
I: Impact to Integrity High (H)
A: Impact to Availability Low (L)

Description

Some sensitive operations are exposed without authentication and can be combined to potentially achieve remote command execution on the server.

Business risk

A Remote Command Execution vulnerability allows an attacker to inject code that is then executed by the application. The executed commands run with the same privileges as the service that executed them.

VULNERABLE PACKAGES

SAP TREX 7.10.72 (other versions not tested)
SAP HANA SPS12 (1.00.122.01.1470046197I)
SAP HANA 2.0 express edition (2.00.000.00.1479874437I)

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2419592.

TECHNICAL DESCRIPTION

An attacker can forge a special request to the TREXNet ports 3NN01, 3NN02, 3NN03, 3NN04, 3NN06, 3NN07, 3NN08 to read OS files (command 'fget') or create files (command 'fdir').

If the system runs Linux (where SSH is enabled by default), these two operations can be chained to obtain a shell on the server: a public key is uploaded into the service account's ~/.ssh/authorized_keys file, after which an SSH connection to the server gives full control of the TREX daemon.
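A defender-side check for the exposure described above, added here as an example and not part of the advisory: it derives the TREXNet port set from the SAP instance number and flags flow records that reach those ports from hosts outside an allowlist. The flow record format, IP addresses and allowlist are constructed for illustration.

```python
"""Flag inbound connections to SAP TREXNet ports from non-allowlisted hosts.

Added example for this advisory (not from the original text). TREXNet listens
on ports 3NN01, 3NN02, 3NN03, 3NN04, 3NN06, 3NN07, 3NN08 (NN = two-digit SAP
instance number); the advisory reports that these accept unauthenticated
file read/write requests, so any reachability from untrusted hosts matters.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Port suffixes listed in the advisory's technical description (no 3NN05).
TREXNET_SUFFIXES = (1, 2, 3, 4, 6, 7, 8)


def trexnet_ports(instance: str) -> Set[int]:
    """Return the TREXNet ports for a two-digit SAP instance number, e.g. '00'."""
    if not (instance.isdigit() and len(instance) == 2):
        raise ValueError("SAP instance number must be exactly two digits")
    base = 30000 + int(instance) * 100
    return {base + n for n in TREXNET_SUFFIXES}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Parse 'src_ip dst_ip dst_port' records (constructed format for this example)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = line.split()
        flows.append(Flow(src, dst, int(port)))
    return flows


def suspicious_trexnet_flows(flows: Iterable[Flow], instance: str,
                             allowed_sources: Set[str]) -> List[Flow]:
    """Return flows that hit a TREXNet port from a source outside the allowlist."""
    ports = trexnet_ports(instance)
    return [f for f in flows if f.dst_port in ports and f.src_ip not in allowed_sources]


SAMPLE_FLOWS = """\
# src_ip         dst_ip        dst_port   (constructed sample records)
10.0.5.20        10.0.5.10     30001
10.0.5.21        10.0.5.10     30003
192.0.2.77       10.0.5.10     30007
192.0.2.77       10.0.5.10     30005
198.51.100.9     10.0.5.10     30013
"""
TREX_HOSTS = {"10.0.5.20", "10.0.5.21"}  # hypothetical HANA/TREX cluster members

if __name__ == "__main__":
    for f in suspicious_trexnet_flows(parse_flows(SAMPLE_FLOWS.splitlines()), "00", TREX_HOSTS):
        print(f"ALERT TREXNet port reached from outside allowlist: {f.src_ip} -> {f.dst_ip}:{f.dst_port}")
```

On the sample records only the connection from 192.0.2.77 to port 30007 is reported; 30005 and 30013 are not TREXNet ports for instance 00, and the cluster members are allowlisted.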

Proof of Concept

The first attached file "trex_fget_passwd.bin" is a request to dump the OS file /etc/passwd on a Unix TREX 7.10 patched server.

You can run the exploit like this:

NB: The port can be any of the TREX ports (from 30001 to 30009).

The response should be the content of the /etc/passwd file, like:

The second file is for HANA SPS12, dumping /etc/passwd.

NB: The port can be any of the TREX ports (from 30001 to 30009).

The response should be the content of the /etc/passwd file, looking like: