[ERPSCAN-17-032] SAP POS Missing Authentication in XpressServer

Application: SAP POS Xpress Server
Vendor URL: SAP
Bug: Missing Authentication Check
Reported: 15.05.2017
Vendor response: 16.05.2017
Date of Public Advisory: 11.07.2017
Reference: SAP Security Note 2520064
Author: Vladimir Egorov (ERPScan)

VULNERABILITY INFORMATION

Class: Missing Authentication Check
Impact: broken authentication
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS v3 Base Score: 8.1 / 10
CVSS v3 Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) High (H)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality High (H)
I: Impact to Integrity High (H)
A: Impact to Availability High (H)

Description

An attacker can read and clear file content on the SAP POS server, shut down the Xpress Server application, monitor the content shown on POS terminals, and brute-force cashiers' logins and passwords.

Business risk

An attacker can use a Missing Authentication Check vulnerability to access a service without authenticating and use service functionality that is meant to have restricted access. This can lead to information disclosure, privilege escalation and other attacks.

VULNERABLE PACKAGES

XPRESSBU 1020
XPRESSBU 1030

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2520064.

TECHNICAL DESCRIPTION

An attacker can read and clear file content on the SAP POS server, shut down the Xpress Server application, monitor the content shown on POS terminals, and brute-force cashiers' logins and passwords through Xpress Server TCP port 2202 without authentication.

To do so, an attacker connects to the server's port 2202 using telnet. The welcome message shows the Xpress Server's version and name. The "Help" command reveals some of the possible actions:

The help output is not exhaustive; there are additional commands that it does not list:

The most critical commands are described below.

SHOWTERM

Shows the active and inactive terminals of the system and of the Backup Server, including store number, terminal number, cashier name and cashier number.

PoC

MONTERM

Lets the user monitor everything that appears on the receipt window of the POS terminal.

PoC

RUNEOD AND TERMACTION

Initiates End of Day processing and signs off the POS terminal.

PoC

SHUTDOWN

Shuts down the Xpress Server application.

PoC

APM-VALIDATE-PASSWD

Changes the current cashier's password to a new one; the current password must be supplied and is validated first. Because this check is reachable without authentication, it is also the surface for the credential brute-forcing mentioned above.

PoC

FILE-OPEN AND FILE-READ

Reads data from an arbitrary file on the server.

PoC
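The following probe is an added example and is not part of the ERPScan advisory or of SAP's software. It reproduces the first, non-destructive step of the technical description above (connect to TCP 2202, read the welcome banner, send HELP) so that an operator can check whether an Xpress Server command interface is reachable without a login step. The line-oriented text syntax, the `HELP\r\n` command framing and the banner/HELP contents of the embedded fake server are assumptions for illustration, not captured output; the advisory only states that the port answers over telnet and that a "Help" command exists. No destructive commands (SHUTDOWN, FILE-READ, RUNEOD) are sent.

```python
"""Unauthenticated banner/HELP probe for a text-protocol service on TCP 2202.

Added example, not part of the ERPScan advisory. Assumptions (not confirmed by
the advisory): the service talks a line-oriented text protocol, sends a welcome
banner on connect, and answers a HELP command. A constructed fake server is
embedded so the probe runs offline. Only the non-destructive HELP command is sent.
"""
import socket
import threading

XPRESS_PORT = 2202          # port named in the advisory
IDLE_TIMEOUT = 1.0          # seconds of silence before a read is considered complete


def _recv_until_idle(sock, idle_timeout=IDLE_TIMEOUT, max_bytes=65536):
    """Collect bytes until the peer closes or stays silent for idle_timeout."""
    sock.settimeout(idle_timeout)
    chunks, total = [], 0
    while total < max_bytes:
        try:
            data = sock.recv(4096)
        except socket.timeout:
            break
        if not data:
            break
        chunks.append(data)
        total += len(data)
    return b"".join(chunks).decode("latin-1").strip()


def probe_xpress_server(host, port=XPRESS_PORT, timeout=3.0):
    """Connect, grab the banner, send HELP and report whether commands are
    accepted without any login step. Returns a dict; raises OSError if the
    port is closed or unreachable."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _recv_until_idle(sock)
        sock.sendall(b"HELP\r\n")       # assumed command framing (see module docstring)
        help_text = _recv_until_idle(sock)
    return {
        "banner": banner,
        "help": help_text,
        # Heuristic: a non-empty HELP reply that is not a login/password prompt
        # means the command interface is reachable unauthenticated.
        "accepts_commands": bool(help_text) and "password" not in help_text.lower(),
    }


# ---- constructed fake server so the probe can be exercised offline ----------
FAKE_BANNER = b"Xpress Server (constructed sample banner, not real output)\r\n"
FAKE_HELP = b"Commands: HELP SHOWTERM MONTERM SHUTDOWN\r\n"


def start_fake_server():
    """Start a one-shot fake server on 127.0.0.1 and return its ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(FAKE_BANNER)
            conn.settimeout(5.0)
            buf = b""
            while b"\n" not in buf:
                data = conn.recv(1024)
                if not data:
                    return
                buf += data
            if buf.strip().upper().startswith(b"HELP"):
                conn.sendall(FAKE_HELP)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Stand-alone run against the constructed fake server; point
    # probe_xpress_server() at a real host to check an actual deployment.
    port = start_fake_server()
    print(probe_xpress_server("127.0.0.1", port))
```

A result with `accepts_commands` set to true on a production host means the command interface answers before any login and the system should be checked for SAP Security Note 2520064; the probe deliberately stops at HELP and never issues the file, shutdown or end-of-day commands listed above.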