[ERPSCAN-17-051] Log injection in SAP NetWeaver AS Java using basic auth

Application: SAP NetWeaver AS Java
Versions Affected: ENGINEAPI 7.10-7.50
Vendor URL: SAP
Bug: Log Injection
Reported: 17.05.2017
Vendor response: 18.05.2017
Date of Public Advisory: 14.11.2017
Reference: SAP Security Note 2485208
Author: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: Injection
Risk: Medium
Impact: An attacker receives the privilege to read sensitive data
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS v3 Base Score: 4.3 / 10
CVSS v3 Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) Low (L)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality None (N)
I: Impact to Integrity Low (L)
A: Impact to Availability None (N)

DESCRIPTION

User input is not checked for CRLF characters, so an attacker can forge entries in a log file.

BUSINESS RISK

An attacker can use a Log Injection vulnerability to inject arbitrary data into the audit log. A large amount of illegal data can complicate analysis of the audit log. It can also rapidly fill disk space and damage the event log.

VULNERABLE PACKAGES

ENGINEAPI 7.10-7.50

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2485208.

TECHNICAL DESCRIPTION

The vulnerability is present in any component using basic authorization. For example, with this PoC any information can be injected into the following log file: C:\usr\sap\%SID%\J00\j2ee\cluster\server0\log\system\security_%%.%.log
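The following Java sketch is an added example, not code from this advisory or from SAP. It shows the defensive pattern for this bug class: the user name decoded from a Basic Authorization header is escaped before it reaches a log line, so CR and LF can no longer start a new entry. The class name, the LOGIN.FAILED line format and the sample user name are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added illustration, not SAP code. Class name and log line format are hypothetical.
public class BasicAuthLogSanitizer {

    // Decode the user name from an "Authorization: Basic ..." header value.
    static String userFromBasicHeader(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return "";
        }
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String credentials = new String(raw, StandardCharsets.UTF_8);
            int colon = credentials.indexOf(':');
            return colon < 0 ? credentials : credentials.substring(0, colon);
        } catch (IllegalArgumentException e) {
            return ""; // not valid Base64
        }
    }

    // Escape backslashes, CR, LF and all other control or line-separator
    // characters so that one request can only ever produce one log line.
    static String neutralize(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            if (c == '\\') out.append("\\\\");
            else if (c == '\r') out.append("\\r");
            else if (c == '\n') out.append("\\n");
            else if (Character.isISOControl(c) || c == 0x2028 || c == 0x2029)
                out.append(String.format("\\u%04x", (int) c));
            else out.append(c);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a user name carrying CRLF plus a made-up second line.
        String user = "guest\r\nFORGED ENTRY";
        String header = "Basic " + Base64.getEncoder()
                .encodeToString((user + ":x").getBytes(StandardCharsets.UTF_8));
        String decoded = userFromBasicHeader(header);
        String unsafe = "LOGIN.FAILED user=" + decoded;            // raw value
        String safe = "LOGIN.FAILED user=" + neutralize(decoded);  // escaped value
        System.out.println("raw entry lines:     " + unsafe.split("\\R").length);
        System.out.println("escaped entry lines: " + safe.split("\\R").length);
        System.out.println(safe);
    }
}
```

Escaping the backslash as well keeps the encoding unambiguous, so an analyst reading the log can tell an escaped line break from a literal `\n` typed by the user.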

Proof of Concept