[ERPSCAN-18-003] SAP Java P4 SLD SSRF

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver 7.4, 7.5
Vendor URL: SAP
Bug: SSRF
Reported: 05.10.2017
Vendor response: 06.10.2017
Date of Public Advisory: 13.02.2018
Reference: SAP Security Note 2565622
Author: Mathieu Geli (ERPScan)

VULNERABILITY INFORMATION

Class: Missing Authentication Check
Risk: Medium
Impact: Read, modify or delete sensitive information
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS v3 Base Score: 8.3 / 10
CVSS v3 Base Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

AV: Attack Vector (Related exploit range): Network (N)
AC: Attack Complexity (Required attack complexity): Low (L)
PR: Privileges Required (Level of privileges needed to exploit): None (N)
UI: User Interaction (Required user participation): None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component): Changed (C)
C: Impact to Confidentiality: Low (L)
I: Impact to Integrity: Low (L)
A: Impact to Availability: Low (L)

DESCRIPTION

An attacker can force the SAP server to send an SLD query to any internal server.

BUSINESS RISK

An attacker can use a Server Side Request Forgery vulnerability to gain access to internal servers that are not directly reachable from the attacker's position.

VULNERABLE PACKAGES

SAP NetWeaver 7.4, 7.5

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2565622.

TECHNICAL DESCRIPTION

While connecting to the Java bean SLDJAVA_ACCESSOR_REQUEST via the P4 protocol, we noticed that the method pingSLD() of the class AbapSLDRequest is available to the J2EE_GUEST user (the identity assigned to an anonymous network user connected to the J2EE engine).

The method has the following prototype: pingSLD(String host, Integer port, String user, String pass). It connects to the specified host on the specified port and passes user:pass as HTTP Basic authentication. The anonymous network client controls all of these parameters, so it can force the server to connect to any internal server and port, which allows port scanning through the SAP server or authentication attempts against legitimate SLD servers using attacker-chosen credentials.
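As an added example, not part of this advisory or of SAP's code, the following Python sketch shows the checks a corrected pingSLD() entry point should apply before opening any outbound connection: refuse the J2EE_GUEST identity, require an administrative role, and contact only a server-side configured SLD whose credentials the caller never supplies. The policy class, the role name SLD_ADMIN and the destination values are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Identity the J2EE engine assigns to an unauthenticated P4 client (from the advisory).
ANONYMOUS_USER = "J2EE_GUEST"


@dataclass(frozen=True)
class SldDestination:
    """A server-side configured SLD. Credentials live here, never in the client request."""
    host: str
    port: int
    user: str
    password: str


class SldPingPolicy:
    """Hypothetical policy a hardened pingSLD() would consult (not SAP's implementation)."""

    def __init__(self, destinations: Iterable[SldDestination],
                 required_roles: Iterable[str] = ("SLD_ADMIN",)):
        self._by_endpoint = {(d.host.lower(), d.port): d for d in destinations}
        self._required_roles = set(required_roles)

    def authorize(self, caller_user: str, caller_roles: Iterable[str],
                  host: str, port: int) -> Tuple[Optional[SldDestination], str]:
        """Return (destination, reason); destination is None when the ping must be refused."""
        # 1. The anonymous P4 identity must never reach this method.
        if caller_user == ANONYMOUS_USER:
            return None, "anonymous caller"
        # 2. Require an administrative role, not merely an authenticated session.
        if not self._required_roles & set(caller_roles):
            return None, "caller lacks an SLD administration role"
        # 3. Reject malformed ports before any lookup.
        if not isinstance(port, int) or not 1 <= port <= 65535:
            return None, "invalid port"
        # 4. Only server-side configured SLDs may be contacted: the client selects one
        #    of them but cannot name an arbitrary host/port or pass its own user:pass.
        dest = self._by_endpoint.get((host.strip().lower(), port))
        if dest is None:
            return None, "destination is not a configured SLD"
        return dest, "ok"


if __name__ == "__main__":
    # Constructed sample configuration; the caller-supplied 172.16.2.179:4444 is refused.
    policy = SldPingPolicy([SldDestination("sld.corp.example", 50000, "SLDDSUSER", "<secret>")])
    print(policy.authorize("J2EE_GUEST", [], "172.16.2.179", 4444))
    print(policy.authorize("admin", ["SLD_ADMIN"], "sld.corp.example", 50000)[1])
```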

Proof of Concept

The result of execution by connecting to the SAP server 172.16.30.29 and asking to connect back to us on port 4444 (our IP is 172.16.2.179) looks like this: