- ERPSCAN Research Advisory [ERPSCAN-15-017] SAP NetWeaver J2EE DAS service - Unauthorized Access
- Application: SAP NetWeaver
- Versions Affected: SAP NetWeaver AS JAVA, probably others
- Vendor URL: http://SAP.com
- Bugs: Unauthorized access
- Sent: 20.04.2013
- Reported: 21.04.2013
- Vendor response: 21.04.2013
- Date of Public Advisory: 13.10.2015
- Reference: SAP Security Note 1945215
- Author: Alexander Polyakov (ERPScan)
- Description
- 1. ADVISORY INFORMATION
- Title: SAP NetWeaver J2EE DAS service – Unauthorized Access
- Advisory ID: [ERPSCAN-15-017]
- Risk: High
- Advisory URL: http://erpscan.com/advisories/erpscan-15-017-sap-netweaver-j2ee-das-service-unauthorized-access/
- Date published: 13.10.2015
- Vendors contacted: SAP
- 2. VULNERABILITY INFORMATION
- Class: Unauthorized Access [CWE-284]
- Impact: Unauthorized access to some functions
- Remotely Exploitable: Yes
- Locally Exploitable: No
- CVSS Information
- CVSS Base Score: 3.5 / 10
- CVSS v2 Base Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N
- AV : Access Vector (Related exploit range): Network (N)
- AC : Access Complexity (Required attack complexity): Medium (M)
- Au : Authentication (Level of authentication needed to exploit): Single (S)
- C : Impact to Confidentiality: Partial (P)
- I : Impact to Integrity: None (N)
- A : Impact to Availability: None (N)
- 3. VULNERABILITY DESCRIPTION
- An authenticated user can call functions of the XML Data Archiving
- Service (DAS) that should be restricted to specifically authorized
- users. This may result in privilege escalation.
- 4. VULNERABLE PACKAGES
- SAP NetWeaver AS JAVA
- Other versions are probably affected too, but they were not checked.
- 5. SOLUTIONS AND WORKAROUNDS
- To correct this vulnerability, install SAP Security Note 1945215.
- 6. AUTHOR
- Alexander Polyakov (ERPScan)
- 7. TECHNICAL DESCRIPTION
- It is possible to call some of the DAS JSPs without authorization,
- because those pages do not check whether the caller is authorized
- before serving the request.
- Most of the DAS JSPs open with an authorization check that reads the
- caller's authorization value from the HTTP session:
-     // value stored in the session at logon; absent means an empty string
-     String authorization = (String) session.getAttribute("AuthRequHead");
-     if (authorization == null) {
-         authorization = "";
-     }
- But those checks are absent from three JSPs:
- http://SAP_IP/DataArchivingService/webcontent/cas/cas_enter.jsp
- http://SAP_IP/DataArchivingService/webcontent/cas/cas_validate.jsp
- http://SAP_IP/DataArchivingService/webcontent/aas/aas_store.jsp
- As a result, an anonymous user can call those JSPs directly.
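- A quick way to check a landscape for this exposure is to request each of the three JSPs with no session cookie and no Authorization header and look at the status code. The script below is added here as an example; it is not part of the advisory and not SAP code. Its assumptions are stated in the code: a plain 200 on an unauthenticated request is treated as exposed, a 401/403 or a 3xx redirect (AS Java normally sends an unauthenticated browser to its logon page) as protected, and a 200 whose body looks like a logon form is flagged for manual review. The host name and the sample responses used for the offline run are constructed.

```python
"""Unauthenticated probe of the three DAS JSPs named in the advisory.

Added example, not part of the advisory and not SAP code. Assumptions:
a 200 on a request carrying no session or Authorization header means the
JSP is reachable anonymously; 401/403 or a 3xx redirect (AS Java usually
sends the browser to its logon page) means a check is in place. A 200 whose
body looks like a logon form is flagged for manual review instead.
"""
from typing import Callable, Dict, Tuple
import urllib.error
import urllib.request

# Paths from Section 7 of the advisory, relative to the AS Java HTTP port.
DAS_JSPS = (
    "/DataArchivingService/webcontent/cas/cas_enter.jsp",
    "/DataArchivingService/webcontent/cas/cas_validate.jsp",
    "/DataArchivingService/webcontent/aas/aas_store.jsp",
)

EXPOSED = "EXPOSED: reachable without authentication"
PROTECTED = "PROTECTED: request rejected or redirected to logon"
REVIEW = "REVIEW: 200 but body looks like a logon form"
NOT_DEPLOYED = "NOT DEPLOYED: 404"

# A fetcher returns (status, first bytes of body) for a URL. It is injected so
# the classification can be exercised offline; the default uses urllib.
Fetcher = Callable[[str], Tuple[int, str]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx as the result instead of following it to the logon page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError with the 3xx code


def urllib_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Plain GET with no cookies and no Authorization header.

    Connection-level failures (URLError) are left to propagate: they are
    not an answer about authorization."""
    req = urllib.request.Request(url, headers={"User-Agent": "das-authz-check"})
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all arrive here
        body = err.read(4096) if err.fp is not None else b""
        return err.code, body.decode("utf-8", "replace")


def classify(status: int, body: str) -> str:
    """Map one response to a verdict; the heuristics are this example's."""
    if status == 200:
        lowered = body.lower()
        if "logon" in lowered or "login" in lowered or 'type="password"' in lowered:
            return REVIEW
        return EXPOSED
    if status in (401, 403) or 300 <= status < 400:
        return PROTECTED
    if status == 404:
        return NOT_DEPLOYED
    return f"UNEXPECTED: HTTP {status}"


def probe(base_url: str, fetch: Fetcher = urllib_fetch) -> Dict[str, str]:
    """Return {jsp_path: verdict} for the three JSPs on one AS Java host."""
    base = base_url.rstrip("/")
    return {path: classify(*fetch(base + path)) for path in DAS_JSPS}


# Constructed sample responses (not captured from any real system) so the
# classification can be run and checked offline.
SAMPLE_RESPONSES = {
    DAS_JSPS[0]: (200, "<html><body><h2>Create archive store</h2>..."),
    DAS_JSPS[1]: (302, ""),
    DAS_JSPS[2]: (200, '<form action="/logon"><input type="password" name="j_password"></form>'),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for urllib_fetch that serves SAMPLE_RESPONSES."""
    for path, response in SAMPLE_RESPONSES.items():
        if url.endswith(path):
            return response
    return 404, ""


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    verdicts = probe(target) if target else probe("http://sap.example:50000", sample_fetch)
    for path, verdict in verdicts.items():
        print(f"{verdict:55} {path}")
```

Run it with the AS Java base URL (for example `python das_check.py http://host:50000`) to probe a real system; without an argument it runs against the constructed sample responses. A REVIEW verdict is not a pass: open the page in a browser without a session and confirm that what came back is the logon form and not the archive-store dialog.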
- The most critical one is cas_enter.jsp. Through it we can create an
- archive store pointing at an arbitrary directory, and also:
- 1) Check whether a given file or directory exists on the server, by
- comparing the responses returned while creating an archive store
- 2) Perform an SMB relay attack by putting a UNC path such as
- \\remotehost\aa into the Windows root variable, which makes the server
- open an SMB connection to a host we control
- 3) Potentially make HTTP and other outbound calls when the store uses
- WebDAV
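- The three abuse cases above share one cause once the JSP is reached: the archive root string is taken from the request and handed to the file system or a WebDAV client as-is. The function below is added here as an illustration of the input check a practitioner would expect before such a value is used; it is not SAP's code and not the content of Security Note 1945215, which remains the actual fix. It rejects UNC paths, rejects URL schemes, and confines the path to an allowed base directory. The base directory and the sample inputs are constructed for the example.

```python
"""Validation of a user-supplied archive-store root.

Added illustration, not SAP code and not the content of Security Note
1945215. It rejects the three shapes of input the advisory abuses: a UNC
path (SMB relay), a URL (WebDAV / HTTP call-outs) and a path that resolves
outside the directory the service may write to (file-existence oracle).
The allowed base directory is an assumption for the example.
"""
import posixpath
import re
from typing import Optional

REASON_UNC = "UNC path: server would authenticate to a remote SMB host"
REASON_URL = "URL scheme: server would issue an outbound network request"
REASON_OUTSIDE = "path resolves outside the allowed archive base"
REASON_EMPTY = "empty or whitespace-padded path"

_DRIVE_RE = re.compile(r"^[A-Za-z]:/")                  # C:/... after separator folding
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")  # http:, webdav:, file:, ...


def _normalize(path: str) -> str:
    """Fold Windows separators into '/' and collapse '.' and '..' segments."""
    return posixpath.normpath(path.replace("\\", "/"))


def _is_absolute(path: str) -> bool:
    return path.startswith("/") or bool(_DRIVE_RE.match(path))


def archive_root_error(candidate: str, allowed_base: str) -> Optional[str]:
    """Return None if candidate may be used as an archive root, else the reason not."""
    if not candidate or candidate != candidate.strip():
        return REASON_EMPTY
    # UNC in either separator style: \\host\share or //host/share
    if candidate.startswith(("\\\\", "//")):
        return REASON_UNC
    # Anything of the form "scheme:" except a Windows drive letter followed by
    # a separator. "C:archive" (drive-relative) is rejected as well; fail closed.
    if _SCHEME_RE.match(candidate) and not _DRIVE_RE.match(candidate.replace("\\", "/")):
        return REASON_URL
    base = _normalize(allowed_base).rstrip("/")
    norm = _normalize(candidate)
    if not _is_absolute(norm):
        # Relative roots are interpreted below the base, never below the CWD.
        norm = posixpath.normpath(posixpath.join(base, norm))
    # Case-sensitive prefix test including the separator, so that
    # /sap/archive2 does not pass for /sap/archive.
    if norm == base or norm.startswith(base + "/"):
        return None
    return REASON_OUTSIDE


def is_allowed_archive_root(candidate: str, allowed_base: str) -> bool:
    return archive_root_error(candidate, allowed_base) is None


if __name__ == "__main__":
    # Constructed inputs: the attacker-shaped values from the advisory next to
    # legitimate ones, checked against an assumed base directory.
    base_dir = "/usr/sap/DAS/archive"
    for value in (
        "\\\\remotehost\\aa",
        "http://attacker.example/dav/",
        "/usr/sap/DAS/archive/../../../../etc",
        "/usr/sap/DAS/archive2",
        "/usr/sap/DAS/archive/2013/Q2",
        "2013/Q2",
    ):
        reason = archive_root_error(value, base_dir)
        print(f"{'OK     ' if reason is None else 'REJECT '} {value!r}: {reason or 'accepted'}")
```

The test is deliberately lexical (no file-system access) so it cannot itself be turned into an existence oracle, and it compares case-sensitively: on Windows that may reject a differently-cased but legitimate path, which is the safe direction to fail.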
- 8. REPORT TIMELINE
- Sent: 20.04.2013
- Reported: 21.04.2013
- Vendor response: 21.04.2013
- Date of Public Advisory: 13.10.2015
- 9. REFERENCES
- http://erpscan.com/advisories/erpscan-15-017-sap-netweaver-j2ee-das-service-unauthorized-access/
- 10. ABOUT ERPScan Research
- The company’s expertise is based on the research subdivision of
- ERPScan, which is engaged in vulnerability research and analysis of
- critical enterprise applications. It has achieved multiple
- acknowledgments from the largest software vendors like SAP, Oracle,
- Microsoft, IBM, VMware, HP for exposing 400+ vulnerabilities in their
- solutions (200 of them just in SAP!).
- ERPScan researchers are proud to have exposed new types of
- vulnerabilities (TOP 10 Web Hacking Techniques 2012) and were
- nominated for best server-side vulnerability at BlackHat 2013.
- ERPScan experts have been invited to speak, present, and train at 60+
- prime international security conferences in 25+ countries on every
- continent. These include BlackHat, RSA, HITB as well as private
- trainings for SAP in several Fortune 2000 companies.
- ERPScan researchers lead project EAS-SEC, which is focused on
- enterprise application security research and awareness. They have
- published 3 exhaustive annual award-winning surveys about SAP
- security.
- ERPScan experts have been interviewed by leading media resources and
- specialized info-sec publications worldwide: Reuters, Yahoo, SC
- Magazine, The Register, CIO, PC World, DarkReading, Heise, and
- Chinabyte, to name a few.
- We have highly qualified experts on staff with experience in many
- different fields of security, from web applications and
- mobile/embedded to reverse engineering and ICS/SCADA systems, who pool
- their experience to conduct research in SAP security.
- 11. ABOUT ERPScan
- ERPScan is the most respected and credible Business Application
- Security provider. Founded in 2010, the company operates globally and
- enables large Oil and Gas, Financial, and Retail organizations to
- secure their mission-critical processes. Named an Emerging Vendor in
- Security by CRN, listed among TOP 100 SAP Solution Providers and
- distinguished by 30+ other awards, ERPScan is the leading SAP SE
- partner in discovering and resolving security vulnerabilities. ERPScan
- consultants work with SAP SE in Walldorf to assist in improving the
- security of their latest solutions.
- ERPScan’s primary mission is to close the gap between technical and
- business security, and provide solutions to evaluate and secure SAP
- and Oracle ERP systems and business-critical applications from both
- cyber-attacks and internal fraud. Usually our clients are large
- enterprises, Fortune 2000 companies, and managed service providers
- whose requirements are to actively monitor and manage security of vast
- SAP landscapes on a global scale.
- We ‘follow the sun’ and operate from two hubs, located in Palo Alto and
- Amsterdam, to provide threat intelligence services and agile support,
- and we run local offices and a partner network spanning 20+ countries
- around the globe.
- USA address: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
- Phone: 650.798.5255
- Twitter: @erpscan
- Scoop-it: Business Application Security
- http://erpscan.com