Category:   Application (Generic)  >   SAP Business Connector
Vendors:   SAP
SAP Business Connector Lets Remote Authenticated Users View and Delete Files
SecurityTracker Alert ID:  1016090
SecurityTracker URL:  http://securitytracker.com/id/1016090
CVE Reference:   CVE-2006-0732
Updated:  Dec 13 2009
Original Entry Date:  May 15 2006
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 4.6, 4.7
Description:   Leandro Meiners of CYBSEC reported a vulnerability in SAP Business Connector. A remote authenticated user can view or delete files on the target system with the privileges of the SAP Business Connector process. A remote user can also conduct phishing attacks against the target administrator.

The Monitoring function of the SAP Adapter does not properly validate user-supplied input in the 'fullName' parameter. A remote authenticated user can supply a specially crafted URL to view files on the target system.

A demonstration exploit URL is provided:

http://[target]/SAP/chopSAPLog.dsp?fullName=<path_to_file>

A remote authenticated user can also supply a specially crafted URL to delete files on the target system. A demonstration exploit URL to delete a file on the system is provided:

http://[target]/invoke/sap.monitor.rfcTrace/deleteSingle?fullName=<path_to_file>

Files can be viewed and deleted with the privileges of the Business Connector process.

On Windows-based systems, the Business Connector runs with administrator privileges by default.

On Linux/UNIX-based systems, the Business Connector runs with root privileges by default.

The SAP Business Connector Core Fix 7 (and prior versions) may facilitate phishing attacks against the target administrator. The 'url' parameter of the 'adapter-index.dsp' script is not properly validated. A remote user can create a URL that includes an absolute URL in the 'url' parameter. When the created URL is loaded by the target administrator, the content specified in the absolute URL will load in an HTML frame.

The vendor was notified on December 6, 2005.

The original advisories are available at:

http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Arbitrary_File_Read_or_Delete_in_SAP_BC.pdf

http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Phishing_Vector_in_SAP_BC.pdf

Impact:   A remote authenticated user can view or delete files on the target system with the privileges of the SAP Business Connector process.

A remote user may be able to conduct phishing attacks against a target administrator.

Solution:   The vendor has issued a patch for the file disclosure and deletion vulnerability. More information is available in SAP note 906401.

The vendor has issued a patch for the phishing vulnerability for Server Core Fix 7. More information is available in SAP note 908349.

Vendor URL:  www.sap.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

Source Message Contents

Subject:  CYBSEC - Security Advisory: Arbitrary File Read/Delete in SAP BC

(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Arbitrary_File_Read_or_Delete_in_SAP_BC.pdf )

CYBSEC S.A.
www.cybsec.com

Advisory Name: Arbitrary File Read/Delete in SAP BC (Business Connector)

Vulnerability Class: Improper Input Validation

Release Date: 05/15/2006

Affected Applications:  
* SAP BC 4.6
* SAP BC 4.7

Affected Platforms: 
* Platform-Independent

Local / Remote: Remote

Severity: Medium

Author:  Leandro Meiners.

Vendor Status:  
* Confirmed, patch released.

Reference to Vulnerability Disclosure Policy: 
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
=================

SAP Business Connector (SAP BC) is a middleware application based on B2B
integration server from webMethods. It enables communication between SAP
applications and SAP R/3 and non-SAP applications, by making all SAP
functions accessible to business partners over the Internet as an
XML-based service.
The SAP Business Connector uses the Internet as a communication platform
and XML or HTML as the data format. It integrates non-SAP products by
using an open, non-proprietary technology.
 
Vulnerability Description:
==========================

SAP BC was found to allow reading and deleting any file from the file
system to which the user that the SAP BC is running as had access. The
vulnerability is present in the Monitoring functionality of the SAP
Adapter. 

Technical Details:
==================

When you view a log file (such as new_sap.log) the URL used is: 

http://sapbc/SAP/chopSAPLog.dsp?fullName=packages%2FSAP%2Flogs%2Fnew_sap.log

If the fullName parameter is changed to /etc/passwd (URL encoded)
instead of <SAP PATH>/packages/SAP/logs/new_sap.log being viewed, the
contents of the file /etc/passwd are presented to the user. As mentioned
before, any file on the File System to which the user that the SAP BC is
running as has read access can be viewed.

The following URL (designed to allow deletion of log files) allows
deleting any file on the File System that the user the SAP BC is running
as can delete.

http://sapbc/invoke/sap.monitor.rfcTrace/deleteSingle?fullName=<path_to_file>

Impact:
=======

The Business Connector by default runs as a privileged user
(administrator on the Windows platform and root on *NIX platforms),
which allows ANY file on the File System to be read/deleted.

According to the SAP Business Connector Security Best Practices, the
following strategies are recommended for running the SAP BC in *NIX
environments:
1. Running as a non-root user, using a high port.
2. Running as a non-root user, using a high port and port remapping to
"see" the SAP BC on a restricted port.
3. Running the JVM setuid root.
4. Running SAP BC as root.

If either strategy (1) or (2) was taken the scope of the vulnerability
was mitigated to allowing read/delete access to only the files owned by
the user which the BC was running as. However, if (3) or (4) had been
chosen ANY file on the File System could be read/deleted from the BC.
Moreover, (3) allowed any user of the Operating System to obtain root
since any Java program would be run with root privileges due to a SetUid
Java Virtual Machine.

The SAP Business Connector Security Best Practices has been corrected to
recommend running the BC as a non-root user and using a high-numbered
port or, if supported by the Operating System, giving the user
privileges to open a specific port below 1024 to be used by the BC.

Solutions:
==========

SAP released a patch regarding this issue, for versions 4.6 and 4.7 of
SAP BC. Details can be found in SAP note 906401.

Vendor Response:
================

* 12/06/2005: Initial Vendor Contact.
* 12/07/2005: Technical details for the vulnerabilities sent to vendor.
* 01/20/2006: Solution provided by vendor.
* 02/15/2006: Coordinated release of pre-advisory without technical details.
* 05/15/2006: Coordinated release of advisory with technical details.

Contact Information:
====================

For more information regarding the vulnerability feel free to contact
the author at lmeiners<at>cybsec.com.

For more information regarding CYBSEC: www.cybsec.com


----------------------------
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lmeiners@cybsec.com
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index
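As an added example (not SAP's or CYBSEC's code), the following Python shows the path-confinement check that the chopSAPLog.dsp and deleteSingle handlers described in the Technical Details need for fullName, and runs it as a detector over constructed access-log lines containing the legitimate new_sap.log request and the /etc/passwd abuse. The install root /opt/sapbc (the advisory's <SAP PATH>) and the common-log-format lines are assumptions.

```python
# Added example (not SAP's or CYBSEC's code): a path-confinement check of the
# kind a fixed chopSAPLog.dsp / deleteSingle handler needs, plus a scan of
# constructed access-log lines for requests whose fullName leaves the log dir.
import posixpath
from urllib.parse import urlsplit, parse_qs

SAP_PATH = "/opt/sapbc"                      # hypothetical <SAP PATH> install root
LOGS_DIR = posixpath.join(SAP_PATH, "packages", "SAP", "logs")
MONITOR_PAGES = ("/SAP/chopSAPLog.dsp",
                 "/invoke/sap.monitor.rfcTrace/deleteSingle")

def resolve_full_name(full_name):
    """Return the normalised absolute path for an already URL-decoded fullName,
    or None when it does not name a file strictly inside LOGS_DIR.
    The legitimate value is relative to SAP_PATH (packages/SAP/logs/...)."""
    if "\x00" in full_name or "\\" in full_name or full_name.startswith("/"):
        return None                          # NUL, Windows separators, /etc/passwd
    candidate = posixpath.normpath(posixpath.join(SAP_PATH, full_name))
    if not candidate.startswith(LOGS_DIR + "/"):
        return None                          # escaped via ../ or another subtree
    return candidate

def flag_suspicious_requests(log_lines):
    """Return (page, fullName) pairs for requests to the monitoring pages whose
    fullName is not confined to LOGS_DIR. Lines are in common log format."""
    hits = []
    for line in log_lines:
        try:
            target = line.split('"')[1].split()[1]   # "GET /path?query HTTP/1.0"
        except IndexError:
            continue
        parts = urlsplit(target)
        if parts.path not in MONITOR_PAGES:
            continue
        for full_name in parse_qs(parts.query).get("fullName", []):
            if resolve_full_name(full_name) is None:
                hits.append((parts.path, full_name))
    return hits

# Constructed sample lines: the legitimate new_sap.log request from the
# advisory, then the file-read and file-delete abuses it describes.
SAMPLE_LOG = [
    '10.0.0.5 - admin [15/May/2006:10:00:01 +0000] "GET /SAP/chopSAPLog.dsp?fullName=packages%2FSAP%2Flogs%2Fnew_sap.log HTTP/1.0" 200 512',
    '10.0.0.9 - admin [15/May/2006:10:00:07 +0000] "GET /SAP/chopSAPLog.dsp?fullName=%2Fetc%2Fpasswd HTTP/1.0" 200 1839',
    '10.0.0.9 - admin [15/May/2006:10:00:12 +0000] "GET /SAP/chopSAPLog.dsp?fullName=packages%2FSAP%2Flogs%2F..%2F..%2F..%2F..%2Fetc%2Fhosts HTTP/1.0" 200 300',
    '10.0.0.9 - admin [15/May/2006:10:00:20 +0000] "GET /invoke/sap.monitor.rfcTrace/deleteSingle?fullName=%2Fetc%2Fshadow HTTP/1.0" 200 17',
]
```

Running `flag_suspicious_requests(SAMPLE_LOG)` reports the three abusive requests and passes the legitimate one; the traversal line is included only because any confinement check must cover it, not because the advisory shows it.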

------

(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Phishing_Vector_in_SAP_BC.pdf )

CYBSEC S.A.
www.cybsec.com

Advisory Name: Phishing Vector in SAP BC (Business Connector)

Vulnerability Class: Phishing Vector / Improper Input Validation

Release Date: 05/15/2006

Affected Applications:  
* SAP BC Core Fix 7 (and below)

Affected Platforms: 
* Platform-Independent

Local / Remote: Remote

Severity: Low

Author:  Leandro Meiners.

Vendor Status:  
* Confirmed, patch released.

Reference to Vulnerability Disclosure Policy: 
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
=================

SAP Business Connector (SAP BC) is a middleware application based on B2B
integration server from webMethods. It enables communication between SAP
applications and SAP R/3 and non-SAP applications, by making all SAP
functions accessible to business partners over the Internet as an
XML-based service.
The SAP Business Connector uses the Internet as a communication platform
and XML or HTML as the data format. It integrates non-SAP products by
using an open, non-proprietary technology.

Vulnerability Description:
==========================

SAP BC was found to provide a vector to allow Phishing scams against the
SAP BC administrator.

Technical Details:
==================

The parameter url of the page adapter-index.dsp allows absolute URLs,
such as http://www.google.com. This can be used to mount a Phishing scam
by sending a link like
http://sapbc/WmRoot/adapter-index.dsp?url=http://www.attacker.com that,
if clicked by the administrator (while logged in, or if they log in after
clicking), will load the attacker's site webpage inside an HTML frame.

Impact:
=======

This can be used to mount a Phishing scam by sending a link that, if
clicked by the administrator (while logged in, or if they log in after
clicking), will load the attacker's site webpage inside an HTML frame.

Solutions:
==========

SAP released a patch regarding this issue, which requires Server Core
Fix 7. Details can be found in SAP note 908349.

Vendor Response:
================

* 12/06/2005: Initial Vendor Contact.
* 12/07/2005: Technical details for the vulnerabilities sent to vendor.
* 12/19/2005: Solutions provided by vendor for all vulnerabilities.
* 02/15/2006: Coordinated release of pre-advisory without technical details.
* 05/15/2006: Coordinated release of advisory with technical details.

Contact Information:
====================

For more information regarding the vulnerability feel free to contact
the author at lmeiners<at>cybsec.com.

For more information regarding CYBSEC: www.cybsec.com

----------------------------
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lmeiners@cybsec.com
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index
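The allow-list check that the url parameter of adapter-index.dsp needs, as an added Python example that is not SAP's or CYBSEC's code: only a path on the SAP BC server itself may be framed, so the http://www.attacker.com value from the Technical Details is refused. The fallback page name is an assumption.

```python
# Added example (not SAP's or CYBSEC's code): the allow-list check a fixed
# adapter-index.dsp needs for its url parameter. Only a path on the SAP BC
# server itself may be framed; any value naming another host is refused.
from urllib.parse import urlsplit, unquote

DEFAULT_PAGE = "adapter-index.dsp"           # assumed fallback, not from the advisory

def is_safe_frame_target(url_param):
    """True only if url_param is a same-server relative or absolute-path URL."""
    value = unquote(url_param).strip()       # catch %-encoded schemes as well
    if not value or any(c in value for c in "\r\n\x00"):
        return False
    # Browsers treat "\" like "/", so "/\attacker.com" is scheme-relative too.
    parts = urlsplit(value.replace("\\", "/"))
    if parts.scheme or parts.netloc:
        return False                         # http://www.attacker.com, //host, javascript:
    return True

def frame_target(url_param):
    """Page to load in the frame: the requested same-server page, else the default."""
    return url_param if is_safe_frame_target(url_param) else DEFAULT_PAGE
```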
Copyright 2019, SecurityGlobal.net LLC