SAP Internet Graphics Server (IGS) XMLCHART XXE attack (CVE-2018-2392 and CVE-2018-2393) #14163
When creating a pull request, please ensure that the default pull request template has been updated with the required details.
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems.
About
This module implements the SAP Internet Graphics Server (IGS) XXE attack.
Verification Steps
Options
FILE: File to read from the remote server, example: SHOW
URN: Vulnerable SAP IGS URN, by default:
Actions
Scenarios
Vulnerable SAP IGS release: 7.45 running on SUSE Linux Enterprise Server for SAP Applications 12 SP1
@cdelafuente-r7 add docs #14163 (comment)
All of this information should be moved from this comment into a file at Additionally, if you could run
Made some recommendations based on the code so far; the code will likely need a few more rounds of review before it's ready to land. Please let me know if you have any questions or concerns, as I know a few of the recommended changes may be a little confusing.
    end

    def action_dos
A lot of the code for this function seems similar to the code for the check method, which is in turn similar to the code for the action_file_read function. I would look at trying to reduce code reuse throughout your module, as it seems a lot of these functions perform nearly identical actions at times.
@Vladimir-Ivanov-Git Reviewed some of the changes you made; there are a few that seem like they weren't addressed though. I'll edit a few of these issues where I can tomorrow, but until then I still need the following info:
URN:
Thanks for your pull request! As part of our landing process, we manually verify that all modules work as expected. We have been unable to test this module successfully. This may be due to software or hardware requirements we cannot replicate. To help unblock this pull request, please:
Once there's a clear path for testing and evaluating this module, we can progress with this further.
@Vladimir-Ivanov-Git I have tried to get access to the SAP IGS server as a download, but it appears that it is paid software and Rapid7 does not have a copy of it in our testing labs. Most likely we will need to receive PCAPs from you showing that this module works as expected, unless we are somehow able to obtain a legal copy of the software for testing. Please send these PCAPs to the address listed above. Additionally, this module is still missing setup steps. I have attempted to add some initial setup steps and marked where I had to stop with Please additionally note that within the module I was not able to determine which user the file read occurs as. Is it the user running the SAP IGS server? SYSTEM? Some other user? It would be helpful, given this is essentially an arbitrary file read vulnerability, to know who we are reading the files as, since certain files such as I have also made several changes in the meantime to sort out some of the issues described in my earlier reviews. There is still more work to do though, and I will be adding another round of reviews in after these issues
Changes from 0a6f3a7 look good, still reviewing the other commit
This output is not from after b080803 was applied: it does not include several changes that were made to the output.
08f4284 Should fix the issues identified in the last review. The comment at #14163 (comment) still applies though, as does the part about updating the documentation with the new output from the exploit.
Current ltype -
After 0c26fd2
Last commits look all good, should be good to land this now 👍
Alright, going to do a quick rebase of this module @Vladimir-Ivanov-Git, just so that the commit history is a little easier to see, as right now there are a lot of cases where there are multiple commits which are all essentially doing the same thing. Once this is cleaned up (which I will do now) I'll land this in.
Quick note for the future @Vladimir-Ivanov-Git: if in future you could make sure your commit messages have useful info about what they change, that would be helpful. It's a little confusing looking at a commit message that just says "Update script", as it doesn't tell me what that commit actually did.
…at was only used once
…lls a bit cleaner, as well as make some of the explanations a bit neater. Also remove duplicate code from a few places
…so remove some excess information that was leading to some potential confusion
…E bugs in SAP in the future. Also update the documentation accordingly.
…cumentation accordingly.
…e to the documentation to note the renaming of the PATH option to URIPATH. Also update the check method so that it now works correctly and so that other functions return errors appropriately.
…, and to update the return types of send_first_request.
My bad
No problem, fixed it up, all good :)
Original Release Notes
Thanks for the submission @Vladimir-Ivanov-Git, and congrats on landing your first PR in Metasploit! 🥳
Release Notes
New module
This PR adds in support for exploiting CVE-2018-2392 and CVE-2018-2393, two XXE bugs in SAP Internet Graphics Server (IGS) versions 7.20, 7.20EXT, 7.45, 7.49 and 7.53. There are two options for exploitation. The first one is READ, which abuses these two vulnerabilities to read an arbitrary file from the SAP IGS server as the user which started the IGS service, which will typically be the SAP administrator. The second one is DOS, which will exploit the XXE issue to cause a denial of service condition on the targeted SAP IGS server.
Verification
List the steps needed to make sure this thing works:
msfconsole
workspace [WORKSPACE]
use auxiliary/admin/sap/sap_igs_xmlchart_xxe
set RHOSTS [IP]
set FILE "/etc/passwd"
set action READ
check
The check method correctly determines if the target is vulnerable or not.
run
The run method runs the check code again and also successfully retrieves the contents of the target file, which in this case will be /etc/passwd.
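The release notes above describe two abuse cases of the same XML parser weakness: an external entity pointing at a local file (the READ action) and entity expansion (the DOS action). As an added, defender-side example that is not code from the Metasploit module or from this PR, the Ruby script below scans request records for the indicators a detection engineer would look for in traffic to the IGS chart endpoint. The endpoint path `/XMLCHART`, the `ChartData` element names and the sample requests are all constructed for illustration and are not taken from the module or from SAP documentation.

```ruby
# Added example for this thread: a defender-side scanner for XXE indicators in
# requests aimed at the SAP IGS chart endpoint. Not code from the Metasploit
# module or this PR. The endpoint path, the XML element names and the sample
# requests are constructed for illustration only.

IGS_XMLCHART_PATH = '/XMLCHART'.freeze # assumed path; adjust to your deployment

# Patterns that indicate a DTD with external or parameter entities, which
# benign chart XML never needs.
XXE_PATTERNS = {
  doctype: /<!DOCTYPE/i,
  entity: /<!ENTITY\s+\S+\s+(SYSTEM|PUBLIC)/i,
  param_entity: /<!ENTITY\s+%/i,
  file_uri: %r{file://}i
}.freeze

# Number of entity declarations above which entity-expansion DoS is suspected.
ENTITY_COUNT_THRESHOLD = 5

# Constructed sample request records (method, path, body).
SAMPLE_REQUESTS = [
  { id: 1, method: 'POST', path: '/XMLCHART',
    body: '<?xml version="1.0"?><ChartData><Categories><Category>Q1</Category></Categories></ChartData>' },
  { id: 2, method: 'POST', path: '/XMLCHART',
    body: '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><ChartData>&xxe;</ChartData>' },
  { id: 3, method: 'GET', path: '/', body: '' },
  { id: 4, method: 'POST', path: '/XMLCHART',
    body: '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY greeting "hello">]><ChartData>&greeting;</ChartData>' },
  { id: 5, method: 'POST', path: '/xmlchart',
    body: '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;"><!ENTITY c "&b;&b;">' \
          '<!ENTITY d "&c;&c;"><!ENTITY e "&d;&d;">]><ChartData>&e;</ChartData>' }
].freeze

# Returns the list of indicator names found in an XML body.
def xxe_indicators(body)
  hits = XXE_PATTERNS.select { |_name, re| body.match?(re) }.keys
  hits << :many_entities if body.scan(/<!ENTITY/i).size >= ENTITY_COUNT_THRESHOLD
  hits
end

# Classifies one request record. Only POSTs to the chart endpoint are examined.
def classify_request(req)
  return :ignored unless req[:method] == 'POST' && req[:path].casecmp?(IGS_XMLCHART_PATH)

  hits = xxe_indicators(req[:body])
  return :benign if hits.empty?
  # An external or parameter entity is the signature of the file-read case.
  return :xxe_suspected if (hits & %i[entity param_entity file_uri]).any?
  # Many internal entities point at entity expansion, i.e. the DoS case.
  return :expansion_suspected if hits.include?(:many_entities)

  # A DOCTYPE with only a few internal entities is unusual but not conclusive.
  :dtd_present
end

# Maps each request id to its verdict.
def scan_requests(requests)
  requests.map { |req| [req[:id], classify_request(req)] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  scan_requests(SAMPLE_REQUESTS).each { |id, verdict| puts "request #{id}: #{verdict}" }
end
```

The verdicts are deliberately graded: a bare `DOCTYPE` in chart data is worth a low-severity alert, while `SYSTEM`, `PUBLIC`, a parameter entity or a `file://` URI is a high-confidence match for the file-read case, and a pile of internal entity declarations matches the expansion case. In a real deployment the same checks would run over the request bodies a reverse proxy or IDS has already captured in front of the IGS host.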