
CYBSEC-SAPBC2.txt

Posted May 22, 2006
Authored by Leandro Meiners | Site cybsec.com

CYBSEC Security Advisory - SAP BC was found to allow reading and deleting any file on the file system to which the user account that SAP BC runs as has access. The vulnerability is present in the Monitoring functionality of the SAP Adapter. Affected versions are SAP BC 4.6 and 4.7.

tags | exploit
SHA-256 | c8bc6a731b2ebaef23b185c3f666d7668b9b2e2c18e43dca79c563367958356d

(The following advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Arbitrary_File_Read_or_Delete_in_SAP_BC.pdf )

CYBSEC S.A.
www.cybsec.com

Advisory Name: Arbitrary File Read/Delete in SAP BC (Business Connector)

Vulnerability Class: Improper Input Validation

Release Date: 05/15/2006

Affected Applications:
* SAP BC 4.6
* SAP BC 4.7

Affected Platforms:
* Platform-Independent

Local / Remote: Remote

Severity: Medium

Author: Leandro Meiners.

Vendor Status:
* Confirmed, patch released.

Reference to Vulnerability Disclosure Policy:
http://www.cybsec.com/vulnerability_policy.pdf

Product Overview:
=================

SAP Business Connector (SAP BC) is a middleware application based on the
webMethods B2B Integration Server. It enables communication between SAP
applications, such as SAP R/3, and non-SAP applications by making SAP
functions accessible to business partners over the Internet as
XML-based services.
The SAP Business Connector uses the Internet as its communication
platform and XML or HTML as its data format, and integrates non-SAP
products using open, non-proprietary technology.

Vulnerability Description:
==========================

SAP BC was found to allow reading and deleting any file on the file
system to which the user account that SAP BC runs as has access. The
vulnerability is present in the Monitoring functionality of the SAP
Adapter.

Technical Details:
==================

When a log file (such as new_sap.log) is viewed, the URL used is:

http://sapbc/SAP/chopSAPLog.dsp?fullName=packages%2FSAP%2Flogs%2Fnew_sap.log

The fullName parameter is not restricted to the log directory. If it is
changed to /etc/passwd (URL-encoded as %2Fetc%2Fpasswd) instead of
<SAP PATH>/packages/SAP/logs/new_sap.log, the contents of /etc/passwd are
returned to the user. As mentioned above, any file on the file system
that the user SAP BC runs as has read access to can be viewed this way.

The following URL (intended to allow deletion of log files) likewise
allows deleting any file on the file system that the user SAP BC runs as
can delete:

http://sapbc/invoke/sap.monitor.rfcTrace/deleteSingle?fullName=<path_to_file>
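The following is an added example, not code from CYBSEC or SAP. It models the two behaviours described above in Python: the unconfined resolution of fullName that the advisory reports, and a confined replacement that accepts only files strictly below the log directory. It then runs the confined check as a detection over a few constructed access-log lines, flagging requests to the two endpoints above whose fullName escapes the log directory. The install root /opt/sapbc, the function names and the sample log lines are assumptions made for this illustration.

```python
"""Added example (not CYBSEC's or SAP's code): a model of the fullName
resolution the advisory describes, a confined replacement, and a scan of
access-log lines for requests that escape the log directory.

Assumptions: the install root /opt/sapbc, the function names and the
sample log lines are all constructed for this illustration."""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

SAP_ROOT = "/opt/sapbc"                      # assumed <SAP PATH>
LOG_ROOT = posixpath.join(SAP_ROOT, "packages", "SAP", "logs")

# Endpoints named in the advisory that accept a fullName parameter.
MONITORED_PATHS = {
    "/SAP/chopSAPLog.dsp": "read",
    "/invoke/sap.monitor.rfcTrace/deleteSingle": "delete",
}


def resolve_as_deployed(full_name: str) -> str:
    """Model of the vulnerable behaviour: a relative value is taken under
    the install root, an absolute value replaces it outright (that is what
    posixpath.join does), so '/etc/passwd' names /etc/passwd and a run of
    '..' walks out of the installation."""
    return posixpath.normpath(posixpath.join(SAP_ROOT, full_name))


def resolve_confined(full_name: str) -> Optional[str]:
    """Hardened form: resolve the same way, then accept only paths strictly
    below LOG_ROOT; anything else yields None.

    The check is lexical (normpath), which defeats '..' and absolute
    values.  On a live server also pass the result through
    os.path.realpath so a symlink planted in the log directory cannot
    point elsewhere, and on Windows use ntpath instead of posixpath."""
    if any(ord(c) < 0x20 for c in full_name) or "\\" in full_name:
        return None                          # control bytes, NUL, backslashes
    candidate = resolve_as_deployed(full_name)
    # The separator in the prefix matters: without it '.../logs_old/x' passes.
    if not candidate.startswith(LOG_ROOT + "/"):
        return None
    return candidate


# Common Log Format request line: client address, then the request target.
_REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"'
)

Finding = Tuple[str, str, str, str]          # client, action, fullName, resolved path


def classify_request(client: str, target: str) -> Optional[Finding]:
    """Return a finding when a monitored endpoint is called with a fullName
    that resolve_confined rejects; None for anything benign or unrelated."""
    parts = urlsplit(target)
    action = MONITORED_PATHS.get(parts.path)
    if action is None:
        return None
    values = parse_qs(parts.query).get("fullName")   # parse_qs percent-decodes
    if not values:
        return None
    full_name = values[0]
    if resolve_confined(full_name) is not None:
        return None
    return (client, action, full_name, resolve_as_deployed(full_name))


def scan_access_log(text: str) -> List[Finding]:
    """Run classify_request over every CLF line in `text`."""
    findings = []
    for line in text.splitlines():
        m = _REQUEST_RE.match(line)
        if m:
            hit = classify_request(m.group(1), m.group(2))
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample traffic (not a real capture): one legitimate log view,
# the two requests from the advisory, and a '..' variant of the first.
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2006:10:00:01 +0000] "GET /SAP/chopSAPLog.dsp?fullName=packages%2FSAP%2Flogs%2Fnew_sap.log HTTP/1.0" 200 5120
10.0.0.9 - - [15/May/2006:10:00:07 +0000] "GET /SAP/chopSAPLog.dsp?fullName=%2Fetc%2Fpasswd HTTP/1.0" 200 1843
10.0.0.9 - - [15/May/2006:10:00:12 +0000] "GET /invoke/sap.monitor.rfcTrace/deleteSingle?fullName=%2Fetc%2Fshadow HTTP/1.0" 200 0
10.0.0.9 - - [15/May/2006:10:00:20 +0000] "GET /SAP/chopSAPLog.dsp?fullName=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.0" 200 1843
"""

if __name__ == "__main__":
    for client, action, name, path in scan_access_log(SAMPLE_LOG):
        print(f"{client} {action} fullName={name!r} -> {path}")
```

The legitimate request in the sample passes because it resolves to a file below packages/SAP/logs; the other three are flagged whether the escape is an absolute path or a run of "..". The prefix test compares against LOG_ROOT plus a separator, which is the detail most often missed in this kind of fix.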

Impact:
=======

The Business Connector runs by default as a privileged user
(Administrator on the Windows platform and root on *NIX platforms),
which allows ANY file on the file system to be read or deleted.

According to the SAP Business Connector Security Best Practices, the
following strategies are recommended for running the SAP BC in *NIX
environments:
1. Running as non root user, using a high port.
2. Running as non root user, using a high port and port remapping to
"see" the SAP BC in a restricted port.
3. Running the JVM setuid root.
4. Running SAP BC as root

If strategy (1) or (2) was chosen, the scope of the vulnerability was
limited to read/delete access to the files that the user the BC was
running as could access. However, if (3) or (4) had been chosen, ANY
file on the file system could be read or deleted through the BC.
Moreover, (3) allowed any local user of the operating system to obtain
root, since a setuid-root Java Virtual Machine runs any Java program with
root privileges.

The SAP Business Connector Security Best Practices document has been
corrected to recommend running the BC as a non-root user on a
high-numbered port or, where the operating system supports it, granting
that user the privilege to open the specific port below 1024 that the BC
is to use.

Solutions:
==========

SAP released a patch regarding this issue, for versions 4.6 and 4.7 of
SAP BC. Details can be found in SAP note 906401.

Vendor Response:
================

* 12/06/2005: Initial Vendor Contact.
* 12/07/2005: Technical details for the vulnerabilities sent to vendor.
* 01/20/2006: Solution provided by vendor.
* 02/15/2006: Coordinated release of pre-advisory without technical
details.
* 05/15/2006: Coordinated release of advisory with technical details.

Contact Information:
====================

For more information regarding the vulnerability feel free to contact
the author at lmeiners<at>cybsec.com.

For more information regarding CYBSEC: www.cybsec.com


----------------------------
Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lmeiners@cybsec.com
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com
PGP-Key: http://pgp.mit.edu:11371/pks/lookup?search=lmeiners&op=index