SAP Crystal Reports Information Disclosure

2019.07.08

Credit: Mohamed

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2019-0285

CWE: CWE-200

CVSS Base Score: 5/10

Impact Subscore: 2.9/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: None

Availability impact: None

# Exploit Title: [Sensitive Information Disclosure in SAP Crystal Reports]
# Date: [2019-04-10]
# Exploit Author: [Mohamed M.Fouad - From SecureMisr Company]
# Vendor Homepage: [https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114]
# Version: [SAP Crystal Reports for Visual Studio, Version - 2010] (REQUIRED)
# Tested on: [Windows 10]
# CVE : [CVE-2019-0285]

POC:

1- Intercept the "Export" report http request

2- Copy the "__CRYSTALSTATE" + <crystal report user control> Viewer name parameter value. 

3- You will find a base64 value in "viewerstate" attribute. 

4- decode the value you will get database information such as: name, credentials, Internal Path disclosure and some debugging information.

See this note in RAW Version

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

SAP Crystal Reports Information Disclosure

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

SAP Crystal Reports Information Disclosure

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.