SAP Application Server ABAP Open Redirection

2023.10.08
Credit: Fabian Hagg
Risk: Low
Local: No
Remote: Yes
CWE: CWE-601


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

SEC Consult Vulnerability Lab Security Advisory < 20231005-0 > ======================================================================= title: Open Redirect in BSP Test Application it00 (Bypass for CVE-2020-6215 Patch) product: SAP® Application Server ABAP and ABAP® Platform (SAP_BASIS) vulnerable version: see section "Vulnerable / tested versions" fixed version: see SAP security note 3258950 CVE number: CVE-2020-6215 impact: medium homepage: https://www.sap.com found: 2022-09-23 by: Fabian Hagg (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "SAP is one of the world’s leading producers of software for the management of business processes."[1] [1] https://www.sap.com/about/what-is-sap.html Business recommendation: ------------------------ By exploiting the vulnerability documented in this advisory, attackers can redirect users to arbitrary sites. Targeted users of such an attack may be victims of successful phishing attempts jeopardizing the confidentiality of logon information or other data. SEC Consult recommends to implement the security note 3258950, where the documented issue is fixed according to the vendor. We advise installing the correction as a matter of priority to keep business-critical data secure. Vulnerability overview/description: ----------------------------------- 1) Open Redirect Vulnerability (Patch bypass of CVE-2020-6215) The sample Business Server Pages (BSP) application it00 suffers from an open redirect vulnerability that is referred to by CVE-2020-6215 [2]. A patch for this issue was made available via SAP Security Note 2872782 [3]. During analysis, it was identified that the patch is insufficient and can be bypassed. [2] https://nvd.nist.gov/vuln/detail/CVE-2020-6215 [3] https://me.sap.com/notes/2872782 Proof of concept: ----------------- 1) Open Redirect Vulnerability (Patch bypass of CVE-2020-6215) The following source code excerpt of event handler OnInputProcessing() of BSP subpage transition_navigation.htm shows that by the implementation of SAP Security Note 2872782, an additional check was introduced that validates the HTTP request parameter ‘applicationUrl’ against pseudo-headers ~server_name, respectively ~server_name_expanded. Thus, to verify that the provided URL complies with these values to only allow redirects to the local server, the IF condition checks if the specified ‘applicationUrl’ parameter contains the host name of the local server. Only if this check is evaluated successfully, the browser of the calling user gets redirected to the intended page. --------------------------------------------------------------------------- [...] when 'call'. data: url1 type string, url2 type string, host_name type string. host_name = request->get_header_field( '~server_name' ). if host_name is initial. host_name = request->get_header_field( '~server_name_expanded' ). endif. url = request->get_form_field( 'applicationUrl' ). if url cs host_name. split url at '?' into url1 url2. url2 = cl_abap_dyn_prg=>escape_xss_url( url2 ). concatenate url1 '?' url2 into url. navigation->call_application( url = url ). endif. * negative test cases when 'error_no_such_exit'. navigation->next_page( 'NAVFAIL' ). endcase. --------------------------------------------------------------------------- It was observed that this check can be bypassed, for example, by crafting special HTTP requests that contain the host name of the target application server (the PoC uses the <app server hostname> placeholder) within the query string part of the URL provided via parameter ‘applicationUrl’. To validate this issue, the following URL can be browsed to in order to trigger the vulnerability and circumvent the implemented patch. --------------------------------------------------------------------------- http[s]://<app server hostname>:<ICM port>/sap/bc/bsp/sap/it00/transition_ navigation.htm?ApplicationURL=http://127.0.0.1:8080/?<app server hostname> &onInputProcessing%28call%29=Start+Application --------------------------------------------------------------------------- For demonstration purposes, after a successful login, the browser is redirected by the application server to localhost on port 8080 (any other host/port pair could by specified by the attacker). The server replies with a "302 Found" message redirecting the browser to the localhost address defined in the response Location header field: --------------------------------------------------------------------------- HTTP/2 302 Found Content-Type: text/html Content-Length: 0 Location: http://127.0.0.1:8080/?<app server hostname>&sap-params=[...] --------------------------------------------------------------------------- An attacker can create a URL which would redirect the victim to a malicious site, for example, a phishing site convincing the victim to login once again. Vulnerable / tested versions: ----------------------------- The following version has been tested and found to be vulnerable: - SAP_BASIS release 755, SP level 01 According to the vendor the following releases and versions are affected by the discovered vulnerability: - SAP_BASIS 700-702 - SAP_BASIS 731 - SAP_BASIS 740 - SAP_BASIS 750-757 Vendor contact timeline: ------------------------ 2022-10-03: Contacting vendor through vulnerability submission web form. 2022-10-04: Vendor confirms receipt and assigns internal ID #2270141902. 2022-10-19: Vendor confirms vulnerability and proposes new CVSS score of 5.4 (NLNR|U|LLN). 2022-10-24: Asking vendor why new CVSS rating differs from initial vulnerability rating. No response. 2022-11-24: Asking vendor for update. 2022-11-30: Vendor states that the patch is about to be released with the upcoming Patch Tuesday December 2022. 2022-12-13: Vendor releases patch with SAP Security Note 3258950. 2023-10-05: Release of security advisory. Solution: --------- The vendor provides a patched version which should be installed immediately. Patches are available in form of SAP Security Notes which can be accessed via the SAP Customer Launchpad [4]. More information can also be found in the Official SAP Security Patchday Blog [5]. The following Security Note needs to be implemented: 3258950 [4] https://me.sap.com/app/securitynotes [5] https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10 Workaround: ----------- Disable BSP test application it00 in the ICF service tree in transaction SICF. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF F. Hagg / @2023


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top