SEC Consult Vulnerability Lab Security Advisory < 20231005-0 >
=======================================================================
title: Open Redirect in BSP Test Application it00
(Bypass for CVE-2020-6215 Patch)
product: SAP® Application Server ABAP and ABAP®
Platform (SAP_BASIS)
vulnerable version: see section "Vulnerable / tested versions"
fixed version: see SAP security note 3258950
CVE number: CVE-2020-6215
impact: medium
homepage: https://www.sap.com
found: 2022-09-23
by: Fabian Hagg (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"SAP is one of the world’s leading producers of software for the management of
business processes."[1]
[1] https://www.sap.com/about/what-is-sap.html
Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory, attackers
can redirect users to arbitrary sites. Targeted users of such an
attack may be victims of successful phishing attempts jeopardizing the
confidentiality of logon information or other data.
SEC Consult recommends to implement the security note 3258950, where the
documented issue is fixed according to the vendor. We advise installing
the correction as a matter of priority to keep business-critical data secure.
Vulnerability overview/description:
-----------------------------------
1) Open Redirect Vulnerability (Patch bypass of CVE-2020-6215)
The sample Business Server Pages (BSP) application it00 suffers from an open
redirect vulnerability that is referred to by CVE-2020-6215 [2]. A patch
for this issue was made available via SAP Security Note 2872782 [3].
During analysis, it was identified that the patch is insufficient and can
be bypassed.
[2] https://nvd.nist.gov/vuln/detail/CVE-2020-6215
[3] https://me.sap.com/notes/2872782
Proof of concept:
-----------------
1) Open Redirect Vulnerability (Patch bypass of CVE-2020-6215)
The following source code excerpt of event handler OnInputProcessing() of
BSP subpage transition_navigation.htm shows that by the implementation of
SAP Security Note 2872782, an additional check was introduced that validates
the HTTP request parameter ‘applicationUrl’ against pseudo-headers ~server_name,
respectively ~server_name_expanded. Thus, to verify that the provided URL
complies with these values to only allow redirects to the local server,
the IF condition checks if the specified ‘applicationUrl’ parameter contains
the host name of the local server. Only if this check is evaluated successfully,
the browser of the calling user gets redirected to the intended page.
---------------------------------------------------------------------------
[...]
when 'call'.
data: url1 type string,
url2 type string,
host_name type string.
host_name = request->get_header_field( '~server_name' ).
if host_name is initial.
host_name = request->get_header_field( '~server_name_expanded' ).
endif.
url = request->get_form_field( 'applicationUrl' ).
if url cs host_name.
split url at '?' into url1 url2.
url2 = cl_abap_dyn_prg=>escape_xss_url( url2 ).
concatenate url1 '?' url2 into url.
navigation->call_application( url = url ).
endif.
* negative test cases
when 'error_no_such_exit'.
navigation->next_page( 'NAVFAIL' ).
endcase.
---------------------------------------------------------------------------
It was observed that this check can be bypassed, for example, by crafting
special HTTP requests that contain the host name of the target application
server (the PoC uses the <app server hostname> placeholder) within the query string
part of the URL provided via parameter ‘applicationUrl’. To validate this issue,
the following URL can be browsed to in order to trigger the vulnerability and
circumvent the implemented patch.
---------------------------------------------------------------------------
http[s]://<app server hostname>:<ICM port>/sap/bc/bsp/sap/it00/transition_
navigation.htm?ApplicationURL=http://127.0.0.1:8080/?<app server hostname>
&onInputProcessing%28call%29=Start+Application
---------------------------------------------------------------------------
For demonstration purposes, after a successful login, the browser is redirected
by the application server to localhost on port 8080 (any other host/port pair
could by specified by the attacker).
The server replies with a "302 Found" message redirecting the browser to the
localhost address defined in the response Location header field:
---------------------------------------------------------------------------
HTTP/2 302 Found
Content-Type: text/html
Content-Length: 0
Location: http://127.0.0.1:8080/?<app server hostname>&sap-params=[...]
---------------------------------------------------------------------------
An attacker can create a URL which would redirect the victim to a malicious
site, for example, a phishing site convincing the victim to login once again.
Vulnerable / tested versions:
-----------------------------
The following version has been tested and found to be vulnerable:
- SAP_BASIS release 755, SP level 01
According to the vendor the following releases and versions
are affected by the discovered vulnerability:
- SAP_BASIS 700-702
- SAP_BASIS 731
- SAP_BASIS 740
- SAP_BASIS 750-757
Vendor contact timeline:
------------------------
2022-10-03: Contacting vendor through vulnerability submission web form.
2022-10-04: Vendor confirms receipt and assigns internal ID #2270141902.
2022-10-19: Vendor confirms vulnerability and proposes new CVSS score of
5.4 (NLNR|U|LLN).
2022-10-24: Asking vendor why new CVSS rating differs from initial
vulnerability rating. No response.
2022-11-24: Asking vendor for update.
2022-11-30: Vendor states that the patch is about to be released with the
upcoming Patch Tuesday December 2022.
2022-12-13: Vendor releases patch with SAP Security Note 3258950.
2023-10-05: Release of security advisory.
Solution:
---------
The vendor provides a patched version which should be installed immediately.
Patches are available in form of SAP Security Notes which can be accessed
via the SAP Customer Launchpad [4]. More information can also be found in
the Official SAP Security Patchday Blog [5].
The following Security Note needs to be implemented: 3258950
[4] https://me.sap.com/app/securitynotes
[5] https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
Workaround:
-----------
Disable BSP test application it00 in the ICF service tree in transaction
SICF.
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult, an Eviden business
Europe | Asia
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF F. Hagg / @2023