Source |
Code White |
Identifier |
366253 |
Publication date |
2017-05-17 16:56:28 (viewed: 2017-05-17 16:56:28) |
Title |
SAP Customers: Make sure your SAPJVM is up to date! |
Text |
Summary
Code White already has an impressive publication record on Java deserialization. This post is dedicated to a vulnerability in SAP NetWeaver Java. We could reach remote code execution through the p4 protocol and the Jdk7u21 gadget with certain engines and certain versions of the SAP JVM.

We would like to emphasize the big threat unauthenticated RCE poses to an SAP NetWeaver Java. An attacker with a remote shell can read out the secure storage, access the database, create a local NetWeaver user with administrative privileges, in other words, fully compromise the host. Unfortunately, this list is far from complete. An SAP landscape is usually a network of tightly connected servers and services. It wouldn't be unusual for the database of the server to store technical users with high privileges for other SAP systems, be it NetWeaver ABAP or others. Once the attacker gets hold of credentials for those users she can extend her foothold in the organization and eventually compromise the entire SAP landscape.

We tested our exploit successfully on 7.20, 7.30 and 7.40 machines; for detailed version numbers see below. When contacted, SAP Product Security Response told us they had published three notes (see [7], [8] and [9]) about updates fixing the problems (already in June 2013) with SAP JVM versions 1.5.0_086, 1.6.0_052 and 1.7.0_009 (we tested on earlier versions, see below). In addition, SAP has recently adopted JDK JEP 290 (a Java enhancement that allows incoming serialized data to be filtered). However, these three notes neither mention Java deserialization nor make it obvious to the reader that they relate to security in any other way. Due to missing access to the SAP Service Marketplace, we are unable to make any statement about the aforementioned SAP JVM versions. We could only analyze the latest available SAP JVM from tools.hana.ondemand.com (see [6]), which contained a fix for the problem.

Details
In his RuhrSec 2016 talk, Code White's former employee Matthias Kaiser already talked about SAP NetWeaver Java being vulnerable [2]. The work described here is completely independent of his research.

The natural entry point in this area is the p4 protocol. We found a p4 test client on SAP Collaboration Network and sniffed the traffic. One doesn't need to wait long until a serialized object is sent over the wire (the two offset sequences below are the two directions of the connection):

00000000 76 31                                            v1
00000002 18 23 70 23 34 4e 6f 6e 65 3a 31 32 37 2e 30 2e .#p#4Non e:127.0.
00000012 31 2e 31 3a 35 39 32 35 36                       1.1:5925 6
    00000000 76 31 19 23 70 23 34 4e 6f 6e 65 3a 31 30 2e 30 v1.#p#4N one:10.0
    00000010 2e 31 2e 31 38 34 3a 35 30 30 30 34             .1.184:5 0004
0000001B 00 00 11 00 00 00 00 00 00 00 ff ff ff ff 00 00 ........ ........
0000002B 00 00 00 00 00 00 0a 00 63 00 6f 00 63 00 72    ........ c.o.c.r
    0000001C 00 00 75 00 00 00 ff ff ff ff 9e 06 60 00 00 00 ..u..... ....`... |
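The mitigation the post refers to, JEP 290, lets the receiving side of an ObjectInputStream decide per class whether deserialization may proceed, which is exactly the check a p4 endpoint that blindly called readObject() on attacker-controlled bytes was missing. The example below is added here for illustration and is not code from Code White or SAP. It assumes the Java 9+ ObjectInputStream.setObjectInputFilter API and uses a plain java.util.LinkedHashSet stream as a constructed stand-in for a gadget payload (the Jdk7u21 chain uses LinkedHashSet among other classes); the allowlist pattern and the class name SerialFilterDemo are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;

public class SerialFilterDemo {

    // JEP 290 pattern syntax, matched left to right, first match wins.
    // Only the classes a HashMap<String,Integer> stream actually names are
    // accepted (Integer's serializable superclass Number included); the
    // trailing "!*" rejects everything else. maxdepth bounds nesting.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;java.util.HashMap;java.lang.Integer;java.lang.Number;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: whatever class the stream names is resolved and
    // instantiated before any application code sees it.
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: the filter is consulted for every class descriptor
    // as it is read, so a rejected class never gets instantiated.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Integer> expected = new HashMap<>();
        expected.put("ok", 1);
        byte[] benign = serialize(expected);
        System.out.println("filtered, allowed : " + deserializeFiltered(benign));

        // Constructed stand-in for a malicious stream: a class outside the
        // allowlist. A real gadget chain would be rejected at the same point,
        // on its first class descriptor.
        byte[] suspicious = serialize(new LinkedHashSet<>(Arrays.asList("x")));
        System.out.println("unfiltered        : " + deserializeUnfiltered(suspicious));
        try {
            deserializeFiltered(suspicious);
            System.out.println("filtered          : accepted (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide, without touching application code, through the jdk.serialFilter system property, which is how a vendor can retrofit the check onto an existing server. A denylist of known gadget classes is weaker than an allowlist like the one above, because new chains keep appearing; the allowlist should name only the classes the endpoint legitimately expects.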
Sent |
Yes |
Tags |
Guideline |