
SAP NetWeaver Remote ABAP Code Injection

Posted Apr 24, 2013
Authored by Ertunga Arsal | Site esnc.de

An SAP NetWeaver vulnerability allows injection of ABAP code. In SAP security, this is the equivalent of getting an ultra-reliable ring 0 exploit which works through the network and never crashes. By exploiting this vulnerability an attacker can e.g. inject code which saves the passwords of all connecting SAP GUI users in a remote file, steal or change sensitive data such as HR salary information, execute bank transactions and transfer money, or simply plant an SAP backdoor for accessing the system later. The attacker can also manipulate or corrupt ABAP programs shipped by SAP and make the system inoperable.

tags | advisory, remote
advisories | CVE-2013-3243
SHA-256 | bef5435dd9e71bc842aef59db42966ef03ac40124905e2ccd226ca1a86276d90

[ESNC-2013-004] Remote ABAP Code Injection in OpenText/IXOS ECM for
SAP NetWeaver

Please refer to http://www.esnc.de for the original security advisory,
updates and additional information.

------------------------------------------------------------------------
1. Business Impact
------------------------------------------------------------------------

This vulnerability allows injection of ABAP code to the remote SAP
system. In SAP security, this is the equivalent of getting an
ultra-reliable ring 0 exploit which works through the network and
never crashes.

By exploiting this vulnerability an attacker can e.g. inject code
which saves the passwords of all connecting SAP GUI users in a remote
file, steal or change sensitive data such as HR salary information,
execute bank transactions and transfer money, or simply plant an SAP
backdoor for accessing the system later. The attacker can also
manipulate or corrupt ABAP programs shipped by SAP and make the system
inoperable.

Risk Level: High

------------------------------------------------------------------------
2. Advisory Information
------------------------------------------------------------------------

-- ESNC Security Advisory ID: ESNC-2013-004
-- CVE ID: CVE-2013-3243
-- Original security advisory:
http://www.esnc.de/sap-security-audit-and-scan-services/security-advisories/57-esnc-2013-004-remote-abap-code-injection-in-opentext-ixos-ecm-suite-for-sap-netweaver
-- Reporting Date: 15.09.2012
-- Vendor Patch Date: 16.11.2012
-- Public Advisory Date: 24.04.2013
-- Researcher: Ertunga Arsal

------------------------------------------------------------------------
3. Vulnerability Information
------------------------------------------------------------------------

-- Vendor: OpenText/IXOS
-- Affected Components: ECM Suite - Doculink
-- Affected Versions: Please consult the vendor
-- Vulnerability Class: Remote ABAP Injection
-- CVSS v2 score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
-- Remotely Exploitable: Yes
-- Authentication Required: Yes
-- Additional Notes: Since we have seen this component at every
customer we visited to date, we believe this security issue affects
many enterprises running SAP. An exploit for this vulnerability is
available in ESNC Penetration Testing Suite.

------------------------------------------------------------------------
4. Vulnerability Timeline
------------------------------------------------------------------------

15.09.2012 Informing the vendor about the discovery of a critical
security issue and asking for a contact person to discuss the matter.
24.09.2012 Second attempt, this time to product support. A message
came back confirming that a ticket had been opened and that they would
respond within 4 hours.
06.10.2012 Still no response. We summon a major enterprise customer of
ours, which is also a customer of OpenText, for escalation.
25.10.2012 Key account manager from OpenText calls the customer and
mentions they are still in clarification about the topic.
04.11.2012 Day 50. Humans still haven't noticed they did not ask any
details about the vulnerability yet.
07.11.2012 OpenText asks for information about the vulnerability.
16.11.2012 OpenText releases a correction. The correction basically
says to change the type of the vulnerable function from remote to local.
04.12.2012 Telco about why this is a bad idea.
06.12.2012 OpenText informs us that they are implementing additional measures.
18.01.2013 OpenText informs us that they want to close the ticket.

------------------------------------------------------------------------
5. Solution
------------------------------------------------------------------------

The vendor's fix can be found in
http://mimage.opentext.com/support/ecm/secure/patches/oneoffs/eccn-1351/llsaps-3271.zip.
Please consult the vendor for more accurate information and necessary
steps.

To prevent this and similar flaws, customers can use ESNC Code
Security for scanning their own ABAP code or for assessing the
security of external add-ons installed on their SAP systems.
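
The following is an added example, not part of the original advisory
and not ESNC or OpenText code: a Python check that scans exported ABAP
source for statements that generate program code at runtime inside
function modules and reports whether each module is remote-enabled.
The advisory does not name the vulnerable function or statement; the
statement list, the Z_DEMO_* names and the sample source are
assumptions constructed for illustration.

```python
import re

# ABAP statements that create or overwrite program code at runtime.
DYNAMIC_CODE = re.compile(r"^(GENERATE SUBROUTINE POOL|INSERT REPORT|GENERATE REPORT)\b")
NOISE = re.compile(r"""'[^']*'|`[^`]*`|".*""")  # text literals and inline comments

def strip_noise(line):
    """Drop comments and literals so keywords inside them never match."""
    return "" if line.startswith("*") else NOISE.sub("", line)

def statements(source):
    """Yield (first_line_no, normalized statement); a period ends a statement."""
    clean = "\n".join(strip_noise(l) for l in source.splitlines())
    line = 1
    for raw in clean.split("."):
        lead = len(raw) - len(raw.lstrip())
        first = line + raw[:lead].count("\n")
        line += raw.count("\n")
        stmt = " ".join(raw.upper().split())
        if stmt:
            yield first, stmt

def scan(source, remote_enabled):
    """Return (function, line, statement, exposure) for each hit."""
    findings, current = [], None
    for line_no, stmt in statements(source):
        if stmt.startswith("FUNCTION "):
            current = stmt.split()[1]
        elif stmt == "ENDFUNCTION":
            current = None
        elif current and (hit := DYNAMIC_CODE.match(stmt)):
            exposure = "remote-enabled" if current in remote_enabled else "local"
            findings.append((current, line_no, hit.group(1), exposure))
    return findings

# Constructed sample; names and the remote-enabled set are assumptions.
SAMPLE = """\
FUNCTION z_demo_remote.
* constructed: caller-supplied text ends up in lt_code
  GENERATE SUBROUTINE POOL lt_code
    NAME lv_prog.            "spans two lines
ENDFUNCTION.
FUNCTION z_demo_local.
  INSERT REPORT lv_name FROM lt_code.
  lv_msg = 'GENERATE REPORT appears only in this literal.'.
ENDFUNCTION.
"""
REMOTE_ENABLED = {"Z_DEMO_REMOTE"}
print(scan(SAMPLE, REMOTE_ENABLED))
```

A local function module that still generates code from its parameters
stays reachable through any remote-enabled caller that forwards input,
so local hits are reported for review rather than dropped.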

------------------------------------------------------------------------
About ESNC
------------------------------------------------------------------------

ESNC GmbH, Germany specializes in SAP security audit, SAP
penetration testing, ABAP security review and SAP vulnerability
assessment services.

Its flagship product ESNC Security Suite is used by many large
enterprises for vulnerability scanning their SAP ABAP and Java AS
systems, running ABAP code security reviews, enforcing security
baselines and SAP security monitoring.

For more information about our products and services, please visit our
web page at http://www.esnc.de