Advertisement






SAP Application Server ABAP Open Redirection

CVE Category Price Severity
Author Risk Exploitation Type Date
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023100016

Below is a copy:

SAP Application Server ABAP Open Redirection
SEC Consult Vulnerability Lab Security Advisory < 20231005-0 >
=======================================================================
               title: Open Redirect in BSP Test Application it00
                      (Bypass for CVE-2020-6215 Patch)
             product: SAP Application Server ABAP and ABAP
                      Platform (SAP_BASIS)
  vulnerable version: see section "Vulnerable /  tested versions"
       fixed version: see SAP security note 3258950
          CVE number: CVE-2020-6215
              impact: medium
            homepage: https://www.sap.com
               found: 2022-09-23
                  by: Fabian Hagg (Office Vienna)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"SAP is one of the worlds leading producers of software for the management of
business processes."[1]

[1] https://www.sap.com/about/what-is-sap.html


Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory, attackers
can redirect users to arbitrary sites. Targeted users of such an
attack may be victims of successful phishing attempts jeopardizing the
confidentiality of logon information or other data.

SEC Consult recommends to implement the security note 3258950, where the
documented issue is fixed according to the vendor. We advise installing
the correction as a matter of priority to keep business-critical data secure.


Vulnerability overview/description:
-----------------------------------
1) Open Redirect Vulnerability (Patch bypass of CVE-2020-6215)
The sample Business Server Pages (BSP) application it00 suffers from an open
redirect vulnerability that is referred to by CVE-2020-6215 [2]. A patch
for this issue was made available via SAP Security Note 2872782 [3].
During analysis, it was identified that the patch is insufficient and can
be bypassed.

[2] https://nvd.nist.gov/vuln/detail/CVE-2020-6215
[3] https://me.sap.com/notes/2872782


Proof of concept:
-----------------
1) Open Redirect Vulnerability (Patch bypass of CVE-2020-6215)
The following source code excerpt of event handler OnInputProcessing() of
BSP subpage transition_navigation.htm shows that by the implementation of
SAP Security Note 2872782, an additional check was introduced that validates
the HTTP request parameter applicationUrl against pseudo-headers ~server_name,
respectively ~server_name_expanded. Thus, to verify that the provided URL
complies with these values to only allow redirects to the local server,
the IF condition checks if the specified applicationUrl parameter contains
the host name of the local server. Only if this check is evaluated successfully,
the browser of the calling user gets redirected to the intended page.

---------------------------------------------------------------------------
[...]
when 'call'.
     data: url1      type string,
           url2      type string,
           host_name type string.
     host_name = request->get_header_field( '~server_name' ).
     if host_name is initial.
       host_name = request->get_header_field( '~server_name_expanded' ).
     endif.
     url = request->get_form_field( 'applicationUrl' ).
     if url cs host_name.
       split url at '?' into url1 url2.
       url2 = cl_abap_dyn_prg=>escape_xss_url( url2 ).
       concatenate url1 '?' url2 into url.
       navigation->call_application( url = url ).
     endif.
* negative test cases
   when 'error_no_such_exit'.
     navigation->next_page( 'NAVFAIL' ).


endcase.
---------------------------------------------------------------------------

It was observed that this check can be bypassed, for example, by crafting
special HTTP requests that contain the host name of the target application
server (the PoC uses the <app server hostname> placeholder) within the query string
part of the URL provided via parameter applicationUrl. To validate this issue,
the following URL can be browsed to in order to trigger the vulnerability and
circumvent the implemented patch.

---------------------------------------------------------------------------
http[s]://<app server hostname>:<ICM port>/sap/bc/bsp/sap/it00/transition_
navigation.htm?ApplicationURL=http://127.0.0.1:8080/?<app server hostname>
&onInputProcessing%28call%29=Start+Application
---------------------------------------------------------------------------

For demonstration purposes, after a successful login, the browser is redirected
by the application server to localhost on port 8080 (any other host/port pair
could by specified by the attacker).

The server replies with a "302 Found" message redirecting the browser to the
localhost address defined in the response Location header field:

---------------------------------------------------------------------------
HTTP/2 302 Found
Content-Type: text/html
Content-Length: 0
Location: http://127.0.0.1:8080/?<app server hostname>&sap-params=[...]
---------------------------------------------------------------------------

An attacker can create a URL which would redirect the victim to a malicious
site, for example, a phishing site convincing the victim to login once again.


Vulnerable / tested versions:
-----------------------------
The following version has been tested and found to be vulnerable:

- SAP_BASIS release 755, SP level 01

According to the vendor the following releases and versions
are affected by the discovered vulnerability:

- SAP_BASIS 700-702
- SAP_BASIS 731
- SAP_BASIS 740
- SAP_BASIS 750-757


Vendor contact timeline:
------------------------
2022-10-03: Contacting vendor through vulnerability submission web form.
2022-10-04: Vendor confirms receipt and assigns internal ID #2270141902.
2022-10-19: Vendor confirms vulnerability and proposes new CVSS score of
             5.4 (NLNR|U|LLN).
2022-10-24: Asking vendor why new CVSS rating differs from initial
             vulnerability rating. No response.
2022-11-24: Asking vendor for update.
2022-11-30: Vendor states that the patch is about to be released with the
             upcoming Patch Tuesday December 2022.
2022-12-13: Vendor releases patch with SAP Security Note 3258950.
2023-10-05: Release of security advisory.


Solution:
---------
The vendor provides a patched version which should be installed immediately.
Patches are available in form of SAP Security Notes which can be accessed
via the SAP Customer Launchpad [4]. More information can also be found in
the Official SAP Security Patchday Blog [5].

The following Security Note needs to be implemented: 3258950

[4] https://me.sap.com/app/securitynotes
[5] https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10


Workaround:
-----------
Disable BSP test application it00 in the ICF service tree in transaction
SICF.


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF F. Hagg / @2023

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.