Subject: [NEWS] SAP BC Multiple Vulnerabilities (Arbitrary File Read/Delete, Phishing)
Date: 16 May 2006 16:53:44 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  SAP BC Multiple Vulnerabilities (Arbitrary File Read/Delete, Phishing)
------------------------------------------------------------------------


SUMMARY

SAP Business Connector (SAP BC) is a middleware application based on the B2B 
integration server from webMethods.

Improper input validation allows attackers to read and delete arbitrary files 
on the server via directory traversal, and to make users load locations 
outside the SAP interface from within it.

DETAILS

Vulnerable Systems:
 * SAP BC version 4.6
 * SAP BC version 4.7
 * SAP BC Core Fix 7 and prior

Arbitrary File Read/Delete:
SAP BC was found to allow reading and deleting any file on the file system 
to which the user that the SAP BC runs as has access. The vulnerability is 
present in the Monitoring functionality of the SAP Adapter.

When you view a log file (such as new_sap.log) the URL used is:
http://sapbc/SAP/chopSAPLog.dsp?fullName=packages%2FSAP%2Flogs%2Fnew_sap.log

If the fullName parameter is changed to /etc/passwd (URL encoded) instead of 
<SAP PATH>/packages/SAP/logs/new_sap.log, the contents of the file 
/etc/passwd are presented to the user. As mentioned above, any file on the 
File System to which the user that the SAP BC runs as has read access can 
be viewed this way.

The following URL (designed to allow deletion of log files) allows 
deleting any file on the File System that the user the SAP BC is running 
as can delete.

http://sapbc/invoke/sap.monitor.rfcTrace/deleteSingle?fullName=<path_to_file>

The Business Connector by default runs as a privileged user (administrator 
on the Windows platform and root on *NIX platforms), which allows ANY file 
on the File System to be read/deleted.
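The root cause described above is that the fullName parameter is used as a file path without being confined to the log directory. The following Python example (added here; it is not SAP's code and the advisory contains none) shows the unsafe join beside a hardened resolver that canonicalises the path and checks it stays under the log directory. The installation directory /opt/sapbc is an assumption; the packages/SAP/logs sub-path and the encoded parameter value are taken from the advisory's example URL.

```python
import os
from urllib.parse import parse_qs

# Constructed example layout. The advisory does not give SAP BC's real
# installation directory, so this path is an assumption for illustration.
INSTALL_ROOT = "/opt/sapbc"
# The only directory the log viewer is meant to expose (packages/SAP/logs
# matches the path in the advisory's example URL).
LOG_SUBDIR = os.path.join("packages", "SAP", "logs")


def resolve_unsafe(full_name: str, install_root: str = INSTALL_ROOT) -> str:
    """The vulnerable pattern: the request parameter becomes the path as-is.

    os.path.join discards the install root when the second argument is
    absolute, so fullName=/etc/passwd yields /etc/passwd, and '..' segments
    are honoured, so traversal out of the install directory also works.
    """
    return os.path.join(install_root, full_name)


class PathNotAllowed(ValueError):
    """Raised when a requested path must not be served."""


def resolve_log_path(full_name: str, install_root: str = INSTALL_ROOT) -> str:
    """Hardened pattern: confine the requested file to the log directory.

    The parameter is joined to the install root, canonicalised (collapsing
    '..' and following symlinks), and then checked to still lie inside
    INSTALL_ROOT/packages/SAP/logs. Absolute paths are rejected up front.
    """
    if os.path.isabs(full_name):
        raise PathNotAllowed(f"absolute path rejected: {full_name!r}")
    if "\x00" in full_name:
        raise PathNotAllowed("NUL byte in path")
    root = os.path.realpath(install_root)
    logs_dir = os.path.realpath(os.path.join(root, LOG_SUBDIR))
    candidate = os.path.realpath(os.path.join(root, full_name))
    # commonpath is the robust containment test: a plain startswith() check
    # would wrongly accept a sibling directory such as .../logs_old/secret.
    if os.path.commonpath([logs_dir, candidate]) != logs_dir:
        raise PathNotAllowed(f"path escapes log directory: {full_name!r}")
    # A log viewer only needs .log files; tighten the allow-list further.
    if candidate == logs_dir or not candidate.endswith(".log"):
        raise PathNotAllowed(f"not a log file: {full_name!r}")
    return candidate


def is_allowed(full_name: str, install_root: str = INSTALL_ROOT) -> bool:
    """True if resolve_log_path() would serve the file, False otherwise."""
    try:
        resolve_log_path(full_name, install_root)
        return True
    except PathNotAllowed:
        return False


def check_query(query_string: str, install_root: str = INSTALL_ROOT) -> bool:
    """Apply the check to a raw query string as it arrives in the URL.

    parse_qs performs one round of percent-decoding, so the advisory's
    encoded 'packages%2FSAP%2Flogs%2Fnew_sap.log' is decoded before the
    check. Exactly one fullName value is required (no parameter pollution).
    """
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("fullName", [])
    return len(values) == 1 and is_allowed(values[0], install_root)


if __name__ == "__main__":
    # Constructed query strings modelled on the advisory's example URL.
    for q in (
        "fullName=packages%2FSAP%2Flogs%2Fnew_sap.log",
        "fullName=%2Fetc%2Fpasswd",
        "fullName=..%2F..%2F..%2Fetc%2Fpasswd",
        "fullName=packages%2FSAP%2Flogs%2F..%2F..%2F..%2Fetc%2Fpasswd",
    ):
        print(f"{q:<62} -> {'allowed' if check_query(q) else 'rejected'}")
```

The containment check is done on the canonicalised path rather than on the raw parameter, so it also catches encoded or symlinked variants that a blacklist of "../" would miss; the same pattern applies to the deleteSingle endpoint, where the confined path would be passed to the delete routine instead of the viewer.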

According to the SAP Business Connector Security Best Practices, the 
following strategies are recommended for running the SAP BC in *NIX 
environments:
 1. Running as non root user, using a high port.
 2. Running as non root user, using a high port and port remapping to 
"see" the SAP BC in a restricted port.
 3. Running the JVM setuid root.
 4. Running SAP BC as root

If either strategy (1) or (2) is followed, the scope of the vulnerability is 
reduced to read/delete access to only the files owned by the user which the 
BC is running as. However, if (3) or (4) is chosen, ANY file on the File 
System can be read/deleted from the BC.
Moreover, (3) allows any user of the Operating System to obtain root, 
since any Java program is run with root privileges under a setuid-root 
Java Virtual Machine.

The SAP Business Connector Security Best Practices has been corrected to 
recommend running the BC as a non-root user and using a high-numbered port 
or, if supported by the Operating System, giving the user privileges to 
open a specific port below 1024 to be used by the BC.

Phishing Vector:
SAP BC was found to provide a vector to allow Phishing scams against the 
SAP BC administrator.
The parameter url of the page adapter-index.dsp allows absolute URLs, such 
as http://www.google.com. This can be used to mount a Phishing scam by 
sending a link like 
http://sapbc/WmRoot/adapter-index.dsp?url=http://www.attacker.com that if 
clicked by the administrator (while logged in, or logs in after clicking) 
will load the attacker's site webpage inside an HTML frame.
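The frame target comes from a url parameter that accepts absolute URLs. A defender's fix is to accept only references that resolve to a location under the administration UI's own base, which rejects external hosts, protocol-relative references and traversal out of WmRoot alike. The Python example below is added here (not SAP's code; the advisory contains none), uses the host name sapbc and the WmRoot path from the advisory's example URL, and generalises beyond the single http:// case in the text to other forms of external reference. The access-log lines it scans are constructed for the example.

```python
from urllib.parse import urlsplit, urljoin, parse_qs

# Constructed base for the administration UI. The host name "sapbc" and the
# WmRoot path are taken from the advisory's example URL; the scheme is assumed.
ADMIN_BASE = "http://sapbc/WmRoot/"


def safe_frame_target(url: str, base: str = ADMIN_BASE):
    """Return the absolute URL to frame, or None if it must be refused.

    Only a relative reference that stays under BASE is accepted. Anything
    carrying its own scheme or host (http://..., //host/..., javascript:)
    resolves somewhere else and is rejected.
    """
    if not url or any(ord(c) < 0x20 for c in url):
        return None
    # Some browsers treat backslashes as slashes ("\\\\evil" == "//evil");
    # normalise first so the parser sees what the browser would see.
    candidate = url.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return None
    resolved = urljoin(base, candidate)
    # urljoin honours '..', so "../../x" can climb out of WmRoot; verify
    # the final location is still under the base (which ends with '/').
    if not resolved.startswith(base):
        return None
    return resolved


# Constructed access-log lines in common log format for the detection below.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - admin [16/May/2006:10:01:02 +0200] "GET /WmRoot/adapter-index.dsp?url=adapter.dsp HTTP/1.1" 200 512
10.0.0.9 - - [16/May/2006:10:02:15 +0200] "GET /WmRoot/adapter-index.dsp?url=http%3A%2F%2Fwww.attacker.com HTTP/1.1" 200 498
10.0.0.9 - - [16/May/2006:10:02:40 +0200] "GET /WmRoot/adapter-index.dsp?url=%2F%2Fwww.attacker.com%2Flogin HTTP/1.1" 200 498
10.0.0.5 - admin [16/May/2006:10:03:11 +0200] "GET /WmRoot/adapter-index.dsp?url=..%2F..%2Fcgi-bin%2Fx HTTP/1.1" 200 512
"""


def suspicious_frame_requests(log_text: str) -> list:
    """Flag adapter-index.dsp requests whose url parameter would be refused.

    Returns (client_ip, decoded url value) pairs so an analyst can see which
    external targets were being pushed at administrators.
    """
    hits = []
    for line in log_text.splitlines():
        try:
            request = line.split('"')[1]      # 'GET /path?query HTTP/1.1'
            target = request.split(" ")[1]
        except IndexError:
            continue
        if "adapter-index.dsp" not in target or "?" not in target:
            continue
        params = parse_qs(target.split("?", 1)[1])
        for value in params.get("url", []):
            if safe_frame_target(value) is None:
                hits.append((line.split(" ")[0], value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_frame_requests(SAMPLE_ACCESS_LOG):
        print(f"{ip}: refused frame target {value!r}")
```

Resolving against the base and then checking containment is preferable to pattern-matching the raw value: it handles relative paths, absolute paths under WmRoot, and traversal uniformly, and the same function doubles as the detection rule over historical logs.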

Disclosure Timeline:
12/06/2005: Initial Vendor Contact.
12/07/2005: Technical details for the vulnerabilities sent to vendor.
12/19/2005: Solutions provided by vendor for all vulnerabilities.
01/20/2006: Solution provided by vendor.
02/15/2006: Coordinate release of pre-advisory without technical details.
05/15/2006: Coordinate release of advisory with technical details.


ADDITIONAL INFORMATION

The information has been provided by Leandro Meiners <mailto:lmeiners@cybsec.com>.
The original articles can be found at:
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Arbitrary_File_Read_or_Delete_in_SAP_BC.pdf
http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_Phishing_Vector_in_SAP_BC.pdf


