Directory traversal + log injection = I can see your privates
A pair of recently patched security vulnerabilities in SAP NetWeaver Application Server Java could have been combined to hack customer relationship management (CRM) systems.
When exploited together, the directory traversal and log injection flaws lead to information disclosure, privilege escalation and full SAP CRM system compromise. Both bugs were resolved by updates last month.
The security issues were rated 6.3 and 7.7 under the CVSS v3 Base Score, but chained together their impact is far more severe, according to enterprise application security specialists ERPScan, the consultancy that uncovered the vulnerabilities.
The results of a scan by the firm released yesterday suggest that more than 500 SAP CRM systems were unpatched against the flaws and accessible via the internet.
The researchers shared details of the bugs, and of how they can be chained, with SAP before the patches were developed. The attack chain runs as follows:
- The attacker uses the first directory traversal vulnerability to read encrypted administrator credentials from a system configuration file
- They decrypt the password and log into the SAP CRM portal
- They then use a second directory traversal vulnerability to change the SAP log file path so that the log is written under the web application root
- Finally, using a specially crafted request, they inject malicious code into that log file and invoke it anonymously from a remote web server, since the log now sits in a location the application server will serve
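The chain above turns on two bug classes, a path check that can be escaped and a log that accepts attacker-controlled text, and on the log path being allowed to land inside the web root. The example below is added here and is not ERPScan's or SAP's code: it shows the naive check that traversal gets past, a canonicalisation-based containment check that rejects it, a log-path setter that keeps the log out of the web root, a log-field sanitiser, and a small detector that flags traversal attempts in access-log lines. The directory layout, parameter names and the access-log lines are constructed for illustration and say nothing about SAP's real paths or parameters.

```python
"""Added example (not ERPScan's or SAP's code). Paths, parameters and the
sample access-log lines are hypothetical, constructed for this illustration."""
import posixpath
import re
from urllib.parse import unquote

# Hypothetical layout: logs deliberately live outside the web root.
WEB_ROOT = "/srv/app/webroot"
LOG_DIR = "/srv/app/logs"


def naive_check(base, user_path):
    """The kind of check traversal bugs get past: a substring test on the raw,
    still percent-encoded parameter. Returns the path the server would later
    decode and open, or None if the check 'catches' it."""
    if ".." in user_path:
        return None
    return base + "/" + user_path


def canonical(base, user_path):
    """Decode (twice, to catch double encoding), canonicalise user_path
    against base and return the absolute path only if it stays inside base.
    commonpath, not startswith, so /srv/app/logs2 is not mistaken for
    something under /srv/app/logs."""
    decoded = unquote(unquote(user_path)).replace("\\", "/")
    if "\x00" in decoded:            # embedded NUL: reject outright
        return None
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, decoded))
    if posixpath.commonpath([base_norm, candidate]) != base_norm:
        return None
    return candidate


def set_log_path(requested):
    """Step 3 of the chain: a user-supplied log path must resolve inside
    LOG_DIR. The extra web-root test is defence in depth for a deployment
    that has (mis)configured LOG_DIR somewhere under WEB_ROOT."""
    path = canonical(LOG_DIR, requested)
    if path is None:
        return None
    if posixpath.commonpath([posixpath.normpath(WEB_ROOT), path]) == WEB_ROOT:
        return None
    return path


_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_log_field(value):
    """Step 4 of the chain: attacker text reaches the log. Escape CR, LF and
    other control characters so an entry cannot forge new records, and cap
    the length. This does not make the log safe to serve; keeping it out of
    the web root (set_log_path) is what stops the payload executing."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)[:1024]


# Detection: traversal sequence anywhere in the decoded request target.
_TRAVERSAL = re.compile(r"\.\.[/\\]")
_REQUEST = re.compile(r'"(?:GET|POST) (\S+)')


def flag_traversal_requests(access_log_lines):
    """Return the access-log lines whose decoded request target (path and
    query string, decoded twice) contains a '../' or '..\\' sequence."""
    hits = []
    for line in access_log_lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        if _TRAVERSAL.search(unquote(unquote(m.group(1)))):
            hits.append(line)
    return hits


# Constructed sample lines; the endpoints and parameters are invented.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jul/2017:10:00:00 +0000] "GET /portal/index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jul/2017:10:00:01 +0000] "GET /portal/read?file=%2e%2e/%2e%2e/config/admin.properties HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jul/2017:10:00:02 +0000] "POST /portal/settings?logpath=..%252f..%252fwebroot%252fshell.jsp HTTP/1.1" 200 10',
    '10.0.0.7 - - [01/Jul/2017:10:00:03 +0000] "GET /portal/docs/readme..old HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    print("naive check passes:", naive_check(LOG_DIR, "%2e%2e/%2e%2e/webroot/x.jsp"))
    print("canonical rejects:", canonical(LOG_DIR, "%2e%2e/%2e%2e/webroot/x.jsp"))
    print("log path:", set_log_path("app/trace.log"), set_log_path("../../webroot/x.jsp"))
    print("sanitised:", sanitize_log_field("user\r\n<% evil %>"))
    for hit in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print("traversal attempt:", hit)
```

The detector decodes twice on purpose: the third sample line is double-encoded (`%252f`), which a single decode leaves as `%2f` and a substring test for `../` then misses. The same double decode sits in `canonical`, which is why the encoded payload that slips past `naive_check` is rejected there.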
ERPScan’s researchers found a bug in SAP NetWeaver AS Java as far back as February 2016 but SAP was initially unable to replicate the problem. It was then wrongly classified as a duplicate of a previously reported issue, delaying the German software maker’s normally efficient remediation process.
In response to queries from El Reg, SAP confirmed that it had patched both issues last month and urged customers to apply its updates, if they hadn’t done so already. It thanked the ERPScan team for flagging up the faults.