Open Redirect in SAP® BSP Test Application it00 (Bypass for CVE-2020-6215 Patch)
Title
Open Redirect in BSP Test Application it00 (Bypass for CVE-2020-6215 Patch)
Product
SAP® Application Server ABAP and ABAP® Platform (SAP_BASIS)
Vulnerable Version
see section "Vulnerable / tested versions"
Fixed Version
see SAP security note 3258950
CVE Number
CVE-2020-6215
Impact
medium
Homepage
https://www.sap.comFound
23.09.2022
By
Fabian Hagg (Office Vienna) | SEC Consult Vulnerability Lab
Vendor description
"SAP is one of the world’s leading producers of software for the management of business processes."
https://www.sap.com/about/what-is-sap.html
Business recommendation
By exploiting the vulnerability documented in this advisory, attackers can redirect users to arbitrary sites. Targeted users of such an attack may be victims of successful phishing attempts jeopardizing the confidentiality of logon information or other data.
SEC Consult recommends to implement the security note 3258950, where the documented issue is fixed according to the vendor. We advise installing the correction as a matter of priority to keep business-critical data secure.
Vulnerability overview/description
1) Open Redirect Vulnerability (Patch bypass of CVE-2020-6215)
The sample Business Server Pages (BSP) application it00 suffers from an open redirect vulnerability that is referred to by CVE-2020-6215. A patch for this issue was made available via SAP® Security Note 2872782.
During analysis, it was identified that the patch is insufficient and can be bypassed.
Proof of concept
1) Open Redirect Vulnerability (Patch bypass of CVE-2020-6215)
The following source code excerpt of event handler OnInputProcessing() of BSP subpage transition_navigation.htm shows that by the implementation of SAP Security Note 2872782, an additional check was introduced that validates the HTTP request parameter ‘applicationUrl’ against pseudo-headers ~server_name, respectively ~server_name_expanded. Thus, to verify that the provided URL complies with these values to only allow redirects to the local server, the IF condition checks if the specified ‘applicationUrl’ parameter contains the host name of the local server. Only if this check is evaluated successfully, the browser of the calling user gets redirected to the intended page.
[...]
when 'call'.
data: url1 type string,
url2 type string,
host_name type string.
host_name = request->get_header_field( '~server_name' ).
if host_name is initial.
host_name = request->get_header_field( '~server_name_expanded' ).
endif.
url = request->get_form_field( 'applicationUrl' ).
if url cs host_name.
split url at '?' into url1 url2.
url2 = cl_abap_dyn_prg=>escape_xss_url( url2 ).
concatenate url1 '?' url2 into url.
navigation->call_application( url = url ).
endif.
* negative test cases
when 'error_no_such_exit'.
navigation->next_page( 'NAVFAIL' ).
endcase.It was observed that this check can be bypassed, for example, by crafting special HTTP requests that contain the host name of the target application server (the PoC uses the <app server hostname> placeholder) within the query string part of the URL provided via parameter ‘applicationUrl’. To validate this issue, the following URL can be browsed to in order to trigger the vulnerability and circumvent the implemented patch.
http[s]://<app server hostname>:<ICM port>/sap/bc/bsp/sap/it00/transition_
navigation.htm?ApplicationURL=http://127.0.0.1:8080/?<app server hostname>
&onInputProcessing%28call%29=Start+ApplicationFor demonstration purposes, after a successful login, the browser is redirected by the application server to localhost on port 8080 (any other host/port pair could by specified by the attacker).
The server replies with a "302 Found" message redirecting the browser to the localhost address defined in the response Location header field:
HTTP/2 302 Found
Content-Type: text/html
Content-Length: 0
Location: http:// 127.0.0.1:8080/?<app server hostname>&sap-params=[...]An attacker can create a URL which would redirect the victim to a malicious site, for example, a phishing site convincing the victim to login once again.
Vulnerable / tested versions
The following version has been tested and found to be vulnerable:
- SAP_BASIS release 755, SP level 01
According to the vendor the following releases and versions are affected by the discovered vulnerability:
- SAP_BASIS 700-702
- SAP_BASIS 731
- SAP_BASIS 740
- SAP_BASIS 750-757
Vendor contact timeline
| 2022-10-03 | Contacting vendor through vulnerability submission web form. |
| 2022-10-04 | Vendor confirms receipt and assigns internal ID #2270141902. |
| 2022-10-19 | Vendor confirms vulnerability and proposes new CVSS score of 5.4 (NLNR / U / LLN). |
| 2022-10-24 | Asking vendor why new CVSS rating differs from initial vulnerability rating. No response. |
| 2022-11-24 | Asking vendor for update. |
| 2022-11-30 | Vendor states that the patch is about to be released with the upcoming Patch Tuesday December 2022. |
| 2022-12-13 | Vendor releases patch with SAP® Security Note 3258950. |
| 2023-10-05 | Release of security advisory. |
Solution
The vendor provides a patched version which should be installed immediately. Patches are available in form of SAP® Security Notes which can be accessed via the SAP® Customer Launchpad [4]. More information can also be found in the Official SAP® Security Patchday Blog [5].
The following Security Note needs to be implemented: 3258950
Workaround
Disable BSP test application it00 in the ICF service tree in transaction SICF.
Advisory URL
https://sec-consult.com/vulnerability-lab/
EOF Fabian Hagg / @2023
Interested to work with the experts of SEC Consult? Send us your application
Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices