Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

Advisory for SAP Security Note 3022622 – [CVE-2021-21480][PoC]

Application: SAP NetWeaver AS Java
Versions Affected: 15.1/15.4
Vendor URL: https://sap.com/
Bug: Remote Command Execution
Reversed: 21.09.2022
Discovered: N/A
Author: RedRays Team

Description

SAP Manufacturing Integration and Intelligence (MII) empowers users to create dashboards and save them as JSP (JavaServer Pages) through the Self Service Composition Environment (SSCE). An attacker can intercept a request to the server, inject malicious JSP code in the request, and forward it to the server. When this dashboard is opened by users with at least the SAP_XMII_Developer role, the malicious content in the dashboard gets executed, leading to remote code execution on the server, allowing privilege escalation. The malicious JSP code can contain certain OS commands, through which an attacker can read sensitive files on the server, modify files, or even delete contents on the server, thereby compromising the confidentiality, integrity, and availability of the server hosting the SAP MII application.

Proof of Concept (PoC) HTTP Request

Here is a PoC HTTP request that demonstrates the vulnerability:

				
					POST /XMII/Catalog HTTP/1.1
Host: %target_system%:50000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: MYSAPSSO2=%COOKIE%

content=SHELL_CODE_HERE&Mode=Save&ObjectName=./shell.jsp&JsCodeSeparation=false
				
			

Replace `%target_system%` with the appropriate target system and `%COOKIE%` with the necessary cookie value. Please exercise caution when using this PoC, as it is meant for informational purposes only and should not be used maliciously.

Solution

To mitigate this issue, the following steps should be taken:

  1. Saving a file as JSP through SSCE will not be allowed after the installation of this note.

  2. There is no workaround to the issue reported. SSCE by default is designed to support JSP creation. Customers should provide access to SSCE only to authorized users. All JSP content should be validated manually before moving it to production systems.

  3. If the correction is not applicable to the Support Package (SP) you are currently in, please upgrade to the next applicable SP.

CVSS

CVSS v3.0 Base Score: 9.1 / 10

CVSS v3.0 Base Vector:

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality Impact (C): High (H)
  • Integrity Impact (I): High (H)
  • Availability Impact (A): High (H)


Software Components

  • From: XMII 15.1
  • To: XMII 15.4
  • And subsequent

Support Package Patches

  • XMII 15.2 SP003
  • XMII 15.1 SP006
  • XMII 15.4 SP001
  • XMII 15.3 SP001

Explore More

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.