[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

SAP Netweaver 7.40 SP 12 SCTC_TMS_MAINTAIN_ALOG Command Injection Vulnerability

Author
Pablo Artuso
Risk
[
Security Risk High
]
0day-ID
0day-ID-25344
Category
remote exploits
Date add
04-10-2016
CVE
CVE-2016-7435
Platform
windows
Onapsis Security Advisory ONAPSIS-2016-043: SAP OS Command Injection in SCTC_TMS_MAINTAIN_ALOG

1. Impact on Business
=====================
By exploiting this vulnerability an authenticated user will be able to take full control of the system.

Risk Level: Critical

2. Advisory Information
=======================
- Public Release Date: 09/22/2016
- Last Revised: 09/22/2016
- Security Advisory ID: ONAPSIS-2016-043
- Onapsis SVS ID: ONAPSIS-00256
- CVE: CVE-2016-7435
- Researcher: Pablo Artuso
- Vendor Provided CVSS v3: 9.0 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H)
- Onapsis CVSS v3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

3. Vulnerability Information
============================
- Vendor: SAP AG
- Affected Components: SAP Netweaver 7.40 SP 12
- Vulnerability Class: Improper Neutralization of Special Elements used in an OS Command (CWE-78)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: Yes
- Original Advisory: https://www.onapsis.com/research/security-advisories/sap-os-command-injection-sctctmsmaintainalog

4. Affected Components Description
==================================
SAP NetWeaver is the SAP technological integration platform, on top of which, enterprise and business solutions are developed and run.
In particular, SCTC is a subpackage of SAP_BASIS which holds technical configurations.

5. Vulnerability Details
========================
The SCTC_TMS_MAINTAIN_ALOG function doesn't correctly sanitize variables used when executing CALL 'SYSTEM' statement, allowing an attacker, with particular privileges, to execute any arbitrary OS command.

6. Solution
===========
Implement SAP Security Note 2260344.

7. Report Timeline
==================
- 11/26/2015: Onapsis provides vulnerability information to SAP AG.
- 11/27/2015: SAP AG confirms reception of vulnerability report.
- 01/12/2016: SAP reports fix is In Process.
- 03/08/2016: SAP releases SAP Security Note 2260344 fixing the vulnerability.
- 09/22/2016: Onapsis Releases Security Advisory.



#  0day.today [2024-12-24]  #