SAP NetWeaver Command Injection

August 24, 2012

SAP NetWeaver is an application framework which forms the base for SAP's Business Suite. It includes a development and runtime environment for SAP and custom applications. NetWeaver uses the ABAP programming language, which was designed specifically for business application programming, along with industry standards that allow it to be integrated with technologies such as .NET and Java EE. NetWeaver contains several services and processes to handle incoming network requests. One such service is the remote management Simple Object Access Protocol (SOAP) interface. This interface lets administrators manage the system remotely from any computer with a web browser and Java support.

A command execution vulnerability exists in SAP NetWeaver. The vulnerability is due to insufficient validation of SOAP requests. When the vulnerable service receives a SOAP request from the user, it uses command-line tools in the background to process the request. Specifically, the contents of each mValue tag whose paired mKey tag has the value "Database/Type", "Database/Password", "Database/Username" or "Database/Name" are used to build arguments for the shell command sapdbctrl.exe. The command line is generated in the following format:

 "C:\Program Files\SAP\hostctrl\exe\sapdbctrl.exe" status "Database/Name" -P -T 1 -t "Database/Type" -p -u "Database/Username"

The vulnerable code encloses the parameters in quotes if they contain spaces and passes them to sapdbctrl.exe without validation. The binary also creates a set of command line parameters which it uses in a call to another shell command. This makes it possible to indirectly pass arguments to the other, more privileged, binary. The program also allows users to execute arbitrary system commands by prefixing the command with an exclamation mark. For example, to execute the calculator application on the target host, the command '!calc.exe' can be injected.

By crafting a malicious request to create a script file containing commands to execute, followed by a malicious request to execute the script file, remote unauthenticated attackers can exploit this vulnerability to execute arbitrary commands on the target system. The executed commands will run with Administrative privileges.
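A defensive check for the pattern described above, as an added example (it is not SonicWall's signature or SAP's code): it parses a SOAP body, pairs each mKey with its mValue, and flags values for the four Database/* keys that would be unsafe to place on a command line. The wrapper element names, the allowlist pattern and the sample request are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# The four mKey values the advisory says feed the sapdbctrl.exe command line.
WATCHED = {"Database/Type", "Database/Password",
           "Database/Username", "Database/Name"}
# Assumed allowlist for the non-password values; tune it per deployment.
SAFE = re.compile(r"[A-Za-z0-9_.]{0,64}")

def reasons(key, value):
    """List why a value is unsafe to place on a command line (empty = fine)."""
    out = []
    if value.startswith("!"):
        out.append("leading '!'")     # prefix the advisory says runs a command
    if value.startswith("-"):
        out.append("leading '-'")     # would be read as an option, not a value
    if '"' in value:
        out.append("embedded quote")  # breaks out of the added quoting
    if key != "Database/Password" and not SAFE.fullmatch(value):
        out.append("outside allowlist")
    return out

def audit_soap(body):
    """Return [(mKey, mValue, reasons)] for every watched pair that fails."""
    if "<!DOCTYPE" in body:           # SOAP messages must not carry a DTD
        return [("", "", ["DTD present"])]
    findings = []
    for parent in ET.fromstring(body).iter():
        # Assumption: an mKey and its mValue are children of one element.
        pair = {c.tag.rsplit("}", 1)[-1]: c.text or "" for c in parent}
        key, value = pair.get("mKey"), pair.get("mValue")
        if key in WATCHED and value is not None:
            why = reasons(key, value)
            if why:
                findings.append((key, value, why))
    return findings

# Constructed request: "Request" and "item" are hypothetical wrapper names.
SAMPLE = """<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"><Body>
<Request>
 <item><mKey>Database/Type</mKey><mValue>exampledb</mValue></item>
 <item><mKey>Database/Name</mKey><mValue>!calc.exe</mValue></item>
 <item><mKey>Database/Username</mKey><mValue>-x y</mValue></item>
</Request></Body></Envelope>"""

if __name__ == "__main__":
    for key, value, why in audit_soap(SAMPLE):
        print(f"{key}={value!r}: {', '.join(why)}")
```

The password value is exempt from the allowlist because legitimate passwords contain punctuation, but it is still checked for a leading "!" or "-" and for embedded quotes.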

Dell SonicWall has released an IPS signature that addresses attack permutations targeting this vulnerability. The following signature was released:

  • 8536 - SAP NetWeaver Remote Command Execution