[Full-disclosure] CYBSEC - Security Pre-Advisory: Arbitrary File Read/Delete in SAP BC
lmeiners at cybsec.com
Wed Feb 15 13:31:06 GMT 2006
(The following advisory is also available in PDF format for download at:
Pre-Advisory Name: Arbitrary File Read/Delete in SAP BC (Business
Vulnerability Class: Improper Input Validation
Release Date: 02/15/2006
* SAP BC 4.6
* SAP BC 4.7
Affected Platforms: Platform-Independent
Local / Remote: Remote
Author: Leandro Meiners.
Vendor Status: Confirmed, patch released.
Reference to Vulnerability Disclosure Policy:
SAP Business Connector (SAP BC) is a middleware application based on the
webMethods B2B Integration Server. It enables communication between SAP
systems (such as SAP R/3) and non-SAP applications by making all SAP
functions accessible to business partners over the Internet as an
The SAP Business Connector uses the Internet as a communication platform
and XML or HTML as the data format. It integrates non-SAP products by
using an open, non-proprietary technology.
SAP BC was found to allow any file to be read or deleted on the file
system to which the user account under which SAP BC runs has access. The
vulnerability is present in the Monitoring functionality of the SAP
Technical details will be released three months after publication of
this pre-advisory. This was agreed upon with SAP to allow its customers
to upgrade affected software prior to the technical knowledge being
By default the Business Connector runs as a privileged user
(Administrator on Windows, root on *NIX platforms), so through this flaw
ANY file on the file system can be read or deleted.
According to the SAP Business Connector Security Best Practices, the
following strategies are recommended for running the SAP BC in *NIX
1. Running as non root user, using a high port.
2. Running as non root user, using a high port and port remapping to
"see" the SAP BC in a restricted port.
3. Running the JVM setuid root.
4. Running SAP BC as root
If strategy (1) or (2) was chosen, the scope of the vulnerability was
limited to reading or deleting the files that the BC's own user account
could access. However, if (3) or (4) had been chosen, ANY file on the
file system could be read or deleted through the BC. Moreover, (3) by
itself allowed any local user of the operating system to obtain root,
independently of this vulnerability: a setuid-root Java Virtual Machine
runs whatever Java program it is handed with root privileges.
The SAP Business Connector Security Best Practices has been corrected to
recommend running the BC as a non-root user and using a high-numbered
port or, if supported by the Operating System, giving the user
privileges to open a specific port below 1024 to be used by the BC.
SAP released a patch regarding this issue, for versions 4.6 and 4.7 of
SAP BC. Details can be found in SAP note 906401.
* 12/06/2005: Initial Vendor Contact.
* 12/07/2005: Technical details for the vulnerabilities sent to vendor.
* 01/20/2006: Solution provided by vendor.
* 02/15/2006: Coordinate release of pre-advisory without technical
* 05/15/2006: Coordinate release of advisory with technical details.
For more information regarding the vulnerability feel free to contact
the author at lmeiners<at>cybsec.com. Please bear in mind that technical
details will be disclosed three months after the release of this
pre-advisory, so such questions won't be answered until then.
For more information regarding CYBSEC: www.cybsec.com
CYBSEC S.A. Security Systems
E-mail: lmeiners at cybsec.com
Tel/Fax: [54-11] 4382-1600