[ESNC-2013-004] Remote ABAP Code Injection in OpenText/IXOS ECM for SAP NetWeaver

[ESNC-2013-004] Remote ABAP Code Injection in OpenText/IXOS ECM for
SAP NetWeaver

Please refer to http://www.esnc.de for the original security advisory,
updates and additional information.

1. Business Impact

This vulnerability allows injection of ABAP code to the remote SAP
system. In SAP security, this is the equivalent of getting an
ultra-reliable ring 0 exploit which works through the network and
never crashes.

By exploiting this vulnerability an attacker can e.g. inject code
which saves the passwords of all connecting SAP GUI users in a remote
file, steal or change sensitive data such as HR salary information,
execute bank transactions and transfer money, or simply plant an SAP
backdoor for accessing the system later. The attacker can also
manipulate or corrupt ABAP programs shipped by SAP and make the system
inoperable.

Risk Level: High

2. Advisory Information

– ESNC Security Advisory ID: ESNC-2013-004
– CVE ID: CVE-2013-3243
– Original security advisory:
http://www.esnc.de/sap-security-audit-and-scan-services/security-advisories/57-esnc-2013-004-remote-abap-code-injection-in-opentext-ixos-ecm-suite-for-sap-netweaver
– Reporting Date: 15.09.2012
– Vendor Patch Date: 16.11.2012
– Public Advisory Date: 24.04.2013
– Researcher: Ertunga Arsal

3. Vulnerability Information

– Vendor: OpenText/IXOS
– Affected Components: ECM Suite - Doculink
– Affected Versions: Please consult the vendor
– Vulnerability Class: Remote ABAP Injection
– CVSS v2 score: 8.5 (AV:N/AC:M/AU:S/C:C/I:C/A:C)
– Remotely Exploitable: Yes
– Authentication Required: Yes
– Additional Notes: Since we have seen this component at every
customer we visited to date, we believe this security issue affects
many enterprises running SAP. An exploit for this vulnerability is
available in ESNC Penetration Testing Suite.

4. Vulnerability Timeline

15.09.2012 Informing the vendor about the discovery of a critical
security issue and asking for a contact person to discuss the matter.
24.09.2012 Second attempt. This time to product support. A message
came confirming a ticket is opened and they will respond within 4
hours.
06.10.2012 Still no response. We summon a major enterprise customer of
ours, which is also a customer of OpenText, for escalation.
25.10.2012 Key account manager from OpenText calls the customer and
mentions they are still in clarification about the topic.
04.11.2012 Day 50. Humans still haven't noticed they did not ask any
details about the vulnerability yet.
07.11.2012 OpenText asks information about the vulnerability.
16.11.2012 OpenText releases a correction. Correction basicly tells to
change the type of the vulnerable function from remote to local
04.12.2012 Telco about why this is a bad idea.
06.12.2012 OpenText informs us that they are implementing additonal measures.
18.01.2013 OpenText informs us that they want to close the ticket.

5. Solution

The vendor's fix can be found in
http://mimage.opentext.com/support/ecm/secure/patches/oneoffs/eccn-1351/llsaps-3271.zip.
Please consult the vendor for more accurate information and necessary
steps.

To prevent this and similar flaws, customers can use ESNC Code
Security for scanning their own ABAP code or for assessing the
security of external add-ons installed on their SAP systems.

About ESNC

ESNC GmbH, Germany is specialized in SAP security audit, SAP
penetration testing, ABAP security review and SAP vulnerability
assessment services.

It's flagship product ESNC Security Suite is used by many large
enterprises for vulnerability scanning their SAP ABAP and Java AS
systems, running ABAP code security reviews, enforcing security
baselines and SAP security monitoring.

For more information about our products and services, please visit our
web page at http://www.esnc.de