SAP NetWeaver SOAP RFC SXPG_CALL_SYSTEM Command Execution
Added: 06/03/2013OSVDB: 93537
Background
SAP NetWeaver is a technology platform for building and integrating SAP business applications. Remote Function Call (RFC) is the standard SAP interface for communication between SAP systems. Transaction SM69 is used to create and maintain external operating system commands.Problem
SAP NetWeaver 7.02 and earlier contains a flaw in the SAP SOAP RFC service SXPG_CALL_SYSTEM command when configured with transaction SM69. This may allow a remote authenticated attacker to manipulate certain parameters related to the command and execute other, arbitrary commands.Resolution
Obtain an update at the SAP Customer Portal (login required).References
http://www.osvdb.org/show/osvdb/93537Limitations
This exploit has been tested against SAP NetWeaver 7.02 SP06 on Windows Server 2003 SP2 English (DEP OptOut), Windows Server 2008 SP2 (DEP OptOut), and SUSE Linux Enterprise Server 11 (x86_64) SP1.Valid credentials (user name and password) to the application's web interface (with privileges to use the SAP SOAP RFC) and a valid client ID must be provided to the exploit script.
The Perl module MIME::Base64 is required to run the exploit.
Wget utility tool must be installed on the target on Linux.
IPv6 is only fully supported for the exploit on Windows targets.
Platforms
WindowsLinux
Back to exploit index