SAP NetWeaver SOAP RFC SXPG_COMMAND_EXECUTE Command Execution

Added: 07/03/2013
BID: 55084
OSVDB: 93536

Background

SAP NetWeaver is a technology platform for building and integrating SAP business applications. Remote Function Call (RFC) is the standard SAP interface for communication between SAP systems. Transaction SM69 is used to create and maintain external operating system commands.

Problem

A vulnerability in the SXPG_COMMAND_EXECUTE Remote Function Call allows a remote, authenticated attacker to execute arbitrary commands by sending a command that is configured with transaction SM69 containing specially crafted arguments.

Resolution

Obtain an update at the SAP Customer Portal (login required).

References

http://osvdb.org/93536

Limitations

Exploit works on SAP NetWeaver 7.02 SP06 on Windows Server 2003 SP2 (DEP OptOut), Windows Server 2008 SP2 (DEP OptOut), and SUSE Linux Enterprise Server 11 (x86_64) SP1 and requires a valid user's credentials to the application's web interface.

A valid client ID must be specified.

The Perl module 'MIME::Base64' is required to run the exploit.

The wget utility must be installed on Linux targets.

IPv6 is only supported for Windows targets.

Platforms

Windows
Linux

Back to exploit index