## https://sploitus.com/exploit?id=75F44E16-D76D-596E-A23F-1F440DA58219
* CVE-2022-22536
SAP Memory Pipes (MPI) desynchronization vulnerability, CVE-2022-22536.
--------
** Description
    - PoC for CVE-2022-22536: SAP Memory Pipes (MPI) desynchronization vulnerability.
    - Created by antx on 2022-02-15.
--------
** Detail
    SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
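    Request smuggling and request concatenation both rely on a front end and a back end disagreeing about where one request's body ends. The following is an added defender-side example, not part of this PoC, of the Onapsis scanner, or of any SAP component: a strict HTTP/1.1 framing check of the kind a front-end proxy or WAF can apply before forwarding a request. It rejects the generic framing ambiguities behind that disagreement; it does not model the MPI-specific details of ICMAD, and the sample requests, the `/example` path and the `allow_pipelining` policy switch are constructed for the demonstration.

```python
"""Added defender-side example (not part of the CVE-2022-22536 PoC or of
any SAP component): a strict HTTP/1.1 request-framing check that flags
the generic ambiguities request smuggling and request concatenation rely
on.  The SAP Memory Pipes (MPI) specifics of ICMAD are not modelled."""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FramingVerdict:
    ok: bool
    reasons: List[str] = field(default_factory=list)
    declared_length: Optional[int] = None
    # Bytes after the declared body: a lenient parser on the same
    # connection would treat them as the start of the *next* request.
    trailing_bytes: int = 0


def check_request_framing(raw: bytes, allow_pipelining: bool = False) -> FramingVerdict:
    """Parse one buffered request and flag ambiguous body framing.

    allow_pipelining is a constructed policy switch: when False, any bytes
    following the declared body make the request fail the check."""
    idx = raw.find(b"\r\n\r\n")
    if idx < 0:
        return FramingVerdict(ok=False, reasons=["incomplete request head"])
    head, body = raw[:idx], raw[idx + 4:]
    header_lines = head.split(b"\r\n")[1:]  # drop the request line

    verdict = FramingVerdict(ok=True)
    content_lengths: List[bytes] = []
    transfer_encodings: List[bytes] = []
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep:
            verdict.ok = False
            verdict.reasons.append(f"malformed header line: {line!r}")
            continue
        key = name.strip().lower()
        if key == b"content-length":
            content_lengths.append(value.strip())
        elif key == b"transfer-encoding":
            transfer_encodings.append(value.strip().lower())

    # HTTP/1.1 (RFC 9112) treats a message carrying both headers as
    # ill-formed; different parsers pick different winners, so reject it.
    if content_lengths and transfer_encodings:
        verdict.ok = False
        verdict.reasons.append("both Content-Length and Transfer-Encoding present")
    if len(set(content_lengths)) > 1:
        verdict.ok = False
        verdict.reasons.append("conflicting Content-Length values")
    if transfer_encodings and transfer_encodings[-1] != b"chunked":
        verdict.ok = False
        verdict.reasons.append("Transfer-Encoding without final 'chunked' coding")

    if content_lengths:
        try:
            declared = int(content_lengths[0])
        except ValueError:
            declared = -1
        if declared < 0:
            verdict.ok = False
            verdict.reasons.append("invalid Content-Length value")
            return verdict
        verdict.declared_length = declared
        if len(body) < declared:
            verdict.ok = False
            verdict.reasons.append("body shorter than Content-Length")
        else:
            verdict.trailing_bytes = len(body) - declared
            if verdict.trailing_bytes and not allow_pipelining:
                verdict.ok = False
                verdict.reasons.append(
                    f"{verdict.trailing_bytes} byte(s) follow the declared body")
    elif not transfer_encodings and body:
        # Chunked bodies are accepted here without validating chunk sizes.
        verdict.ok = False
        verdict.reasons.append("body present without length framing")
    return verdict


# Constructed sample requests (not captured traffic).
CONSTRUCTED_SAMPLES = {
    "clean": b"POST /example HTTP/1.1\r\nHost: example.invalid\r\n"
             b"Content-Length: 5\r\n\r\nhello",
    "cl_and_te": b"POST /example HTTP/1.1\r\nHost: example.invalid\r\n"
                 b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "trailing": b"POST /example HTTP/1.1\r\nHost: example.invalid\r\n"
                b"Content-Length: 2\r\n\r\nhello",
}

if __name__ == "__main__":
    for label, sample in CONSTRUCTED_SAMPLES.items():
        v = check_request_framing(sample)
        print(f"{label:10s} ok={v.ok} trailing={v.trailing_bytes} reasons={v.reasons}")
```

    The `trailing` sample is the case the Detail paragraph describes from the victim's side: whatever follows the declared body on a kept-alive connection becomes the prefix of the next request, so a front end that is not deliberately pipelining should refuse it rather than forward it.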
--------
** CVE Severity
    - attackComplexity: LOW
    - attackVector: NETWORK
    - availabilityImpact: HIGH
    - confidentialityImpact: HIGH
    - integrityImpact: HIGH
    - privilegesRequired: NONE
    - scope: CHANGED
    - userInteraction: NONE
    - version: 3.1
    - baseScore: 10.0
    - baseSeverity: CRITICAL
--------
** Affect
    - SAP Web Dispatcher
        - 7.49
        - 7.53
        - 7.77
        - 7.81
        - 7.85
        - 7.22EXT
        - 7.86
        - 7.87
    - SAP NetWeaver and ABAP Platform
        - KERNEL 7.22
        - 8.04
        - 7.49
        - 7.53
        - 7.77
        - 7.81
        - 7.85
        - 7.86
        - 7.87
        - KRNL64UC 8.04
        - 7.22
        - 7.22EXT
        - 7.49
        - 7.53
        - KRNL64NUC 7.22
        - 7.22EXT
        - 7.49
    - SAP Content Server
        - 7.53
--------
** Scenarios supported
This tool has been tested in the following scenarios:
    - Direct testing against a SAP System
        This tool provided reliable results when used to test systems directly, i.e. with no HTTP(S) proxy device between the host executing the test and the target SAP system.
    - SAP WEB Dispatcher as Proxy
        This tool provided reliable results when the SAP system under test was behind a SAP Web Dispatcher.
    - Other configurations / Proxies
        This tool was not tested in any other environment or with any other proxy. Reliable results in any other scenario than the mentioned above are not guaranteed.
--------
** Proof of Concept
    - [[./CVE-2022-22536.py][Poc]]
--------
** Mitigations
    - SAP has published a [[https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022][patch]] for CVE-2022-22536.
--------
** Reference
    - Ref-Source
        - [[https://github.com/Onapsis/onapsis_icmad_scanner][MPI Scanner]]
    - Ref-Article
        - [[https://thecyphere.com/blog/icmad-sap-vulnerability/][ICMAD SAP Vulnerability (CVE-2022-22536) – Critical Risk]]
        - [[https://www.tenable.com/blog/cve-2022-22536-sap-patches-internet-communication-manager-advanced-desync-icmad][Communication Manager Advanced Desync (ICMAD) Vulnerabilities]]
    - Ref-Twitter
        - [[https://twitter.com/search?q=CVE-2022-22536][Twitter<CVE-2022-22536>]]
    - Ref-Risk
        - [[https://nvd.nist.gov/vuln/detail/CVE-2022-22536][NVD<CVE-2022-22536>]]
    - CVE
        - [[https://vulners.com/cve/CVE-2022-22536][CVE-2022-22536]]
    - Ref-Patch
        - [[https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022][SAP Security Patch Day - February 2022]]

* IMPORTANT
    This exploit is only intended to facilitate demonstrations of the vulnerability by researchers. I disapprove of illegal actions and take no responsibility for any malicious use of this script. The proof of concept demonstrated in this repository does not expose any hosts and was performed with permission.