SAP NetWeaver SOAP RFC SXPG_CALL_SYSTEM Command Execution

Added: 06/03/2013
OSVDB: 93537

Background

SAP NetWeaver is a technology platform for building and integrating SAP business applications. Remote Function Call (RFC) is the standard SAP interface for communication between SAP systems. Transaction SM69 is used to create and maintain external operating system commands.

Problem

SAP NetWeaver 7.02 and earlier contains a flaw in the SAP SOAP RFC service SXPG_CALL_SYSTEM command when configured with transaction SM69. This may allow a remote authenticated attacker to manipulate certain parameters related to the command and execute other, arbitrary commands.

Resolution

Obtain an update at the SAP Customer Portal (login required).

References

http://www.osvdb.org/show/osvdb/93537

Limitations

This exploit has been tested against SAP NetWeaver 7.02 SP06 on Windows Server 2003 SP2 English (DEP OptOut), Windows Server 2008 SP2 (DEP OptOut), and SUSE Linux Enterprise Server 11 (x86_64) SP1.

Valid credentials (user name and password) to the application's web interface (with privileges to use the SAP SOAP RFC) and a valid client ID must be provided to the exploit script.

The Perl module MIME::Base64 is required to run the exploit.

Wget utility tool must be installed on the target on Linux.

IPv6 is only fully supported for the exploit on Windows targets.

Platforms

Windows
Linux

Back to exploit index