An interesting XXE in SAP.
Hello Folks!
Let me introduce myself to the community. I’m Zain Sabahat, a Security Researcher and Bug Bounty Hunter from Pakistan. Since I have learned a lot of stuff from reading write-ups I have decided to play my role in giving back to the community. I will be disclosing some of my best findings in a series of write-ups.
Today I will be disclosing about an XXE — XML External Entity vulnerability I discovered in SAP’s subdomain https://store.sap.com
During my recon, I came across a store subdomain. When I opened https://store.sap.com it redirected me to the https://store.sap.com/sap/cpa/ui/resources/store/html/StoreFront.html During the loading of that page, a set of GET and POST requests were passed. One of the POST request to “/sap/cpa/api/getSolutions” endpoint caught my attention.
I manipulated the POST data to :
<!DOCTYPE foo [<!ENTITY xxe SYSTEM “Zain Here”> ]><SolutionListRequest><Facets><FacetType><Code/><Value/></FacetType></Facets><ListingType>2</ListingType><CountryCode>US</CountryCode><RetrieveAllDetailsIndicator>1</RetrieveAllDetailsIndicator><RetrieveFacetsIndicator/><RowCount>24&xxe;</RowCount><RowIndex>1</RowIndex><SearchText/><SolutionGroup/><SolutionTypeIndicator/><CategoryID/><RecommenderPageIndicator/><ResellerID/><ShoppingCartID/><CompanyID/><EndCustomerAddressID/><UserRoleCode/></SolutionListRequest>
in order to check if it was vulnerable to XXE or not.
When I saw my name printed out in response I got very happy and decided to exploit it further. I crafted the POST request in order to print out the contents of “/etc/passwd/” file.
Timeline:
Jun 26, 2017 — Reported to SAP.
Jul 17, 2017 — Triaged.
Feb 13, 2018 — Fixed.
April 10, 2018 — Added to Hall Of Fame.
It took them almost a year to fix because that bug was in their internal component which was hard to replace.
Thanks for reading! Stay tuned for more write-ups!