On July 13, 2020, SAP software released a patch impacting the SAP NetWeaver Application Server Java versions 7.5 and earlier. The vulnerability dubbed RECON (Remotely Exploitable Code on NetWeaver) Specifically targets SAP NetWeaver Java while Advanced Business Application Programming (ABAP) stack systems remain unaffected. This vulnerability is operating system (OS) and database independent, meaning regardless of which version of SAP database (SYBASE, HANA, etc) or OS (SUSE, AIX, etc) is being used, this component will still be vulnerable.
Because most organizations don’t include software such as SAP within their vulnerability and patch management programs, businesses should manually validate that these services are, indeed, patched. Depending on an organization’s network segmentation controls, further lateral movement from the compromised system may be possible.
There are two vulnerabilities associated with RECON, CVE-2020-6286 and CVE-2020-6287. The first public POC that can be downloaded from Dimitry Chastuhin, the same author who published the popular 10K Blaze SAP exploit:
https://github.com/chipik/SAP_RECON
This exploit has recently been improved upon and currently waiting to be merged into Metasploit. This version can successfully add an administrative user:
https://github.com/rapid7/metasploit-framework/pull/13895
To confirm this vulnerability is present on your SAP system follow the below steps:
1) In your web-browser visit the below URLS and note what error message you receive:
http://<sapurl>/CTCWebService/CTCWebServiceBean
http://<sapurl>/CTCWebService/CTCWebServiceBean?wsdl
2) If the first URL results in a 405 error message (see below) while the second URL results in a 200 HTTP response code (see below) indicating a successful request, the server is most likely vulnerable.
405 Error Message from /CTCWebService/CTCWebServiceBean
HTTP 200 Response from /CTCWebService/CTCWebServiceBean?wsdl
If both those conditions are true, the system is potentially vulnerable to RECON and we recommend patching immediately using the latest patches provided by SAP (see below):
https://launchpad.support.sap.com/#/notes/2939665
If for some reason patching is not possible, a workaround for this issue is to disable the below service:
• tc~lm~ctc~cul~startup_app
This service is generally not needed post-setup and disabling it does not require application downtime. Consider also blocking all aliases associated with the CTC web service from within the NetWeaver Administrator (NWA) portal (https://help.sap.com/viewer/d2632e256fb34b5a86749be3cd503e44/4.0.01.1/en-US/0c7ae43bad984883997c86e1f2efad00.html) as well as disabling the following APIs under Java HTTP Application Aliases:
• CTC/core
• CTCWebService
• ctcprotocol
The above steps would need to be taken on each node of the application server.
Check back to this blog for updates on potential impacts, proof of concept code, and threat intelligence related to SAP RECON.
RSM will discuss it as part of an upcoming red team village talk called ERPwnage at DEFCON 28 https://redteamvillage.io/day1.html
CVE-References:
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6286
https://launchpad.support.sap.com/#/notes/2939665
https://github.com/rapid7/metasploit-framework/pull/13895