Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

SAP NetWeaver Visual Composer Missing Authorization Vulnerability Allowing Unauthenticated File Uploads

Vulnerability

A vulnerability exists in the SAP NetWeaver Visual Composer component, specifically in versions 7.1x and above, within the 'developmentserver' application. The issue arises from a missing authorization check in the Metadata Uploader, allowing unauthenticated users to upload potentially malicious executable files. This vulnerability could lead to a full system compromise, as the uploaded files can be executed on the host system.

Impact

Exploitation of this vulnerability allows for full remote command execution on the affected system. Threat actors can upload malicious files, such as webshells, which were observed during the initial exploitation phase. These webshells enable persistent access and command execution with the same privileges as the SAP application server user, potentially leading to further exploitation, such as deploying ransomware.

Reproduction

The vulnerability can be reproduced by sending HTTP requests to the '/developmentserver/metadatauploader' endpoint without authentication. This can be done using various HTTP methods, such as POST, HEAD, or GET. The requests must include the 'CONTENTTYPE' parameter set to 'MODEL' and the 'CLIENT' parameter set to '1'. The 'Content-Type' of the request should be 'application/octet-stream', and the body of the request must contain the file payload intended for upload.
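As an added defender-side example (not part of this advisory), the following scan flags web-server access-log entries that match the request shape described above. It assumes Common Log Format with the query string in the request line, so parameters carried only in a POST body will not be visible to it; the sample log lines and IPs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (hypothetical client IPs, Common Log Format).
SAMPLE_LOG = """\
203.0.113.10 - - [09/Jun/2025:19:46:01 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 512
203.0.113.11 - - [09/Jun/2025:19:46:05 +0000] "HEAD /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 0
198.51.100.7 - - [09/Jun/2025:19:47:12 +0000] "GET /irj/portal HTTP/1.1" 200 8042
198.51.100.8 - - [09/Jun/2025:19:48:30 +0000] "GET /developmentserver/metadatauploader?CONTENTTYPE=OTHER HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint named in the advisory; comparison is case-insensitive and ignores a trailing slash.
TARGET_PATH = "/developmentserver/metadatauploader"


def is_suspicious(target: str) -> bool:
    """True when the request targets the Metadata Uploader with CONTENTTYPE=MODEL and CLIENT=1.

    The HTTP method is deliberately not checked, since the advisory notes that
    POST, HEAD and GET are all usable.
    """
    parts = urlsplit(target)
    if parts.path.lower().rstrip("/") != TARGET_PATH:
        return False
    query = {k.upper(): [v.upper() for v in vals] for k, vals in parse_qs(parts.query).items()}
    return "MODEL" in query.get("CONTENTTYPE", []) and "1" in query.get("CLIENT", [])


def find_hits(log_text: str):
    """Return (client_ip, method, status) for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_suspicious(m["target"]):
            hits.append((m["ip"], m["method"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, method, status in find_hits(SAMPLE_LOG):
        print(f"{ip} {method} -> {status}")
```

A 200 response to such a request from an unauthenticated client is the strongest signal; a 403 on the same path usually indicates the workaround or patch is in effect.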

Remediation

SAP has released a patch for this vulnerability in 'SAP Security Note #3594142'. This patch should be applied to all affected systems. For systems that cannot be patched, SAP recommends using one of the workaround options detailed in 'SAP Note #3593336'.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 10.0
exploitability: 9.8
remediation: 7.7
relevance: 0.0
threat: 8.9
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.