A Python script that can be used to check if a SAP system is affected by CVE-2022-22536

Overview

Vulnerability assessment for CVE-2022-22536

This repository contains a Python script that can be used to check if a SAP system is affected by CVE-2022-22536, a critical vulnerability rated with CVSSv3 Score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). This vulnerability was discovered by the Onapsis Research Labs, which closely collaborated with SAP to develop and release a patch on February 8, 2022. Onapsis would like to thank the SAP Product Security Response Team (PSRT) for their collaboration and timely response. The two teams worked tirelessly to ensure that a timely fix was available to all SAP customers as soon as possible.

Considering the number of potential vulnerable internet-facing SAP systems and the sensitivity of the data and processes typically supported by these systems, Onapsis decided to develop and release this open-source tool as quickly as possible. The goal is to help the information security and administration teams at all SAP customers protect their mission-critical applications by enabling them to assess their exposure and evaluate whether their SAP are affected by this vulnerability. This tool can:

  • Perform a best-effort, black-box scan of your SAP application(s) to quickly assess if they may be vulnerable to CVE-2022-22536.

This tool cannot:

  • Guarantee with 100% accuracy whether your SAP applications are vulnerable or not.

There are, however, several known limitations of this tool and its usage should not be considered a guarantee that SAP applications are not affected by CVE-2022-22536. Several conditions can affect the state of the assessed applications, resulting in false positives and/or false negatives.

How to use this tool

Testing for SAP Systems affected by CVE-2022-22536

To test if your SAP ABAP or SAP JAVA systems are affected follow these steps:

  1. Clone this repository

  2. In the src you'll find a Python script called ICMAD_scanner.py.

  3. You can execute it running python ICMAD_scanner.py -H -P

  4. You can use python ICMAD_scanner.py -h to check for other options. The script supports systems using HTTP(s).

Scenarios supported

This tool has been tested in the following scenarios:

Direct testing against a SAP System

This tool provided realible results when used to test systems directly. This means with no HTTP(s) proxy device between the host executing the test and the target SAP system.

SAP WEB Dispatcher as Proxy

This tool provided reliable results when the SAP system under test was behind a SAP Web Dispatcher.

Other configurations / Proxies

This tool was not tested in any other environment or with any other proxy. Reliable results in any other scenario than the mentioned above are not guaranteed.

Additional Resources

For additional information about CVE-2022-22536 vulnerability, the potential business impact, the affected versions and other data points, please review the Threat Report and information available here: Onapsis and SAP Partner to Discover and Patch Critical ICMAD Vulnerabilities

The following SAP Notes provide additional information around patch and mitigations:

  • 3123396 - [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher
  • 3137885 - Workaround for security SAP note 3123396
  • 3138881 - wdisp/additional_conn_close workaround for security SAP note 3123396
You might also like...
Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket.

PrintNightmare Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket. Installtion $ pip3 install impacket

ProxyLogon(CVE-2021-26855+CVE-2021-27065) Exchange Server RCE(SSRF->GetWebShell)
ProxyLogon(CVE-2021-26855+CVE-2021-27065) Exchange Server RCE(SSRF-GetWebShell)

ProxyLogon For Python3 ProxyLogon(CVE-2021-26855+CVE-2021-27065) Exchange Server RCE(SSRF-GetWebShell) usage: python ProxyLogon.py --host=exchang

聚合Github上已有的Poc或者Exp,CVE信息来自CVE官网。Auto Collect Poc Or CVE from Github by CVE ID.

PocOrExp in Github 聚合Github上已有的Poc或者Exp,CVE信息来自CVE官网 注意:只通过通用的CVE号聚合,因此对于MS17-010等Windows编号漏洞以及著名的有绰号的漏洞,还是自己检索一下比较好 Usage python3 exp.py -h usage: ex

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user Known issues it will not work outside kali , i will update it

Exploiting CVE-2021-42278 and CVE-2021-42287

noPac Exploiting CVE-2021-42278 and CVE-2021-42287 原项目noPac在实现上可能有点问题,导致在本地没有打通,于是参考sam-the-admin项目进行修改。 使用 pip3 install -r requirements.txt # GetShel

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

About Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user Changed from sam-the-admin. Usage SAM THE ADMIN CVE-202

Details,PoC and patches for CVE-2021-45383 & CVE-2021-45384

CVE-2021-45383 & CVE-2021-45384 There are several network-layer vulnerabilities in the official server of Minecraft: Bedrock Edition (aka Bedrock Serv

Proof of concept to check if hosts are vulnerable to CVE-2021-41773

CVE-2021-41773 PoC Proof of concept to check if hosts are vulnerable to CVE-2021-41773. Description (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CV

Mass Check Vulnerable Log4j CVE-2021-44228
Mass Check Vulnerable Log4j CVE-2021-44228

Log4j-CVE-2021-44228 Mass Check Vulnerable Log4j CVE-2021-44228 Introduction Actually I just checked via Vulnerable Application from https://github.co

Comments
  • remove non-required post from the Host HTTP-header

    remove non-required post from the Host HTTP-header

    In the HTTP-header Host ports are not required, even if you use HTTPS/TLS.

    A Host header field must be sent in all HTTP/1.1 request messages. A 400 (Bad Request) status code may be sent to any HTTP/1.1 request message that lacks or contains more than one Host header field. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host

    HTTP gateways/reverse proxies which evaluate Host-Headers to choose the correct "route" may not forward you to the actual service which causes the PoC fail with an IndexError:

    DEBUG - Crafting socket
    DEBUG - Setting SSL context with verify mode False
    /home/user/tools/onapsis_icmad_scanner/src/./ICMAD_scanner.py:37: DeprecationWarning: ssl.SSLContext() without protocol argument is deprecated.
    context = ssl.SSLContext()
    /home/user/tools/onapsis_icmad_scanner/src/./ICMAD_scanner.py:37: DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
    context = ssl.SSLContext()
    DEBUG - Wraping socket with SSL
    DEBUG - Connection established my-host:443
    DEBUG - Validating resource /sap/admin/public/default.html?aaa
    DEBUG - Payload sent
    Traceback (most recent call last):
    File "/home/user/tools/onapsis_icmad_scanner/src/./ICMAD_scanner.py", line 220, in <module>
    main()
    File "/home/user/tools/onapsis_icmad_scanner/src/./ICMAD_scanner.py", line 196, in main
    resource = _validate_resource_and_cache(args.host, args.port,
    File "/home/user/tools/onapsis_icmad_scanner/src/./ICMAD_scanner.py", line 129, in _validate_resource_and_cache
    resp['responses'][0]['status_code'])
    IndexError: list index out of range
    

    Could you consider to remove the port in line 118 if it isn't critical for the PoC to actually trigger the vulnerability?

    opened by xeaon 0
Owner
Onapsis Inc.
Onapsis open source projects
Onapsis Inc.
PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager)

PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager) This script allows to check and exploit missing authentication checks in

chipik 82 Nov 9, 2022
A script to search, scrape and scan for Apache Log4j CVE-2021-44228 affected files using Google dorks

Log4j dork scanner This is an auto script to search, scrape and scan for Apache Log4j CVE-2021-44228 affected files using Google dorks. Installation:

Jagar 5 Dec 27, 2022
ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065)

ExProlog ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065) Usage: exprolog.py [OPTIONS] ExProlog -

Herwono W. Wijaya 130 Dec 15, 2022
Scan all java processes on your host to check weather it's affected by log4j2 remote code execution

Log4j2 Vulnerability Local Scanner (CVE-2021-45046) Log4j 漏洞本地检测脚本,扫描主机上所有java进程,检测是否引入了有漏洞的log4j-core jar包,是否可能遭到远程代码执行攻击(CVE-2021-45046)。上传扫描报告到指定的服

null 86 Dec 9, 2022
CVE-2022-21907 - Windows HTTP协议栈远程代码执行漏洞 CVE-2022-21907

CVE-2022-21907 Description POC for CVE-2022-21907: Windows HTTP协议栈远程代码执行漏洞 creat

antx 365 Nov 30, 2022
Cve-2022-23131 - Cve-2022-23131 zabbix-saml-bypass-exp

cve-2022-23131 cve-2022-23131 zabbix-saml-bypass-exp replace [zbx_signed_session

东方有鱼名为咸 135 Dec 14, 2022
Exploit and Check Script for CVE 2022-1388

F5-CVE-2022-1388-Exploit Exploit and Check Script for CVE 2022-1388 Usage Check against single host python3 CVE-2022-1388.py -v true -u target_url At

Andy Gill 52 Dec 22, 2022
DNSpooq - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685)

dnspooq DNSpooq PoC - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685) For educational purposes only Requirements Docker compo

Teppei Fukuda 80 Nov 28, 2022
CVE-2022-22965 - CVE-2010-1622 redux

CVE-2022-22965 - vulnerable app and PoC Trial & error $ docker rm -f rce; docker build -t rce:latest . && docker run -d -p 8080:8080 --name rce rce:la

Duarte Duarte 20 Aug 25, 2022
This repository detects a system vulnerable to CVE-2022-21907 and protects against this vulnerability if desired

This repository detects a system vulnerable to CVE-2022-21907 and protects against this vulnerability if desired

null 26 Dec 26, 2022