CVE-2022-22536 - SAP memory pipes(MPI) desynchronization vulnerability CVE-2022-22536

Overview

CVE-2022-22536

SAP memory pipes desynchronization vulnerability(MPI) CVE-2022-22536.


Description

  • POC for CVE-2022-22536: SAP memory pipes(MPI) desynchronization vulnerability.
  • create by antx at 2022-02-15.

Detail

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim’s request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.


CVE Severity

  • attackComplexity: LOW
  • attackVector: NETWORK
  • availabilityImpact: HIGH
  • confidentialityImpact: HIGH
  • integrityImpact: HIGH
  • privilegesRequired: NONE
  • scope: CHANGED
  • userInteraction: NONE
  • version: 3.1
  • baseScore: 10.0
  • baseSeverity: CRITICAL

Affect

  • SAP Web Dispatcher
    • 7.49
    • 7.53
    • 7.77
    • 7.81
    • 7.85
    • 7.22EXT
    • 7.86
    • 7.87
  • SAP NetWeaver and ABAP Platform
    • KERNEL 7.22
    • 8.04
    • 7.49
    • 7.53
    • 7.77
    • 7.81
    • 7.85
    • 7.86
    • 7.87
    • KRNL64UC 8.04
    • 7.22
    • 7.22EXT
    • 7.49
    • 7.53
    • KRNL64NUC 7.22
    • 7.22EXT
    • 7.49
  • SAP Content Server
    • 7.53

Scenarios supported

This tool has been tested in the following scenarios:

  • Direct testing against a SAP System This tool provided realible results when used to test systems directly. This means with no HTTP(s) proxy device between the host executing the test and the target SAP system.
  • SAP WEB Dispatcher as Proxy This tool provided reliable results when the SAP system under test was behind a SAP Web Dispatcher.
  • Other configurations / Proxies This tool was not tested in any other environment or with any other proxy. Reliable results in any other scenario than the mentioned above are not guaranteed.

Proof of Concept


Mitigations

  • The official has published a patch for CVE-2022-22536.

Reference

IMPORTANT

This exploit is only intended to facilitate demonstrations of the vulnerability by researchers. I disapprove of illegal actions and take no responsibility for any malicious use of this script. The proof of concept demonstrated in this repository does not expose any hosts and was performed with permission.

You might also like...
CVE-2022-21907 - Windows HTTP协议栈远程代码执行漏洞 CVE-2022-21907

CVE-2022-21907 Description POC for CVE-2022-21907: Windows HTTP协议栈远程代码执行漏洞 creat

Cve-2022-23131 - Cve-2022-23131 zabbix-saml-bypass-exp
Cve-2022-23131 - Cve-2022-23131 zabbix-saml-bypass-exp

cve-2022-23131 cve-2022-23131 zabbix-saml-bypass-exp replace [zbx_signed_session

DNSpooq - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685)
DNSpooq - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685)

dnspooq DNSpooq PoC - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685) For educational purposes only Requirements Docker compo

the metasploit script(POC/EXP) about CVE-2021-22005 VMware vCenter Server contains an arbitrary file upload vulnerability
the metasploit script(POC/EXP) about CVE-2021-22005 VMware vCenter Server contains an arbitrary file upload vulnerability

CVE-2021-22005-metasploit the metasploit script(POC/EXP) about CVE-2021-22005 VMware vCenter Server contains an arbitrary file upload vulnerability pr

Exploit for CVE-2017-17562 vulnerability, that allows RCE on GoAhead ( v3.6.5) if the CGI is enabled and a CGI program is dynamically linked.

GoAhead RCE Exploit Exploit for CVE-2017-17562 vulnerability, that allows RCE on GoAhead ( v3.6.5) if the CGI is enabled and a CGI program is dynamic

 Simple Python 3 script to detect the
Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading

log4j-detect Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading The script

This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).
This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).

CVE-2021-43798 – Grafana Exploit About This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798

Simple Python 3 script to detect the
Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading

log4j-detect Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithreading The script

Providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account.
Providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account.

We are providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account. The script enables security teams to identify external-facing AWS assets by running the exploit on them, and thus be able to map them and quickly patch them

Comments
  •  An error has been caught in function 'dia', process 'MainProcess'

    An error has been caught in function 'dia', process 'MainProcess'

    Upon running the poc script I'm getting the following error

    2022-07-24 12:21:57.834 | DEBUG | main:craft_socket:41 - Crafting socket 2022-07-24 12:21:57.835 | ERROR | main:dia:152 - An error has been caught in function 'dia', process 'MainProcess' (1268529), thread 'MainThread' (140169305309184): Traceback (most recent call last):

    File "/root/Tools/CVE-2022-22536/CVE-2022-22536.py", line 172, in poc.dia(host, port, secure=False, cert_verify=False) │ │ │ └ 8000 │ │ └ 'https://target.sap.target.com' │ └ <function POC.dia at 0x7f7bb4ad4820> └ <main.POC object at 0x7f7bb4adc490>

    File "/root/Tools/CVE-2022-22536/CVE-2022-22536.py", line 152, in dia resource = self.validate_resource_and_cache(host, port, secure=secure, cert_verify=cert_verify) │ │ │ │ │ └ False │ │ │ │ └ False │ │ │ └ 8000 │ │ └ 'https://target.sap.target.com' │ └ <function POC.validate_resource_and_cache at 0x7f7bb4abfa30> └ <main.POC object at 0x7f7bb4adc490>

    File "/root/Tools/CVE-2022-22536/CVE-2022-22536.py", line 97, in validate_resource_and_cache s.connect((host, port)) │ │ │ └ 8000 │ │ └ 'https://target.sap.target.com' │ └ <method 'connect' of '_socket.socket' objects> └ <socket.socket fd=3, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('0.0.0.0', 0)>

    socket.gaierror: [Errno -2] Name or service not known 2022-07-24 12:21:57.841 | ERROR | main:dia:160 - No valid resource test found, is not possible to test

    opened by amykr777 0
  • Fixes the TypeError in self.send_payload call

    Fixes the TypeError in self.send_payload call

    The function has two parameters (socket and payload), but from the code four parameters are provided (host and port). TypeError: send_payload() takes from 2 to 3 positional arguments but 5 were given

    opened by Vest 0
Owner
antx
RCT(Reading, Coding and Trading)
antx
PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager)

PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager) This script allows to check and exploit missing authentication checks in

chipik 82 Nov 9, 2022
IP Denial of Service Vulnerability ")A proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability ")

CVE-2021-24086 This is a proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability "), a NULL dereference in tcpip.sys patc

Carry 1 Nov 25, 2021
ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065)

ExProlog ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065) Usage: exprolog.py [OPTIONS] ExProlog -

Herwono W. Wijaya 130 Dec 15, 2022
Vulnerability Scanner & Auto Exploiter You can use this tool to check the security by finding the vulnerability in your website or you can use this tool to Get Shells

About create a target list or select one target, scans then exploits, done! Vulnnr is a Vulnerability Scanner & Auto Exploiter You can use this tool t

Nano 108 Dec 4, 2021
Aiminsun 165 Dec 21, 2022
This repository detects a system vulnerable to CVE-2022-21907 and protects against this vulnerability if desired

This repository detects a system vulnerable to CVE-2022-21907 and protects against this vulnerability if desired

null 26 Dec 26, 2022
CVE-2022-21907 Vulnerability PoC

CVE-2022-21907 Description POC for CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability. create by antx at 2022-01-17, just some sm

Michele 16 Dec 18, 2022
CVE-2022-23046 - SQL Injection Vulnerability on PhpIPAM v1.4.4

CVE-2022-23046 PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL s

null 2 Feb 15, 2022
HTTP Protocol Stack Remote Code Execution Vulnerability CVE-2022-21907

CVE-2022-21907 Description POC for CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability. create by antx at 2022-01-17. Detail HTTP

赛欧思网络安全研究实验室 365 Nov 30, 2022
😭 WSOB is a python tool created to exploit the new vulnerability on WSO2 assigned as CVE-2022-29464.

?? WSOB (CVE-2022-29464) ?? WSOB is a python tool created to exploit the new vulnerability on WSO2 assigned as CVE-2022-29464. CVE-2022-29464 details:

0p 25 Oct 14, 2022