CVE-2022-22536
SAP memory pipes (MPI) desynchronization vulnerability, CVE-2022-22536.
Description
- PoC for CVE-2022-22536: SAP memory pipes (MPI) desynchronization vulnerability.
- Created by antx on 2022-02-15.
Detail
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation. An unauthenticated attacker can prepend a victim’s request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
CVE Severity
- attackComplexity: LOW
- attackVector: NETWORK
- availabilityImpact: HIGH
- confidentialityImpact: HIGH
- integrityImpact: HIGH
- privilegesRequired: NONE
- scope: CHANGED
- userInteraction: NONE
- version: 3.1
- baseScore: 10.0
- baseSeverity: CRITICAL
Affected
- SAP Web Dispatcher
  - 7.49
  - 7.53
  - 7.77
  - 7.81
  - 7.85
  - 7.22EXT
  - 7.86
  - 7.87
- SAP NetWeaver and ABAP Platform
  - KERNEL 7.22
  - 8.04
  - 7.49
  - 7.53
  - 7.77
  - 7.81
  - 7.85
  - 7.86
  - 7.87
  - KRNL64UC 8.04
  - 7.22
  - 7.22EXT
  - 7.49
  - 7.53
  - KRNL64NUC 7.22
  - 7.22EXT
  - 7.49
- SAP Content Server
  - 7.53
Scenarios supported
This tool has been tested in the following scenarios:
- Direct testing against a SAP system: This tool provided reliable results when used to test systems directly, that is, with no HTTP(S) proxy device between the host executing the test and the target SAP system.
- SAP Web Dispatcher as proxy: This tool provided reliable results when the SAP system under test was behind a SAP Web Dispatcher.
- Other configurations / proxies: This tool was not tested in any other environment or with any other proxy. Reliable results in any scenario other than those mentioned above are not guaranteed.
Proof of Concept
Mitigations
- SAP has published an official patch for CVE-2022-22536.
IMPORTANT
This exploit is only intended to facilitate demonstrations of the vulnerability by researchers. I disapprove of illegal actions and take no responsibility for any malicious use of this script. The proof of concept demonstrated in this repository does not expose any hosts and was performed with permission.