diff --git a/src/network-services-pentesting/3299-pentesting-saprouter.md b/src/network-services-pentesting/3299-pentesting-saprouter.md index 4ec122c14..f3acff2dd 100644 --- a/src/network-services-pentesting/3299-pentesting-saprouter.md +++ b/src/network-services-pentesting/3299-pentesting-saprouter.md 
@@ -71,15 +71,75 @@ This approach underscores the importance of secure SAProuter configurations and For more detailed information on Metasploit modules and their usage, visit [Rapid7's database](http://www.rapid7.com/db). +--- + +## Recent Vulnerabilities (2022-2025) + +### CVE-2022-27668 – Improper Access Control ➜ Remote Administrative Command Execution + +In June 2022 SAP released Security Note **3158375** addressing a critical flaw (CVSS 9.8) in SAProuter (all kernels ≥ 7.22). An unauthenticated attacker can abuse permissive `saprouttab` entries to **send administration packets** (e.g. *shutdown*, *trace-level*, *connection-kill*) from a remote host, even when the router was started without the `-X` remote-admin option. + +The issue results from the possibility to build a tunnel to the router’s own loopback interface by targeting the unspecified address **0.0.0.0**. Once the tunnel is established, the attacker gains local-host privileges and can run any admin command. + +Practical exploitation can be reproduced with the **pysap** framework: + +```bash +# 1. Build a loopback tunnel through the vulnerable SAProuter +python router_portfw.py -d -p 3299 \ + -t 0.0.0.0 -r 3299 \ + -a 127.0.0.1 -l 3299 -v + +# 2. Send an admin packet (here: stop the remote router) +python router_admin.py -s -d 127.0.0.1 -p 3299 +``` + +**Affected versions** + +* Stand-alone SAProuter 7.22 / 7.53 +* Kernel 7.49, 7.77, 7.81, 7.85–7.88 (incl. KRNL64NUC/UC) + +**Fix / Mitigation** + +1. Apply the patch delivered with SAP Note **3158375**. +2. Remove wildcard (`*`) targets from `P` and `S` lines in `saprouttab`. +3. Make sure the router is started **without** the `-X` option and is **not** directly exposed to the Internet. + +--- + +## Updated Tooling & Tricks + +* **pysap** – actively maintained and provides `router_portfw.py`, `router_admin.py` & `router_trace.py` for crafting custom NI/Router packets, fuzzing ACLs or automating the CVE-2022-27668 exploit. 
+* **Nmap** – extend service detection by adding the custom SAProuter probe: + + ```text + Probe TCP SAProuter q|\x00\x00\x00\x00| + ports 3299 + match saprouter m|SAProuter ([\d.]+)| p/SAProuter/ v/$1/ + ``` + + Combine with NSE scripts or `--script=banner` to quickly fingerprint versions that leak the banner string (`SAProuter on ''`). +* **Metasploit** – the auxiliary modules shown above still work through a SOCKS or NI proxy created with pysap, enabling full framework integration even when the router blocks direct access. + +--- + +## Hardening & Detection Checklist + +* Filter port **3299/TCP** on the perimeter firewall – allow traffic only from trusted SAP support networks. +* Keep SAProuter **fully patched**; verify with `saprouter -v` and compare against the latest kernel patch level. +* Use **strict, host-specific** entries in `saprouttab`; avoid `*` wildcards and deny `P`/`S` rules that target arbitrary hosts or ports. +* Start the service with **`-S ` + SNC** to enforce encryption and mutual authentication. +* Disable remote administration (`-X`) and, if possible, bind the listener to `127.0.0.1` while using an external reverse proxy for required traffic. +* Monitor the **dev_rout** log for suspicious `ROUTER_ADM` packets or unexpected `NI_ROUTE` requests to `0.0.0.0`. + +--- + ## **References** - [https://www.rapid7.com/blog/post/2014/01/09/piercing-saprouter-with-metasploit/](https://www.rapid7.com/blog/post/2014/01/09/piercing-saprouter-with-metasploit/) +- [https://sec-consult.com/vulnerability-lab/advisory/improper-access-control-in-sap-saprouter/](https://sec-consult.com/vulnerability-lab/advisory/improper-access-control-in-sap-saprouter/) ## Shodan - `port:3299 !HTTP Network packet too big` {{#include ../banners/hacktricks-training.md}} - - -
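Review bot: the "Fix / Mitigation" list and the hardening checklist contradict the vulnerability description two paragraphs earlier. The CVE-2022-27668 text states the attacker can send admin packets "even when the router was started without the `-X` remote-admin option", so item 3 ("Make sure the router is started **without** the `-X` option") and the checklist line "Disable remote administration (`-X`)" do not mitigate this bug on their own; suggest rewording both to say that disabling `-X` reduces general exposure but that the loopback-tunnel path is closed only by the Note 3158375 patch and by removing wildcard targets in `saprouttab`. Two smaller points in the same hunk: the checklist entry "Start the service with **`-S ` + SNC**" has a dangling `-S ` with no argument, and the Nmap probe's `match saprouter m|SAProuter ([\d.]+)|` cannot match the banner quoted right below it (`SAProuter on ''`), since that string contains no version digits after "SAProuter"; either the regex or the quoted banner should be corrected so the probe actually fires on what the text says the service returns.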