How to exploit the stored XSS vulnerability of SAP Afaria In the MDM Mobile Terminal Management System

How to exploit the stored XSS vulnerability of SAP Afaria In the MDM Mobile Terminal Management System

 

Here, we will demonstrate how to analyze vulnerabilities in SAP Afaria, a world-renowned MDM mobile terminal management software, and how attackers can exploit these vulnerabilities to launch attacks.

FreeBuf Encyclopedia: What is MDM?

In short, MDM helps enterprises manage employees' mobile terminals (such as smartphones, tablets, or tablets, that is to say, it can help enterprises strengthen the storage and security management of enterprise data on these devices. The administrator needs to install an app on the managed mobile terminal. The administrator can manage these mobile terminals through the system, including obtaining the running track and downloading specified applications, manage the network or other settings of a device.

Afaria is also widely used around the world. We have 140 Afaria servers on the Internet. The distribution is as follows,

 

 

As shown on the above map, the current number is the largest in the United States and China.

Stored XSS vulnerabilities discovered

When studying SAP Afaria, we found an interesting vulnerability. Next we will analyze the vulnerability utilization step by step.

First, on Afaria, the Administrator manages the devices (such as some policy settings or terminal information queries). The Administrator enters the management page through a browser and then makes other settings. On the network management console, the system administrator can obtain a list of all connected devices, create new mobile device configurations, download applications, and control devices.

So what happens when an unknown device is connected to a system server?

Next, let's take a look at what we will see if we try to connect the new device to the server without the appropriate permissions (and user accounts.

 

 

The result we get is: first, of course, the server does not allow us to connect. However, our device information is displayed in the device list of the management system. The status is Not approved. This means that attackers can inject some data anonymously to the Management Console. We first imagine the possibility of JS injection, because this server did not filter the information before the display device IMEI.

This looks like a stored XSS vulnerability. This vulnerability also seems interesting because it limits the IMEI segment to 15 characters. This restriction does not seem to allow injection of a JavaScript script? However, from the attacker's point of view, some js payload and annotation information can also be sent as multiple connection requests.

This is very dangerous for the entire system, especially for managers. Of course, ordinary afaria users cannot use these features. However, user data injection is still possible.

Try to inject

We assume that attackers inject the following JavaScript code.

alert('Hello Afaria! U so secure!');

Then, we detect that the terminal will send a request with an IMEI value to the server.

/*zzzzzz*/a00="alert";/**/a01="('Hel";/**/a02="lo Af";/**/a03="aria!";/**/a04=" U so";/**/a05=" secu";/**/a06="re!')";/**/a07=";";/*zzzz*/zzz=a00+a01+/**/a02+a03+a04+/**/a05+a06+a07+/**/'';/*zzzzzzzzz*/eval(zzz);/*zzzzzzz*/

Have you observed that the request information detected above has/**/in each query, which is used to mark the annotation information in js Code. In this way, some unnecessary html tags are not deleted.

Result of the attempt

The web server creates an HTML webpage on the Management Panel. All the character fragments are aggregated to a js script and executed during administrator operations. It also allows attackers to obtain data from the Afaria Management Panel and control all device terminals connected to the server.

The following shows how to inject the previous JS code in the IMEI region section in the source code of the web console.

 

SAP Afaria stored XSS vulnerability: Summary

This vulnerability has been fixed. Installing SAP Note 2152669 can solve this problem.

This problem is essentially very serious because it can be remotely exploited without authorization. In terms of quantity, we can see 140 servers on the Internet. Once successful, attackers can control all terminal devices of an enterprise and perform some sensitive operations, such as erasing data, locking smart phones, and even forcing terminals to download malicious programs with backdoors, to obtain user data. If attackers are commercial spies, they may also steal core data files within the enterprise.