Summary: In this long-read post, we dive deep into the workings of CVE-2022-41203, a recently discovered vulnerability in the SAP BusinessObjects Business Intelligence (BI) platform. An authenticated attacker with low privileges can intercept and substitute serialized object streams, which leads to deserialization of untrusted data and compromises the Confidentiality, Integrity, and Availability (CIA) of the system. The post includes code snippets with a focus on the exploit method, links to the original references for further details, and an analysis of the impact of this vulnerability on affected systems.

The Root of the Problem: Untrusted Deserialization in SAP BusinessObjects BI Platform

The vulnerability lies in the way the SAP BusinessObjects BI Platform handles serialized objects in some of its workflows (the Central Management Console and the BI LaunchPad). An attacker who can authenticate with low privileges can intercept a serialized object carried in request parameters, substitute a malicious serialized object for it, and thereby trigger deserialization of untrusted data on the server. To understand the impact, let's first examine how deserialization works and how it can be exploited.

Understanding Deserialization

Deserialization is the process of converting a series of bytes (in this case, a serialized object) back into a usable object state. In Java, for example, it is commonly performed using the ObjectInputStream class:

// Reads one object from an arbitrary byte stream; every class named in the stream is
// instantiated and its readObject() logic runs before the caller sees the result.
ObjectInputStream ois = new ObjectInputStream(inputStream);
Object deserializedObject = ois.readObject();

The issue here is that readObject() instantiates whatever classes the incoming stream names, provided they are on the classpath, and runs their deserialization hooks. If the stream comes from an untrusted source, an attacker can chain existing classes (a so-called gadget chain) so that deserialization itself executes unintended code and compromises the system's security.
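The standard mitigation is to stop accepting arbitrary classes in the first place. The following is an added example, not code from the original post or from SAP, showing the pattern above hardened with a JEP 290 ObjectInputFilter (Java 9 and later): the application's own package and java.lang types are allowlisted, everything else is rejected, and depth and size limits bound resource use. The package name com.example.report and the ReportRequest class are hypothetical placeholders for whatever type an application legitimately exchanges.

```java
package com.example.report;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class SafeDeserializer {

    // Hypothetical application class that is legitimately exchanged in serialized form.
    public static class ReportRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String reportId;
        final int pageSize;
        ReportRequest(String reportId, int pageSize) {
            this.reportId = reportId;
            this.pageSize = pageSize;
        }
    }

    // Allowlist filter (JEP 290): only classes in this package and java.lang types may be
    // instantiated; the trailing "!*" rejects every other class, which is what breaks
    // collection- and reflection-based gadget chains. The limits bound nesting depth and
    // stream size so a crafted stream cannot exhaust memory either.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=10;maxbytes=65536;com.example.report.*;java.lang.*;!*");

    // Deserializes with the filter installed. A disallowed class fails with
    // InvalidClassException before its constructor or readObject() can run.
    public static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    // Helper used only to build sample input for the demonstration below.
    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Allowed: the application's own type round-trips normally.
        ReportRequest ok = (ReportRequest) deserialize(serialize(new ReportRequest("sales-q3", 50)));
        System.out.println("accepted: " + ok.reportId + " / " + ok.pageSize);

        // Rejected: a stream naming a class outside the allowlist. A HashMap is harmless by
        // itself; it stands in for any class the application never expects to receive.
        try {
            deserialize(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern syntax can be applied process-wide without touching application code through the jdk.serialFilter system property, which is useful for third-party components whose ObjectInputStream calls you cannot edit; a per-stream filter as above is preferable where the expected types are known, because it can be as narrow as a single class.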

Exploiting Untrusted Deserialization: CVE-2022-41203

To exploit the vulnerability in SAP BusinessObjects BI Platform, an attacker can take the following steps:

1. Authenticate with low privileges into the system (e.g., using valid credentials or exploiting another vulnerability that grants access).

2. Intercept the communication between the SAP BusinessObjects BI Platform and the client (e.g., using a man-in-the-middle technique or using a tool like Burp Suite).

3. Locate a serialized object (a base64-encoded string representation of a Java object) embedded in the transmitted data.

4. Craft a malicious serialized object to replace the original one, e.g., using a tool such as ysoserial:

java -jar ysoserial.jar CommonsCollections6 "touch /tmp/malicious_file" > exploit.bin

5. Encode the malicious serialized object in base64 format and replace the original serialized object in the intercepted communication.

6. Monitor the affected system for signs of successful exploitation, such as the creation of the /tmp/malicious_file.
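From the defender's side, the same observation the attacker relies on in step 3, that the parameter carries a base64-encoded Java object, is also the simplest detection signal: a request parameter whose decoded bytes begin with the Java serialization magic (0xACED0005, which base64-encodes with the prefix rO0AB) deserves logging, and one that additionally names a library commonly used in public gadget chains deserves an alert. The following is an added example, not code from the original post or from SAP; the parameter names, the sample values and the list of suspicious class-name prefixes are constructed for the demonstration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import java.util.Map;

public class SerializedPayloadDetector {

    // Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
    private static final byte[] STREAM_MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};

    // Class-name prefixes of libraries frequently used by public gadget chains (constructed
    // list). An allowlisting filter is the real control; this only makes alerts more specific.
    private static final List<String> SUSPICIOUS_PREFIXES = List.of(
            "org.apache.commons.collections",
            "org.apache.commons.beanutils");

    // Decodes a value as base64, accepting both the standard and the URL-safe alphabet.
    // Returns null when the value is not valid base64 at all.
    static byte[] tryDecode(String value) {
        for (Base64.Decoder d : List.of(Base64.getDecoder(), Base64.getUrlDecoder())) {
            try {
                return d.decode(value.trim());
            } catch (IllegalArgumentException ignored) {
                // not this alphabet, try the next one
            }
        }
        return null;
    }

    // True when the decoded value starts with the Java serialization magic.
    public static boolean isJavaSerializedStream(String value) {
        byte[] b = tryDecode(value);
        if (b == null || b.length < STREAM_MAGIC.length) {
            return false;
        }
        for (int i = 0; i < STREAM_MAGIC.length; i++) {
            if (b[i] != STREAM_MAGIC[i]) {
                return false;
            }
        }
        return true;
    }

    // Verdict for one parameter value: "ok", "serialized", or "serialized+gadget:<prefix>".
    // Class names inside the stream are stored as plain ASCII, so a substring search on the
    // Latin-1 view of the bytes is enough to spot a known gadget library.
    public static String classify(String value) {
        if (!isJavaSerializedStream(value)) {
            return "ok";
        }
        String text = new String(tryDecode(value), StandardCharsets.ISO_8859_1);
        for (String p : SUSPICIOUS_PREFIXES) {
            if (text.contains(p)) {
                return "serialized+gadget:" + p;
            }
        }
        return "serialized";
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the magic header followed by a class-name fragment, which is
        // enough to exercise the detector and is not a loadable or executable stream.
        ByteArrayOutputStream fake = new ByteArrayOutputStream();
        fake.write(STREAM_MAGIC);
        fake.write("sr\u0000\u002Forg.apache.commons.collections.map.LazyMap"
                .getBytes(StandardCharsets.ISO_8859_1));
        String fakeStream = Base64.getEncoder().encodeToString(fake.toByteArray());

        // Constructed request parameters: one benign value, one serialized object.
        Map<String, String> params = Map.of("reportId", "sales-q3", "state", fakeStream);
        params.forEach((name, value) ->
                System.out.println("param " + name + " -> " + classify(value)));
    }
}
```

A check like this belongs at the edge (reverse proxy, WAF, or a servlet filter in front of the affected workflows) and is a detection aid, not a fix: the vulnerable code path still needs the vendor patch from the SAP security note and, where the deserialization call is under your control, an allowlisting ObjectInputFilter.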

Impact and Implications

By exploiting CVE-2022-41203, an attacker can compromise the confidentiality, integrity, and availability of an affected SAP BusinessObjects BI Platform: code run during deserialization executes with the privileges of the server process, not with the low privileges the attacker authenticated with.

Original References and Further Reading

For more technical details, original PoCs, and mitigation measures, please refer to the following resources:

- SAP Security Note 3010232 (SAP login required) - Official security note providing details on the vulnerability, affected components, and how to apply the necessary patch.

- Common Vulnerabilities and Exposures (CVE) database: CVE-2022-41203 - A concise technical description of the vulnerability.

- ysoserial - A tool for creating Java serialized objects with embedded malicious payloads.

- Burp Suite - A popular, powerful web application security testing tool that can aid in intercepting and manipulating server-client communications.

In conclusion, the SAP BusinessObjects BI Platform vulnerability CVE-2022-41203 illustrates the risk of deserializing untrusted data in your applications. An attacker with low privileges could exploit this vulnerability and compromise the confidentiality, integrity, and availability of the system. Keep your systems up to date and apply the necessary security patches to mitigate this risk.

Timeline

Published on: 11/08/2022 22:15:00 UTC
Last modified on: 11/09/2022 15:56:00 UTC