CVE-2022-22536

SAP memory pipes desynchronization vulnerability(MPI) CVE-2022-22536.

Description

• POC for CVE-2022-22536: SAP memory pipes(MPI) desynchronization vulnerability.
• create by antx at 2022-02-15.

Detail

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim’s request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.

CVE Severity

• attackComplexity: LOW
• attackVector: NETWORK
• availabilityImpact: HIGH
• confidentialityImpact: HIGH
• integrityImpact: HIGH
• privilegesRequired: NONE
• scope: CHANGED
• userInteraction: NONE
• version: 3.1
• baseScore: 10.0
• baseSeverity: CRITICAL

Affect

• SAP Web Dispatcher
  • 7.49
  • 7.53
  • 7.77
  • 7.81
  • 7.85
  • 7.22EXT
  • 7.86
  • 7.87
• SAP NetWeaver and ABAP Platform
  • KERNEL 7.22
  • 8.04
  • 7.49
  • 7.53
  • 7.77
  • 7.81
  • 7.85
  • 7.86
  • 7.87
  • KRNL64UC 8.04
  • 7.22
  • 7.22EXT
  • 7.49
  • 7.53
  • KRNL64NUC 7.22
  • 7.22EXT
  • 7.49
• SAP Content Server
  • 7.53

Scenarios supported

This tool has been tested in the following scenarios:

• Direct testing against a SAP System This tool provided realible results when used to test systems directly. This means with no HTTP(s) proxy device between the host executing the test and the target SAP system.
• SAP WEB Dispatcher as Proxy This tool provided reliable results when the SAP system under test was behind a SAP Web Dispatcher.
• Other configurations / Proxies This tool was not tested in any other environment or with any other proxy. Reliable results in any other scenario than the mentioned above are not guaranteed.

Proof of Concept

• Poc

Mitigations

• The official has published a patch for CVE-2022-22536.

Reference

• Ref-Source
  • MPI Scanner
• Ref-Article
  • ICMAD SAP Vulnerability (CVE-2022-22536) – Critical Risk
  • Communication Manager Advanced Desync (ICMAD) Vulnerabilities
• Ref-Twitter
  • Twitter<CVE-2022-22536>
• Ref-Risk
  • NVD<CVE-2022-22536>
• CVE
  • CVE-2022-22536
• Ref-Patch
  • SAP Security Patch Day - February 2022

IMPORTANT

This exploit is only intended to facilitate demonstrations of the vulnerability by researchers. I disapprove of illegal actions and take no responsibility for any malicious use of this script. The proof of concept demonstrated in this repository does not expose any hosts and was performed with permission.