You may as well just pop the script (mirrored here: https://gist.github.com/nneonneo/9caabf7c9d2f94711bce005e144...) into your own AI of choice and tweak the analysis to your liking.
(Note the giveaway "likely via argparse in Python" and similar constructs; the script obviously does use argparse so there's no need for hedging)
`metadataupload` takes a .zip file as POST input. This endpoint can be trivially reached on any SAP instance without authentication. The .zip file can contain a .properties file, which is deserialized into a java.util.Properties instance.
Since they're using Java deserialization, it is possible to deserialize arbitrary objects. The actual exploit uses a payload generated by ysoserial (https://github.com/frohoff/ysoserial) to either execute a command directly or drop a file on the filesystem. The basic idea behind a deserialization attack is to construct an object graph such that, when deserialized, functions that run normally as part of the deserialization process end up calling arbitrary code.
Deserialization attacks are well-known in the Java world, and are very common thanks to the fact that the serializer is both easy to use and baked into the language. With a large enough codebase (or the right dependencies) you're practically guaranteed to have enough serializable types to string together an RCE.
As an example, one of the classes used in this exploit is org.apache.xalan.xsltc.trax.TemplatesImpl (https://xalan.apache.org/xalan-j/apidocs/org/apache/xalan/xs...). This class contains a serializable array of Java .class bytecodes which will be dynamically loaded if the `newTransformer` method is called; note that merely loading a Java `.class` will be enough to run arbitrary code via static constructors. Other serializable classes are used to get the `newTransformer` method to be called on the object during deserialization.
The OP post is full of nonsensical and outright incorrect fluff. This is a straightforward deserialization-to-RCE bug; the RCE is what's being used to upload arbitrary files.
But i know that HN does not have an appreciation for SAP anyhow.
jmclnx•4mo ago
In recent years, we got patches (OSS Notes) almost daily.
dylan604•4mo ago
bayesnet•4mo ago
Arwill•4mo ago
jmclnx•4mo ago
But in most cases, the functions you need to call to write data to disk are usually closed off to developers due to "security". If you have access to the database (almost impossible to get), the data for the important tables are spread throughout multiple tables with names that look like names created from /dev/urandom.
Arwill•4mo ago
Some of the cryptic table names date back to R/2, sure, but they are the de-facto standard data model for those business data. If you have business systems communicating, for example product, business partner or financial data, it will have a mark on it of how those data are handled by SAP.
But then there are CDS views (for some time now) that have long descriptive names, and metadata to help you make database queries. You are not meant to read or write database tables directly (as of some time).
jmclnx•4mo ago
Also, SE16 did and may still have security issues. That was the reason for it being disabled for 99% of the users.