Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
10
CVSSv2

CVE-2020-6207

Published: 10/03/2020 Updated: 17/06/2021
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Subscribe to Sap

Vulnerability Summary

SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

sap solution manager 7.20

Exploits

Exploit DB: SAP Solution Manager 7.2 Remote Command Execution
This Metasploit module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet of SAP Solution Manager (SolMan) running version 72 The vulnerability occurs due to missing authentication checks when submitting a SOAP request to the /EemAdminService/EemAdmin page to get information about connected SMDAgents allowing an attacker to send ...
Exploit DB: SAP Solution Manager remote unauthorized OS commands execution
This module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of SAP Solution Manager (SolMan) running version 72 The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected ...
Exploit DB: SAP Solution Manager remote unauthorized OS commands execution
This module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of SAP Solution Manager (SolMan) running version 72 The vulnerability occurs due to missing authentication checks when submitting a SOAP request to the /EemAdminService/EemAdmin page to get information about connected ...

Metasploit Modules

SAP Solution Manager remote unauthorized OS commands execution

This module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting SOAP requests to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP request (SSRF), and execute OS commands on connected SMDAgent. Works stable in connected SMDAgent with Java version 1.8. Successful exploitation of the vulnerability enables unauthenticated remote attackers to achieve SSRF and execute OS commands from the agent connected to SolMan as a user from which the SMDAgent service starts, usually the daaadm.

msf > use auxiliary/admin/sap/cve_2020_6207_solman_rce
msf auxiliary(cve_2020_6207_solman_rce) > show actions
    ...actions...
msf auxiliary(cve_2020_6207_solman_rce) > set ACTION < action-name >
msf auxiliary(cve_2020_6207_solman_rce) > show options
    ...show and set options...
msf auxiliary(cve_2020_6207_solman_rce) > run
SAP Solution Manager remote unauthorized OS commands execution

This module exploits the CVE-2020-6207 vulnerability within the SAP EEM servlet (tc~smd~agent~application~eem) of SAP Solution Manager (SolMan) running version 7.2. The vulnerability occurs due to missing authentication checks when submitting a SOAP request to the /EemAdminService/EemAdmin page to get information about connected SMDAgents, send HTTP request (SSRF) and execute OS command on connected SMDAgent. Works stable in connected SMDAgent with Java version 1.8. Successful exploitation will allow unauthenticated remote attackers to get reverse shell from connected to the SolMan agent as the user under which it runs SMDAgent service, usually daaadm.

msf > use exploit/multi/sap/cve_2020_6207_solman_rs
msf exploit(cve_2020_6207_solman_rs) > show targets
    ...targets...
msf exploit(cve_2020_6207_solman_rs) > set TARGET < target-id >
msf exploit(cve_2020_6207_solman_rs) > show options
    ...show and set options...
msf exploit(cve_2020_6207_solman_rs) > exploit

Github Repositories

https://github.com/chipik/SAP_EEM_CVE-2020-6207

PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager)

PoC for CVE-2020-6207 (Missing Authentication Check in SAP Solution Manager) This script allows to check and exploit missing authentication checks in SAP EEM servlet (tc~smd~agent~application~eem) that lead to RCE on SAP SMDAgents connected to SAP Solution Manager Original finding: Pablo Artuso Yvan 'iggy' G Paper: An Unauthenticated Journey to Root :Pwning Your Co

https://github.com/xiaoha-bb/vulmap

漏洞资产情报收集

漏洞情报收集 MySQL客户端jdbc反序列化漏洞 CVE-2021-22986 XStream多个高危漏洞 sudo本地权限提升漏洞(CVE-2021-3156) 深信服SSL-VPN代码注入 微软2021年3月补丁日漏洞通告 VMware多个高危漏洞通告 SAP Solution Manager EemAdmin 远程代码执行漏洞(CVE-2020-6207) JumpServer 远程命令执行漏洞 资产收集 资产收集-

Recent Articles

SAP: It takes exploit devs about 72 hours to turn one of our security patches into a weapon against customers
The Register • Thomas Claburn in San Francisco • 06 Apr 2021

So please don't delay in applying updates, says, well, everyone Beware the IDEs of March: Microsoft's latest monthly fixes land after frantic Exchange Server updates

SAP and security analysts Onapsis say cyber-criminals are pretty quick to analyze the enterprise software outfit's patches and develop exploits to get into vulnerable systems. In a joint report issued by the two organizations, Mariano Nunez, CEO of Onapsis, cited "conclusive evidence that cyberattackers are actively targeting and exploiting unsecured SAP applications," and warned time was of the essence, reporting "SAP vulnerabilities being weaponized in less than 72 hours since the release of p...

Read more...

References

CWE-306https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305https://launchpad.support.sap.com/#/notes/2890213http://packetstormsecurity.com/files/161993/SAP-Solution-Manager-7.2-Remote-Command-Execution.htmlhttp://seclists.org/fulldisclosure/2021/Apr/4http://packetstormsecurity.com/files/162083/SAP-SMD-Agent-Unauthenticated-Remote-Code-Execution.htmlhttp://seclists.org/fulldisclosure/2021/Jun/34http://packetstormsecurity.com/files/163168/SAP-Solution-Manager-7.20-Missing-Authorization.htmlhttps://nvd.nist.govhttps://github.com/chipik/SAP_EEM_CVE-2020-6207https://packetstormsecurity.com/files/161993/SAP-Solution-Manager-7.2-Remote-Command-Execution.html
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-2907hardcodedinjectCVE-2024-20359CVE-2024-2467CVE-2024-4077CVE-2024-22391cameraCVE-2024-20353
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook