SAP Memory Pipes (MPI) desynchronization vulnerability, CVE-2022-22536.
- PoC for CVE-2022-22536: SAP Memory Pipes (MPI) desynchronization vulnerability.
- Created by antx on 2022-02-15.
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data, which lets the attacker execute functions while impersonating the victim or poison intermediary web caches. A successful attack could result in complete compromise of the confidentiality, integrity and availability of the system.
CVSS v3.1 base metrics:
- attackVector: NETWORK
- attackComplexity: LOW
- privilegesRequired: NONE
- userInteraction: NONE
- scope: CHANGED
- confidentialityImpact: HIGH
- integrityImpact: HIGH
- availabilityImpact: HIGH
- version: 3.1
- baseScore: 10.0
- baseSeverity: CRITICAL
Affected products and versions:
- SAP Web Dispatcher: 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87
- SAP NetWeaver and ABAP Platform:
  - KERNEL: 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87
  - KRNL64UC: 8.04, 7.22, 7.22EXT, 7.49, 7.53
  - KRNL64NUC: 7.22, 7.22EXT, 7.49
- SAP Content Server: 7.53
This tool has been tested in the following scenarios:
- Direct testing against an SAP system: the tool provided reliable results when used to test systems directly, i.e. with no HTTP(S) proxy device between the host executing the test and the target SAP system.
- SAP Web Dispatcher as proxy: the tool provided reliable results when the SAP system under test was behind an SAP Web Dispatcher.
- Other configurations / proxies: the tool was not tested in any other environment or with any other proxy. Reliable results in any scenario other than those mentioned above are not guaranteed.
- SAP has published a patch for CVE-2022-22536.
This exploit is only intended to facilitate demonstrations of the vulnerability by researchers. I disapprove of illegal actions and take no responsibility for any malicious use of this script. The proof of concept demonstrated in this repository does not expose any hosts and was performed with permission.