SEC Consult SA-20170912-0 :: Email verification bypass in SAP E-Recruiting Sep 12 2017 01:23PM
SEC Consult Vulnerability Lab (research sec-consult com)
SEC Consult Vulnerability Lab Security Advisory < 20170912-0 >
title: Email verification bypass
product: SAP E-Recruiting
vulnerable version: 605, 606, 616, 617
fixed version: see SAP security note number 2507798
impact: medium
homepage: https://www.sap.com
found: 2017-07-12
by: Marc Nimmerrichter (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich



Vendor description:
"SAP E-Recruiting" has recruitment and succession planning instruments that
will help your company find new employees, employ them in positions that suit
their capabilities, promote their professional development, and retain them in
the long term.
As well as enabling you to handle your companyâ??s applicant tracking activities,
"SAP E-Recruiting" ensures that you drive up-to-date human resources management,
by proactively maintaining contact with applicants, potential candidates, and
consequently, with your employees.


Business recommendation:
Email address verification during the applicant registration can be bypassed.
Businesses using the vulnerable component are advised to estimate the impact of
insufficient email address verification on their business processes and react
accordingly. It is recommended to install a patched version as soon as possible.

Vulnerability overview/description:
When an external applicant registers to the E-Recruiting application, he/she
receives a link by email to confirm access to the provided email address.
However, this measure can be bypassed and attackers can register and confirm
email addresses that they do not have access to.

An attacker could register email addresses not belonging to him/her. This could
have a business impact, because business processes might rely on a verified
email address. Furthermore, since an email address can be registered only once,
an attacker could prevent other legitimate users from registering to the
E-Recruiting application.

Proof of concept:
The email verification link contains the "param" HTTP GET parameter with base64
encoded data. When decoded, this data contains the parameters
"candidate_hrobject" and "corr_act_guid". candidate_hrobject is an incremental
user ID. corr_act_guid is a random value that needs to be provided during the
email verification. However, this value is not bound to the current
registration, which means that the value of a previous registration can be
reused. Since candidate_hrobject is incremental, it can be guessed by an
attacker. An attacker who wants to register with an email address not belonging
to him/her, could simply do the following:

1. Register with his own email address
2. Directly afterwards register with someone else's email address
3. Read the current value of candidate_hrobject in the confirmation
link from the first registration
4. Increment this value by 1
5. Send the new value in the HTTP GET request, use the corr_act_guidparameter
from the first registration
6. If this did not work: go back to step 4 to try the next ID
(maybe other people registered in between the two registrations)

This attack works because there is no per-registration nonce in the
confirmation link.

Vulnerable / tested versions:
The vulnerability was found in the following release of E-Recruiting (ERECRUIT):
Release: 617

According to the vendor, the following versions are affected:
Release: 605, 606, 616, 617

Vendor contact timeline:
2017-07-12: Contacted vendor via encrypted email with vulnerability description
and Responsible Disclosure Policy attached at secure (at) sap (dot) com [email concealed]
2017-07-13: Vendor confirmed the receipt of the email
2017-07-25: Vendor confirmed the vulnerability
2017-07-31: Contacted vendor to ask for patch release date and versions affected
2017-08-01: Vendor stated they are working on the fix and requested "adequate
time". Link to SAP Responsible Disclosure Policy was provided.
2017-08-01: Discussing release date, requested planned patch release date and
versions affected.
2017-08-02: Vendor stated that the patch cannot be published until 2017-08-31
and requested more time before advisory publication.
2017-08-23: Contacted vendor to request current patch status, planned patch
release date and versions affected.
2017-08-24: Vendor stated that the patch is planned to be published on
2017-08-24: Contacted vendor to request versions affected.
2017-08-28: Vendor provided versions affected.
2017-08-29: Defined 2017-09-12 as the actual advisory publication date.
2017-08-30: Vendor confirms advisory publication date.
2017-09-07: Contacted vendor to confirm patch release date and to request number
of fixed release / patch.
2017-09-07: Vendor provided security note number for the patch.
2017-09-12: Public release of advisory.

A patched version of SAP E-Recruiting should be installed, as the vendor
has rated this vulnerability with CVSS 6.5 base score.

Please refer to SAP Security Note 2507798 for further information.


Advisory URL:


SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Marc Nimmerrichter / @2017

0? *?H?÷
 `?He0? *?H?÷
 ? 0?¯0?? à#Ë?S?­anzTgk!0
 0o1 0 USE10U
 AddTrust AB1&0$U AddTrust External TTP Network1"0 UAddTrust External CA Root0
200530104838Z0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA0?"0
ÓJ¶ ?n¥=Ùº»þ¡?©.CRC|¯2PȦOZéØÏ?%?{?è0dæ¤øV?ý*$3?¬Dåi?£FKÂ3Ôé@?°±¬?@¹
µ?:?*S£Û= a<U?ÙNv%!)ú£|qvOîá_éûT?ÛÃ{5R·?Þ"=,0-1Y½R7°3i-CëúÖ¥ñ?wgQ?Ùî'ë¼¥8v?¤©
00U 0DU=0;09 7 5?3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
 ?*n¬UÁ:«?ÅØíÍUóªka+À #?Åfjo±õ´µw^aß}þ³¤??üû[jr
Á?â?ûZBj#!éeÇõÕ»~ê?? bêÑ:,YÅ?3ò8?å¶ézyöJ&ú|?û?0?a0?I +?þ%³`??5T«´0
 0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA0
200229235959Z0?W1 0 UAT1
0 U270010UNiederoesterreich10U Wr. Neustadt10U Komarigasse 14/11.0,U
%SEC Consult Unternehmensberatung GmbH1I0GU @Issued through SEC Consult Unternehmensberatung GmbH E-PKI Manag10U Corporate Secure Email1&0$USEC Consult Vulnerability Lab1'0% *?H?÷
 research (at) sec-consult (dot) com0 [email concealed]?"0
?çââ³×p¼¬ÉÓ#ëäoú=1X ÏsÍldhmþ·}jµ?ýySüx??¡%Vl´9«ÖHÍO½Ë Z|¢ò?q4äËg?7ò?ù?t¥Á±å1Pzò¦<*WÒj,?%x?? ä??F ¼ÜpF/*ÛЩk*TÅöb²??ÖӏñÏZ?QP´?wH;qf¢?r5·ÉyhXcü(#1~ ôYS"YÐ`U
?øô¤rP1u^ËØP.ëë?f}SÅäÖ[Hd¥ ¢áorà­ ÔB?{u·@J·²¨°×®6vL±
h:?i -V£?ËLBóa£?à0?Ü0U#0??ak?ᢠªOìgñ£÷´?Áì0U
G?gx.§~¢Òü¥El?%0Uÿ 0 Uÿ00U%0++0FU ?0=0; +²10+0)+https://secure.comodo.net/CPS0]UV0T0R P
omodoca.com0#U0research (at) sec-consult (dot) com0 [email concealed]
ðH§Àz7!]J ºæû¼]¨µX i?òÉ£­©cwSÀ/?­?ÓOÑ:þ Úøw?P[óü¹ÁÒ&©ã?ü-6?L5Y?ù6àòÀõ$Äð?z¼.È?ïNþ±ñ?øK×ÈV ® ¯ä@nÞ9ó¹Rk«*Ò¶èDÞÞ
{Ë­à¦]FϨújRO^pº=õ ?æ?18!??¤q µa=c@2ÞTC?ïþ´4?~-?ø¿À?Hÿ¹¨r.ÁØ ØXW?YÊÆ?á:??ZÔûµ4àÒ2CSq3»?`Û?I?Ö²Ë3gj?ù»º x1?A0?=0°0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA+?þ%³`??5T«´0
 `?He ?a0 *?H?÷
 1  *?H?÷
0 *?H?÷
170912132309Z0/ *?H?÷
 1" ¢°^wt¡¯QÅ?©?`aÂÃ^h@½'Ãh½þbu÷20l *?H?÷
 1_0]0  `?He*0  `?He0
(0Á +?71³0°0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA+?þ%³`??5T«´0Ã *?H?÷
  1³ °0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA+?þ%³`??5T«´0
e>*}4÷G?½ÍÒwp k¡ _?¬`?.twIÓë\E^ÇA?f-$ÞåQ¹X".£è?? bxÒAf06£ÈÁ´âÆc¢ÒåÉ7?ð°Ø?]^a5XWP?a

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus