How Does HTTP Response Smuggling Work 

Research from the Onapsis Research Labs over the past year in HTTP Response Smuggling led to the discovery of a set of critical vulnerabilities affecting SAP applications actively using the SAP Internet Communication Manager (ICM), referred to as ICMAD (Internet Communication Manager Advanced Desync). The Onapsis Research Labs identified three critical vulnerabilities in a memory handling mechanism which can lead to full system compromise, if exploited by an attacker. Leveraging the most critical vulnerability (CVSSv3 10.0) is simple, requires no previous authentication, no preconditions are necessary, and the payload can be sent through HTTP(S). Unpatched SAP NetWeaver applications (JAVA/ABAP) reachable through HTTP(S) are vulnerable to it, as well as any application sitting behind SAP Web Dispatcher, such as S/4HANA. Onapsis and SAP recommend SAP customers apply the patches as soon as possible.

Using the new HTTP Response Smuggling techniques presented by Onapsis in 2021, attackers could control responses sent by the SAP application and persist the attack. This means that with a single request, an attacker would be able to steal every victim session and credentials in plain text and modify the behavior of the applications. The business impact here can potentially range from simply hijacking user identities or stealing user’s confidential information to a complete takeover of a critical SAP application, leading to security events that could disrupt business operations or potentially expose an organization to greater risk. 

 

To exploit the vulnerability, an attacker can use the HTTP Response Smuggling techniques, which allow a client to send a request which will be forwarded by the proxy as one request but split into two at the ICM. For that reason, it is possible to desynchronize the communication between the proxy and the ICM and thereby use HTTP smuggling to hijack a victim’s sessions.

By injecting a malicious payload into the ICM queue, it is possible to control the prefix of the victim’s requests (i.e., HTTP Request Smuggling). This can be leveraged by an attacker to hijack user sessions and credentials and completely take over the SAP application.

What’s more important, through the use of HTTP Response Smuggling techniques and the characteristics of the aforementioned vulnerability, it is also possible for attackers to poison the proxy’s Web Cache and the ICM response queue. This can be accomplished successfully using a single request. In this case, the attack could persist, and all SAP users would be compromised. With one indistinguishable HTTP request, a malicious user can obtain the credentials and client session of arbitrary victim users.

To poison the Web Cache of a proxy, an attacker would send two pipelined (concatenated) requests — the first one containing the malicious payload that will be stored in the cache and the second one with the URL to be poisoned. 

 

This will cause the ICM to return two responses from the malicious payload — the first one with a 2xx/3xx status code and the second with a malicious JavaScript that will be stored as the response of the targeted URL.

 

Finally, when a victim requests the system for the same URL, which was chosen arbitrarily by the attacker, the malicious response will be returned by the proxy. An attacker could replace every SAP web page with malicious JavaScript.

The Onapsis Research Labs were able to validate that attackers can reliably exploit this issue, which proves that an unauthenticated user can compromise the system if any proxy is present between the ICM and the clients.

To learn more about the ICMAD vulnerabilities and the research behind it, take a look at our threat report.

Resources on ICMAD SAP Vulnerabilities

• For a deeper dive into the ICMAD vulnerabilities, download our threat report.
• Watch Now: Onapsis and SAP Executive Briefing on Mitigating the ICMAD SAP Vulnerabilities
• Onapsis Research Labs created a free vulnerability scanning tool that will allow SAP customers to scan for applications across their SAP landscape that are affected by the ICMAD vulnerabilities.
• If you are not an Onapsis customer, or need more information or assistance to respond to this situation, request a security briefing here.