Internal Server Error: Exploiting Inter-Process Communication in SAP's HTTP Server

Presented at Black Hat USA 2022, Aug. 10, 2022, 1:30 p.m. (40 minutes)

More than 400,000 organizations, including 90% of Fortune 500 companies, rely on SAP's software to keep their business up and running. At the core of every SAP deployment is the Internet Communication Manager (ICM), the piece of software in charge of handling all HTTP requests and responses.

This talk will demonstrate how to leverage two memory corruption vulnerabilities found in SAP's proprietary HTTP Server, using high-level protocol exploitation techniques. Both vulnerabilities, CVE-2022-22536 and CVE-2022-22532, were remotely exploitable and could be used by unauthenticated attackers to completely compromise any SAP installation on the planet.

First, by escalating an error in the HTTP request-handling process, this presentation will show how to desynchronize ICM data buffers and hijack every user's account with advanced HTTP Smuggling. Furthermore, as the primitives of this vulnerability do not rely on parsing errors, a new technique will be introduced to take over a system even in an "impossible to exploit" scenario, without a proxy. This will include a demo of the first desync botnet, using nothing more than JavaScript and Response Smuggling concepts.

Next, this talk will examine a Use After Free vulnerability in the shared memory buffers used for Inter-Process Communication. By exploiting an incorrect deallocation, it was possible to tamper with messages belonging to other TCP connections and take control of all responses using Cache Poisoning and Response Splitting theory.

Finally, as the affected buffers are also used to contain Out Of Bounds data, a method to corrupt address pointers and obtain Remote Code Execution will be explained.

The Internet Communication Manager Advanced Desync (ICMAD) vulnerabilities were addressed by the US Cybersecurity and Infrastructure Security Agency, as well as CERTs from all over the world, proving the tremendous impact they had on enterprise security.


Presenters:

  • Martin Doyhenard - Security Researcher, Onapsis
    Martin Doyhenard is a security researcher at the Onapsis Research Labs. His work includes performing security assessments on SAP and Oracle products and detecting vulnerabilities in ERP systems. His research is focused on Web stack security, reverse engineering and binary analysis, and he is also an active CTF player. Martin has spoken at different conferences including DEFCON, RSA, HITB and EkoParty, and has presented multiple critical vulnerabilities.