CVE-2015-2074
📋 TL;DR
This vulnerability allows remote attackers to write arbitrary files to the SAP BusinessObjects Edge 4.0 File Repository Server via a full pathname in CORBA requests. Attackers can potentially overwrite critical system files or deploy malicious content. Organizations running SAP BusinessObjects Edge 4.0 with the FRS CORBA listener exposed are affected.
💻 Affected Systems
- SAP BusinessObjects Edge
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through file overwrites leading to remote code execution, data destruction, or persistent backdoor installation.
Likely Case
Unauthorized file writes allowing data manipulation, configuration changes, or denial of service through critical file corruption.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized access to the CORBA listener.
🎯 Exploit Status
Public exploit code and detailed technical analysis available. Attack requires network access to the CORBA listener port.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Note 2018681 patch
Vendor Advisory: https://launchpad.support.sap.com/#/notes/2018681
Restart Required: Yes
Instructions:
1. Download the SAP Note 2018681 patch from the SAP Support Portal.
2. Apply the patch following SAP's deployment procedures.
3. Restart the File Repository Server service.
4. Verify the patch is applied correctly.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to the CORBA listener port (default 6400) to trusted hosts only. The firewall-cmd rule below allows a single trusted source; the netsh rule as written blocks all inbound connections to the port, so on Windows add a matching allow rule for trusted hosts before it if any clients still need access.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP" port protocol="tcp" port="6400" accept'
netsh advfirewall firewall add rule name="Block FRS CORBA" dir=in action=block protocol=TCP localport=6400
Service Disablement
Disable the CORBA listener if it is not required for business operations.
systemctl stop sapfrs
sc stop "SAP BusinessObjects FRS"
🧯 If You Can't Patch
- Implement strict network access controls to limit CORBA listener exposure to only necessary systems.
- Monitor file system writes in the BusinessObjects installation directory for unauthorized modifications.
🔍 How to Verify
Check if Vulnerable:
The system is vulnerable if SAP BusinessObjects Edge 4.0 is running without SAP Note 2018681 applied and port 6400 (or the configured CORBA port) is reachable from untrusted networks.
Check Version:
Check SAP system information or consult SAP administration tools for patch status of Note 2018681.
Verify Fix Applied:
Verify SAP Note 2018681 is applied in the system and test that file writes via full pathnames in CORBA requests are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations in FRS logs
- CORBA requests with full pathnames in audit logs
- Failed authentication attempts to FRS service
Network Indicators:
- Unexpected connections to CORBA listener port (default 6400)
- CORBA traffic containing file path manipulation patterns
SIEM Query:
(source="sap_frs.log" AND ("file write" OR "path traversal")) OR (dest_port=6400 AND protocol="CORBA")
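As an added example (not part of the original advisory), the following Python script implements the log indicator above: it scans File Repository Server write events and flags any whose target is a full pathname (absolute POSIX, Windows drive or UNC) or a repository-relative path that traverses out of the repository root. The log line layout, the `frs://` repository prefix and the sample lines are constructed assumptions; adapt the regex to the real FRS audit format.

```python
import re
from typing import Dict, List

# Constructed sample lines in a hypothetical FRS audit-log layout (assumption:
# the real SAP FRS log format is not documented on this page).
SAMPLE_LOG = """\
2015-02-20T10:01:02Z FRS WRITE client=10.0.0.5 path=frs://Input/reports/q1.rpt size=2048
2015-02-20T10:01:09Z FRS WRITE client=198.51.100.7 path=/opt/sap/bobj/config/server.conf size=512
2015-02-20T10:01:15Z FRS WRITE client=198.51.100.7 path=C:\\Windows\\System32\\unexpected.dll size=4096
2015-02-20T10:01:20Z FRS WRITE client=10.0.0.5 path=frs://Input/../../etc/passwd size=128
2015-02-20T10:01:25Z FRS READ client=10.0.0.5 path=frs://Output/report.pdf size=0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) FRS (?P<op>\w+) client=(?P<client>\S+) path=(?P<path>\S+)")
REPO_PREFIX = "frs://"  # hypothetical repository-relative scheme (assumption)


def is_full_pathname(path: str) -> bool:
    """True if the path is absolute (POSIX root, Windows drive or UNC) rather than repository-relative."""
    return path.startswith("/") or path.startswith("\\\\") or re.match(r"^[A-Za-z]:[\\/]", path) is not None


def escapes_repository(path: str) -> bool:
    """True if a repository-relative path walks above the repository root via '..' segments."""
    if not path.startswith(REPO_PREFIX):
        return False
    parts = [p for p in path[len(REPO_PREFIX):].replace("\\", "/").split("/") if p not in ("", ".")]
    depth = 0
    for p in parts:
        depth = depth - 1 if p == ".." else depth + 1
        if depth < 0:  # more '..' than real components: the path left the repository
            return True
    return False


def find_suspicious_writes(log_text: str) -> List[Dict[str, str]]:
    """Return WRITE events whose target is a full pathname or escapes the repository root."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["op"] != "WRITE":
            continue
        path = m["path"]
        if is_full_pathname(path):
            reason = "absolute-path"
        elif escapes_repository(path):
            reason = "traversal"
        else:
            continue
        hits.append({"ts": m["ts"], "client": m["client"], "path": path, "reason": reason})
    return hits


if __name__ == "__main__":
    for h in find_suspicious_writes(SAMPLE_LOG):
        print(f"{h['ts']} {h['client']} {h['reason']}: {h['path']}")
```

Run against the constructed sample it reports the two absolute-path writes and the traversal write and ignores the legitimate write and the read.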
🔗 References
- http://packetstormsecurity.com/files/130521/SAP-Business-Objects-Unauthorized-File-Repository-Server-Write.html
- http://seclists.org/fulldisclosure/2015/Feb/93
- http://www.securityfocus.com/archive/1/archive/1/534749/100/0/threaded
- http://www.securityfocus.com/bid/72776