SAP Netweaver 7.40 Bypass a restriction or similar Vulnerability
27 Feb. 2017
SAP Netweaver 7.4 allows remote authenticated users to bypass an intended Unified Connectivity (UCON) access control list and execute arbitrary Remote Function Modules (RFM) by leveraging a connection created from earlier execution of an anonymous RFM included in a Communication Assembly, aka SAP Security Note 2139366.
By exploiting this vulnerability, an attacker could bypass protections implemented in the SAP systems, potentially executing arbitrary business processes.
An authenticated user could execute Remote Function Modules (RFM) which are filtered by the Unified Connectivity (UCON) access control list. Those RFMs are in the final phase of UCON implementation and not included in a Communication Assembly (CA). That means that no user (regardless of its privileges) should be able to execute those RFMs.
The user needs to remotely execute an anonymous RFM included in a Communication Assembly (enabled by UCON), and by leveraging the same connection execute a second RFM which is filtered (not included in a Communication Assembly).
As a result, the user will be able to execute an RFM that was originally filtered by UCON, completely bypassing the access
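The security-relevant point in the description above is that an access decision made once for a connection is reused for later calls on that connection. The following toy model, added here as an illustration and not SAP code or anything that talks to an SAP system, contrasts a connection-scoped whitelist check (which reproduces the behaviour the advisory describes) with a per-call check, and includes a small audit-trail helper that a defender could use to spot an "allowed" call to an RFM outside the whitelist. The RFM names (Z_ANON_LOGIN, Z_PUBLIC_LOOKUP, Z_SENSITIVE_RFM), the COMMUNICATION_ASSEMBLY set and the Connection class are all constructed for the example.

```python
"""Toy model of connection-scoped versus per-call RFM whitelisting.

Constructed illustration only: this is not SAP code and does not talk to any
SAP system. RFM names and the whitelist below are hypothetical. The point is
that an access-control decision cached on the connection, rather than
re-evaluated for every RFM name, can be inherited by a later call that the
whitelist would reject on its own.
"""
from dataclasses import dataclass, field

# Hypothetical Communication Assembly: the RFMs meant to be reachable remotely.
COMMUNICATION_ASSEMBLY = {"Z_ANON_LOGIN", "Z_PUBLIC_LOOKUP"}


@dataclass
class Connection:
    conn_id: str
    user: str
    authorized: bool = False           # connection-scoped flag (weak model only)
    audit: list = field(default_factory=list)


def call_rfm_connection_scoped(conn: Connection, rfm: str) -> bool:
    """Weak model: the whitelist is consulted only until the connection is marked
    authorized; every later call on the same connection inherits that decision
    regardless of which RFM is named."""
    if not conn.authorized:
        conn.authorized = rfm in COMMUNICATION_ASSEMBLY
    conn.audit.append((rfm, "allowed" if conn.authorized else "rejected"))
    return conn.authorized


def call_rfm_per_call(conn: Connection, rfm: str) -> bool:
    """Corrected model: each RFM call is checked against the whitelist on its own;
    nothing about earlier calls on the connection influences the decision."""
    allowed = rfm in COMMUNICATION_ASSEMBLY
    conn.audit.append((rfm, "allowed" if allowed else "rejected"))
    return allowed


def run_sequence(dispatcher, rfms, user="RFC_USER"):
    """Replay a call sequence on a single connection.

    Returns (list of per-call decisions, audit trail of (rfm, decision))."""
    conn = Connection(conn_id="conn-1", user=user)
    decisions = [dispatcher(conn, r) for r in rfms]
    return decisions, conn.audit


def find_bypass_in_audit(audit):
    """Detection helper: list RFMs that were 'allowed' although they are outside
    the whitelist. On the toy trail this flags exactly the inherited decision."""
    return [rfm for rfm, decision in audit
            if decision == "allowed" and rfm not in COMMUNICATION_ASSEMBLY]


if __name__ == "__main__":
    sequence = ["Z_ANON_LOGIN", "Z_SENSITIVE_RFM"]   # constructed call sequence
    weak, weak_audit = run_sequence(call_rfm_connection_scoped, sequence)
    fixed, fixed_audit = run_sequence(call_rfm_per_call, sequence)
    print("connection-scoped:", weak, "flagged:", find_bypass_in_audit(weak_audit))
    print("per-call         :", fixed, "flagged:", find_bypass_in_audit(fixed_audit))
```

Running the file shows the connection-scoped dispatcher allowing both calls while the per-call dispatcher rejects the second; the audit helper flags the inherited decision only in the weak trail. The design lesson is the one the advisory implies: the UCON allow-list must be evaluated for every RFM invocation, not cached as a property of the RFC connection.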