SAP Crystal Reports Sensitive Information Disclosure (CVE-2019-0285)
Hello,
In August 2018 I discovered a High/Critical risk sensitive information disclosure issue in Crystal Reports, tracked as CVE-2019-0285 (CVSS Base Score: 9.8). The vulnerability could allow an attacker to access details such as database credentials, system data, debugging information, and other information.
SAP verified the vulnerability and announced the final patch in April 2019.
Proof-of-Concept:
1- Intercept the "Export" report HTTP request.
2- Copy the "__CRYSTALSTATE" + <crystal report user control> Viewer name parameter value.
3- You will find a base64 value in the "viewerstate" attribute.
4- Decode the value; you will get database information such as the database name, credentials, internal path disclosure and some debugging information.
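To confirm whether your own deployment still exposes this data after patching, the decode step above can be run as an audit check over requests captured from your application. This is an added example, not code from the original post or from SAP; the `"viewerstate":"<base64>"` layout, the marker patterns and the sample value are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

# Assumption: the field carries an attribute named "viewerstate" followed by a
# base64 run; the exact serialization is not given in the post.
VIEWERSTATE_RE = re.compile(r'viewerstate["\'\s:=]+([A-Za-z0-9+/]{16,}={0,2})', re.I)

# Hypothetical markers for the kinds of data the post says are disclosed.
MARKERS = {
    "credential": re.compile(r"(password|pwd|user id|uid)\s*=", re.I),
    "database": re.compile(r"(data source|initial catalog|database|server)\s*=", re.I),
    "internal_path": re.compile(r"[A-Za-z]:\\[\w .\\-]+"),
}

# Constructed sample, not real Crystal Reports output.
SAMPLE_STATE = "Server=db01;Database=Sales;User ID=rpt;Password=example;Path=C:\\inetpub\\reports\\q1.rpt"
SAMPLE_FIELD = '{"viewerstate":"%s"}' % base64.b64encode(SAMPLE_STATE.encode()).decode()


def decoded_views(blob: bytes):
    """Yield the blob as text under the encodings a serialized payload may use."""
    yield blob.decode("latin-1")
    yield blob.decode("utf-16-le", errors="ignore")


def audit_crystalstate(form_value: str) -> set:
    """Return the categories of sensitive data found in any decoded viewerstate."""
    findings = set()
    # unquote() undoes URL encoding without turning base64 '+' into a space.
    for match in VIEWERSTATE_RE.finditer(unquote(form_value)):
        try:
            blob = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error: not valid base64, skip it
            continue
        for text in decoded_views(blob):
            findings.update(name for name, rx in MARKERS.items() if rx.search(text))
    return findings


if __name__ == "__main__":
    print(sorted(audit_crystalstate(SAMPLE_FIELD)))
```

An empty result on a captured `__CRYSTALSTATE` value means none of the assumed markers were found, not that the state is free of sensitive data; extend `MARKERS` to match your own connection string formats.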
CVSS Base Score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High