Jun 04, 2020 at 11:15 AM

Issue with version 13.0.23.2819 in SAP Crystal Report Viewer.


We have an issue with version 13.0.23.2819: when penetration testing was done, arbitrary code execution via unsafe deserialization was found in SAP Crystal Report Viewer. Can you please suggest whether this is resolved in the new version 13.0.26.3348?

The vulnerability exists due to a vulnerability discovered in SAP’s Crystal Reports Viewer, which uses the LosFormatter library to unsafely deserialize the contents of viewerState (which is contained within the URL-encoded value of the _CRYSTALSTATEcrViewer parameter).

An example of unsafe deserialization (similar to what was found within Crystal Reports) would use code like the following:

using System.Web.UI;

// Vulnerable pattern: untrusted request data goes straight into LosFormatter,
// so any serializable type (and whatever gadget chain it carries) is instantiated on the server.
LosFormatter formatter = new LosFormatter();
object result = formatter.Deserialize(userInputBase64String);

To reproduce this finding:

1. Download the ysoserial.net project from GitHub, unzip the archive, and locate the ysoserial.exe binary.

2. Generate a payload to spawn calc.exe with the following command (copy the output, which should be a base64 string):

ysoserial.exe -f losFormatter -g TypeConfuseDelegate -o raw -c "calc.exe"

3. Modify the contents of the viewerState JSON key with the payload.

Can you please suggest on this issue as soon as possible?
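Added example (not from this post or from SAP): a defender-side check that can be run over web-server request logs to flag _CRYSTALSTATEcrViewer values whose viewerState hands a BinaryFormatter stream to LosFormatter, which is the shape the deserialization payload described above has to take. The byte-level constants are those of System.Web.UI.ObjectStateFormatter (the format LosFormatter emits); the parameter/JSON layout follows the post, while the "METHOD URL STATUS" log layout, the /report.aspx path and the sample requests are constructed assumptions.

```python
import base64
import json
from urllib.parse import parse_qs, quote, urlsplit

# Wire format of System.Web.UI.ObjectStateFormatter (what LosFormatter emits):
# byte 0 = 0xFF format marker, byte 1 = 0x01 version, byte 2 = token of the root value.
OSF_HEADER = b"\xff\x01"
TOKEN_BINARY_SERIALIZED = 0x32  # root value was handed to BinaryFormatter
# SerializationHeaderRecord opening every BinaryFormatter stream: record 0x00, RootId=1,
# HeaderId=-1, MajorVersion=1, MinorVersion=0 (each int32 little-endian)
BINARY_FORMATTER_HEADER = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00"

def extract_viewer_state(url: str):
    """Decode viewerState from the URL-encoded JSON in _CRYSTALSTATEcrViewer, else None."""
    raw = parse_qs(urlsplit(url).query).get("_CRYSTALSTATEcrViewer")
    if not raw:
        return None
    try:
        state = json.loads(raw[0]).get("viewerState")
        return base64.b64decode(state, validate=True) if state else None
    except (ValueError, AttributeError):
        return None  # malformed JSON/base64 never reaches LosFormatter.Deserialize

def classify_state(blob: bytes) -> str:
    """A gadget chain must arrive as a BinaryFormatter stream inside the LosFormatter envelope."""
    if not blob.startswith(OSF_HEADER):
        return "not-losformatter"
    if (len(blob) > 2 and blob[2] == TOKEN_BINARY_SERIALIZED) or BINARY_FORMATTER_HEADER in blob:
        return "binaryformatter-embedded"
    return "plain-state"

def scan_requests(log_lines) -> list:
    """URLs of requests whose viewer state embeds a BinaryFormatter stream (review candidates)."""
    hits = []
    for line in log_lines:
        url = line.split()[1]  # assumed "METHOD URL STATUS" log layout (constructed)
        blob = extract_viewer_state(url)
        if blob is not None and classify_state(blob) == "binaryformatter-embedded":
            hits.append(url)
    return hits

def _state_url(blob: bytes) -> str:
    # /report.aspx is a placeholder path; the parameter carries URL-encoded JSON as in the post
    return "/report.aspx?_CRYSTALSTATEcrViewer=" + quote(json.dumps({"viewerState": base64.b64encode(blob).decode()}))

# Constructed samples: a benign root string token (0x05), and a root BinaryFormatter blob.
BENIGN_STATE = OSF_HEADER + b"\x05\x04main"
_BF_BODY = BINARY_FORMATTER_HEADER + b"\x0b"  # header + MessageEnd record, no real object graph
SUSPICIOUS_STATE = OSF_HEADER + bytes([TOKEN_BINARY_SERIALIZED, len(_BF_BODY)]) + _BF_BODY
SUSPICIOUS_URL = _state_url(SUSPICIOUS_STATE)
SAMPLE_LOG = ["GET " + _state_url(BENIGN_STATE) + " 200", "GET " + SUSPICIOUS_URL + " 200"]
```

A hit means the viewer state is carrying an arbitrary .NET object graph into BinaryFormatter, which is what this vector needs, but it does not by itself prove a malicious chain, so treat hits as review candidates; the actual fix is the vendor update.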