How Does HTTP Response Smuggling Work

As of August 19, 2022, CISA added the ICMAD vulnerability CVE-2022-22536 to its catalog.

Research from the Onapsis Research Labs over the past year in HTTP Response Smuggling led to the discovery of a set of critical vulnerabilities affecting SAP applications actively using the SAP Internet Communication Manager (ICM), referred to as ICMAD (Internet Communication Manager Advanced Desync). The Onapsis Research Labs identified three critical vulnerabilities in a memory handling mechanism which can lead to full system compromise, if exploited by an attacker. Leveraging the most critical vulnerability (CVSSv3 10.0) is simple, requires no previous authentication, no preconditions are necessary, and the payload can be sent through HTTP(S). Unpatched SAP NetWeaver applications (JAVA/ABAP) reachable through HTTP(S) are vulnerable to it, as well as any application sitting behind SAP Web Dispatcher, such as S/4HANA. Onapsis and SAP recommend SAP customers apply the patches as soon as possible.

Using the new HTTP Response Smuggling techniques presented by Onapsis in 2021, attackers could control responses sent by the SAP application and persist the attack. This means that with a single request, an attacker would be able to steal every victim session and credentials in plain text and modify the behavior of the applications. The business impact here can potentially range from simply hijacking user identities or stealing user’s confidential information to a complete takeover of a critical SAP application, leading to security events that could disrupt business operations or potentially expose an organization to greater risk. 

Download the Report: Onapsis and SAP Partner to Discover and Patch Critical ICMAD Vulnerabilities

To exploit the vulnerability, an attacker can use the HTTP Response Smuggling techniques, which allow a client to send a request which will be forwarded by the proxy as one request but split into two at the ICM. For that reason, it is possible to desynchronize the communication between the proxy and the ICM and thereby use HTTP smuggling to hijack a victim’s sessions.

By injecting a malicious payload into the ICM queue, it is possible to control the prefix of the victim’s requests (i.e., HTTP Request Smuggling). This can be leveraged by an attacker to hijack user sessions and credentials and completely take over the SAP application.

What’s more important, through the use of HTTP Response Smuggling techniques and the characteristics of the aforementioned vulnerability, it is also possible for attackers to poison the proxy’s Web Cache and the ICM response queue. This can be accomplished successfully using a single request. In this case, the attack could persist, and all SAP users would be compromised. With one indistinguishable HTTP request, a malicious user can obtain the credentials and client session of arbitrary victim users.

To poison the Web Cache of a proxy, an attacker would send two pipelined (concatenated) requests — the first one containing the malicious payload that will be stored in the cache and the second one with the URL to be poisoned. 

ICMAD 1

This will cause the ICM to return two responses from the malicious payload — the first one with a 2xx/3xx status code and the second with a malicious JavaScript that will be stored as the response of the targeted URL.

ICMAD 2

Finally, when a victim requests the system for the same URL, which was chosen arbitrarily by the attacker, the malicious response will be returned by the proxy. An attacker could replace every SAP web page with malicious JavaScript.

ICMAD 3

The Onapsis Research Labs were able to validate that attackers can reliably exploit this issue, which proves that an unauthenticated user can compromise the system if any proxy is present between the ICM and the clients.

To learn more about the ICMAD vulnerabilities and the research behind it, take a look at our threat report.

Resources on ICMAD SAP Vulnerabilities