Your crown jewels online: Further Attacks to SAP Web Applications
Mariano Nunez Di Croce
Introduction to SAP
Largest provider of business management solutions in the world
- 140,000 implementations
- > 90,000 customers
- 120 countries
SAP runs the most critical business process of many companies –> Hence the crown jewels of a company
This talk covers threats to the core and standard SAP applications and doesn’t attempt to cover issues in custom designed applications.
What SAP Security used to be
Traditionally SAP security has come down to segregation of duties. This however offers a false sense of security. SoD are necessary, but are not nearly enough to secure systems of this complexity.
For somebody to exploit segregation of duties the attacker needs access to your SAP system, and a valid account. There are however many issues lower in the stack that could result in non-users exploiting SAP systems.
In 2011 so far, there have been around 700 SAP Security Notes released
The different SAP Web Application Servers
Not uncommon to find multiple internet technologies in use. SAP systems are nowadays often found on the internet
SAP Internet Transaction Server (ITS)
Released in 1996. SAPs first approach to enable internet access to SAP systems
SAP Internet Communication Manager (ICM)
No more middleware == direct access from the internet
ICM Web Server requests are handled by the ICF
SAP Enterprise Portal
Latest technology from SAP
Provide a unique access point to the organizations SAP and non-SAP systems through the Web
Attackers Dream
External attackers are less likely to be caught, but lack the required access to systems.
By putting SAP systems on the internet you’re offering the best of both worlds.
Access to SAP infrastructure from a remote location
Identification
through server banners
Hard if it’s running through a reverse proxy
Otherwise various information visible to users through the server headers
through error messages
ITS is prone to very helpful error messages. If you request a resource that doesn’t exist it responds with a lot of useful information.
ICM also exposes the SAP SID information and system numbers
Enterprise Portal provides HTML comments with useful information
Attacks to the ICM
Dangerous ICF Services
There are over 1500 standard ICF services on a typical SAP ECC install
When requesting a service the SAP system will check if it’s public or private.
Private services require authentication (this is the case for most services)
The Info Service
Public ICF service
/sap/public/info
Provides an XML SOAP response with lots of useful info
An explosive combination
Most services need authentication.
After authentication the SAP system checks for authorization to run the service
Issues:
- As most services are not setup with an authorization value, these checks are not made
- Standard SAP users are therefore a serious issue for SAP systems
- Attacker can control the mandant remotely
Result:
- The attacker has fair chances of accessing sensitive business functionality through the ICM server
SOAP RFC Service
The RFC protocol is used to call an ABAP function module
As RFC is blocked at the firewall this can’t be done directly.
The SOAP RFC Service offers the ability to perform this same call through an SOAP interface, bypassing the RFC block on the firewall
< LIVE DEMO >
Multiple function calls can be made include logging off all active users, spamming messages to all users, through to shell on the remote server…
Shell access involved injection commands into an RFC request.
Attacks to secured enterprise portals
Authentication is handled by the Java engine
Many organisation have Web Access Management solutions in place (such as SSO) to improve security or make it easier for corporate users.
There are various vendors offering the ability to integrate their solutions
This integration uses the Header Variables Login module
What happens in an attacker can connect directly to the portal? Can he pretend to the be the authentication proxy?
Attack:
- Attacker removes the cookies from a request with no username/password
- Adds a header called REMOTE_USER: Administrator (or any other desired user)
- It just lets him in!
< LIVE DEMO >
Found and noted in 2006 on the SAP forums… not fixed!
SAPPortalShell
Enables post exploitation for SAP Portal (much like PHP, JSP, etc…)
In order to use it, he needs to gain admin access to the portal and deploy the shell in the same way you would with JMX, etc…
Further Attacks
- Verb tampering attacks –> Work on SAP!
- Invoker Servlet Detour attacks
- Lots more unpatched things
Conclusions
- Lots of SAP systems are online, even if owners think they’re not
- Attackers chance of being caught are reduced a lot when the system is online
- Many different kinds of web tech
- Security of SAP getting better, slowly
- Always use a reverse proxy in front of your SAP system if it HAS to be on the internet
Links :
- Your crown jewels online: Further Attacks to SAP Web Applications –> Overview
- Attacks to SAP Web Applications (Blackhat DC 2011 Slides) –> PDF
- SAP REMOTE_USER info –> Link
Cатсн²² (in)sесuяitу / ChrisJohnRiley 