Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Metasploit SAP Management Console AUX Modules

It’s been a tough few months, not only with Christmas, New Year’s and the inevitable travelling that brings, but also dealing with what I can only assume is one of the worst written and conceived programs I’ve ever had to install (more about that in another post though!). I can only guess this is how SAP deter security researchers… by making it a week’s work just to get a single SAP test instance up and working 😉

Anyway, where was I? Oh yeah. Although the basic premise of my research was quick to formulate, I’ve had to invest a lot of time (more than I care to admit) in fighting to the death setting up a couple of test SAP servers (SuSE Linux and Windows-based) to fully test what was possible and what wasn’t through the SAP Management Console. It’s been an interesting journey!

The auxiliary modules I’m releasing today are based on an information disclosure bug I noticed while conducting some SAP research back in November 2010. During the time it took me to write up and release these modules, the main issue was also discovered and reported by researchers at Onapsis (a company known for its SAP security research). I know it’s not unusual for multiple researchers to find the same issue at the same time, so I guess I’ll just need to be faster next time 😉

I see no ethical issue in releasing the information gathering modules that take advantage of this bug, as quite honestly, anybody with an SAP system and tcpdump could find this in a few seconds. I’ve not looked further into the Onapsis DoS condition mentioned in Onapsis-2011-002, but will add it to the list of things to look at in the next phase of my research.

Although the Onapsis advisory only mentions Information Disclosure and a single DoS condition, I think there is more gold to be found here, so keep an eye out for some further SAP Management Console modules in the future. I’ve already got a few ideas for what’s coming next. It’s just getting the time to implement these ideas in Metasploit.

Auxiliary Modules:

Note: To use these modules with your current Metasploit install, place them into your ~/.msf3/modules folder (retaining the directory structure above… e.g. auxiliary/scanner/sap).

You can find out more detailed information about the modules and download copies of the .rb files (they are not currently available in the Metasploit SVN) by following the below links, or viewing them through the Tools/Scripts Menu.

Demo Video:

Note:

These are my first Metasploit modules, so as a non-Ruby programmer (and non-programmer in general) please excuse the odd bad practice when it comes to coding. Any feedback (good or bad) is always gratefully received!

Links:

Updated [10.01.11] – Reworded my sleep-deprived version for something that actually makes sense!
