Attacking SAP’s J2EE Engine
Alexander Polyakov and Dmitriy Chastuhin
Nowadays the SAP NetWeaver platform is the most widespread platform for developing enterprise business applications. It is becoming a popular security topic but is still not well covered.
This talk focuses on one of the black holes, the SAP J2EE engine. Some of the critical SAP products like SAP Portal, SAP Mobile, SAP XI and many other applications run on the J2EE engine, which, unlike the ABAP engine, is rarely discussed but just as critical.
- SAP J2EE Architecture
- Simple Attacks
- Searching for EPIC hole round 1
- Searching for EPIC hole round 2
- Searching for EPIC hole round 3 – Crushing blow
- Tool Demo
74% of the Forbes 500 companies run SAP. More than 120,000 customers
- Used for automation of business processes like ERP, PLM, CRM, SRM
- Integration, collaboration, and management
- SAP Portal
- SAP PI
- SAP XI
- SAP Mobile Infrastructure
- SAP Solutions Manager
Too much concentration on ABAP security, while J2EE engine issues give as much, if not more, access and business impact.
Access to J2EE using HTTP or the P4 protocol
Remote Control of SAP Systems
- Visual Admin (client/server tool); web-based user administration –> http://server:port/useradmin
- NWA (Web-based console)
- J2EE Telnet (limited)
- Declarative authentication
- Programmatic authentication
- Directly against the User Management Engine (UME)
The issues covered will be based on declarative authentication.
WEB.XML is located in the WEB-INF directory of the application root
Access control is declared in terms of permitted HTTP methods and URL locations of the application logic
User accounts can be stored in a number of places including Databases, LDAP or ABAP
By default most SAP protocols are unencrypted (meaning username:passwords can be sniffed)
Hacking Netweaver J2EE
- P4 protocol: used by the Visual Administrator tool (port 50104)
- Communication is unencrypted
- Password is "encrypted" on logon
- Tool available for decryption (from DSecRG)
The password is only masked, not hashed: the encoded value changes with the length of the password
The key is static and potentially stored on the server. The value of each encrypted symbol depends on the previous symbol
Code analysis shows that the mask value is predefined; the scheme is not much harder than a Caesar cipher.
When reported to SAP they said: just use SSL! Too late to patch it…
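To make the "mask, not hash" point concrete, here is an added toy scheme with exactly the properties the slides list (static key, output as long as the password, each output byte depending on the previous plaintext symbol). It is a hypothetical illustration written for this page, not SAP's real P4 algorithm and not the DSecRG tool; the key bytes, the `mask`/`unmask`/`recover_key` names and the sample password are all assumptions.

```python
# Hypothetical Caesar-style password mask illustrating the weaknesses described on
# the slides. NOT SAP's P4 algorithm; constructed for this page only.

# Assumption: a static key baked into the client code (16 arbitrary bytes here).
STATIC_KEY = bytes(range(0x10, 0x20))


def mask(password: bytes, key: bytes = STATIC_KEY) -> bytes:
    """'Encrypt' a password: add a static key byte and the previous plaintext
    byte to each character, modulo 256. Output length == password length."""
    out = bytearray()
    prev = 0
    for i, b in enumerate(password):
        out.append((b + key[i % len(key)] + prev) & 0xFF)
        prev = b
    return bytes(out)


def unmask(blob: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Invert mask(): anyone holding the static key recovers a sniffed password.
    Each byte depends on the previous plaintext byte, so decode left to right."""
    out = bytearray()
    prev = 0
    for i, c in enumerate(blob):
        b = (c - key[i % len(key)] - prev) & 0xFF
        out.append(b)
        prev = b
    return bytes(out)


def recover_key(known_password: bytes, observed_blob: bytes) -> bytes:
    """Known-plaintext attack: one captured logon whose password you know
    (e.g. your own account) yields the key bytes for those positions,
    after which other captured logons of that length decode without the key."""
    key = bytearray()
    prev = 0
    for p, c in zip(known_password, observed_blob):
        key.append((c - p - prev) & 0xFF)
        prev = p
    return bytes(key)


if __name__ == "__main__":
    pw = b"Secret123"          # constructed sample password
    blob = mask(pw)
    print("on the wire:", blob.hex(), "length", len(blob))  # grows with the password
    print("with key   :", unmask(blob))                     # static key -> plaintext
    print("key bytes  :", recover_key(pw, blob).hex())      # from one known logon
```

The recovered key only covers as many positions as the known password, which is why a single known logon is enough to decode every other capture of equal or shorter length; a real hash would have fixed-length output and no inverse.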
Information disclosure bugs
Through various direct URL calls it's possible to view version information, internal server details, and more.
By calling the BufferOverview JSP it's possible to port-scan internal and external systems through the SAP system.
/meSync/SatFileReceiver –> Username and Version disclosure (Mobile Engine 2.1)
Variety of XSS flaws… not interesting… so many patched, so many not patched yet!
SMBRelay on SAP
A Windows vulnerability, but how can you use it in the context of SAP!
- You can get shell with administrator rights
- Server OS updates on SAP are rare
- You can relay to another node of the cluster
- You can relay from DEV to TST (usually the same password)
Patches from Microsoft are only effective against reflection (relaying the credentials back to the same host). By relaying to another node you bypass this protection.
CSRF + SMBrelay = CSSR
CSRF can be used to bypass protections that are now in place on MMR from SAP
SAP incorporates 2 methods of protection.
Find a place that doesn't use session handling, like an API or a SOAP interface!
SPML is a good example. With the correct permissions you can add users, create/modify objects.
- Create HTML that performs an XMLHttpRequest to SPML
- Find an XSS in SAP
- Wait for admin to click it
Can’t be made public… but SAP documents tell you how to do it! –> SAP Identity Manager
Invoker Servlet auth bypass
Published by SAP in their security recommendations
Access is restricted through the WEB.XML auth-constraints
However, by using the invoker servlet you can call the servlet class directly:
/servlet/com.sap.admin.Critical.Action –> Doesn't match the /admin auth-constraint!
A pretty old vulnerability!
Auth-constraints to prevent unauthorised access are in place… but WEB.XML is too specific
Protections are declared for the GET method alone, so just use HEAD! No restrictions
Depends on the backend code: if HEAD is handled like GET, everything works. Any request where you don't need to see the response (e.g. create user) will work.
Application dependent –> Example: SAP 6.40 has about 40 vulnerable applications included!
Searching for EPIC hole round 1
Possible to overwrite any file in the OS with trash values
Searching for EPIC hole round 2
Same vulnerability, but using the SMBRelay attack
Searching for EPIC hole round 3
Unauthorised group assignment
Secret interface for managing J2EE
- No Documentation
- Available from the internet
- Most commands need username:password
By using this interface it’s possible to add any user to the system and then logon to the SAP Portal using the new credentials.
Then a second request adds the new user to the administrators group.
This vulnerability is now patched, but no exploit code is available yet (3-month waiting period for patching)
This isn’t a single vulnerability but a whole class that could have a wide-reaching effect.
DSecRG have released a WEB.XML checker to check for these possible vulnerabilities in SAP and custom applications
It checks for a variety of possible bugs, including the verb tampering and invoker servlet vulnerabilities
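As an added example of what such a checker does (written for this page, not the DSecRG tool and not SAP code), the script below parses the security-constraint elements of a WEB.XML and reproduces the two failure modes described above: a constraint that lists http-method GET only leaves HEAD (and every other verb) unguarded, and a constraint on /admin/* never matches a direct /servlet/ClassName call through the invoker servlet. The two descriptors, the `/servlet/` prefix as the invoker path (taken from the example URL on the slides) and the function names are assumptions; the weak descriptor is constructed, not from any real SAP application.

```python
# Added WEB.XML checker illustrating verb tampering and invoker-servlet exposure.
# Not the DSecRG tool; constructed descriptors, not real SAP applications.
import xml.etree.ElementTree as ET

ALL_METHODS = ("GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE")
INVOKER_PREFIX = "/servlet/"  # direct-call path of the invoker servlet (assumed from the slides)

# Constructed weak descriptor: admin area guarded for GET only, invoker path uncovered.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Hardened variant: no <http-method> (every verb covered) and /servlet/* locked down too.
HARDENED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
      <url-pattern>/servlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix


def _texts(elem, name):
    return [c.text.strip() for c in elem if _local(c.tag) == name and c.text]


def parse_constraints(web_xml):
    """Return [(url_patterns, http_methods, role_names)] per <security-constraint>.
    An empty http_methods tuple means the constraint covers every verb (servlet spec)."""
    out = []
    for sc in ET.fromstring(web_xml):
        if _local(sc.tag) != "security-constraint":
            continue
        patterns, methods, roles = [], [], []
        for child in sc:
            if _local(child.tag) == "web-resource-collection":
                patterns += _texts(child, "url-pattern")
                methods += [m.upper() for m in _texts(child, "http-method")]
            elif _local(child.tag) == "auth-constraint":
                roles += _texts(child, "role-name")
        out.append((tuple(patterns), tuple(methods), tuple(roles)))
    return out


def pattern_matches(pattern, path):
    """Servlet-spec style matching: exact, path prefix (/x/*), extension (*.ext), default (/)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def is_constrained(constraints, path, method):
    """True if some constraint applies to path+method, i.e. the container enforces auth.
    A constraint listing verbs covers only those verbs, so HEAD against a GET-only
    constraint falls through; a /servlet/Class path never matches /admin/* at all."""
    for patterns, methods, _roles in constraints:
        if any(pattern_matches(p, path) for p in patterns):
            if not methods or method.upper() in methods:
                return True
    return False


def audit(web_xml):
    """List findings: verb-limited constraints and an uncovered invoker servlet path."""
    constraints = parse_constraints(web_xml)
    findings = []
    for patterns, methods, _roles in constraints:
        if methods:
            unlisted = [m for m in ALL_METHODS if m not in methods]
            findings.append(f"verb tampering: {patterns} guarded only for {methods}, "
                            f"unguarded verbs: {unlisted}")
    if not is_constrained(constraints, INVOKER_PREFIX + "any.Class", "GET"):
        findings.append(f"invoker servlet: no constraint covers {INVOKER_PREFIX}*, "
                        "servlets are callable directly by class name")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_WEB_XML):
        print(finding)
    print("hardened:", audit(HARDENED_WEB_XML))
```

Run it against a real WEB-INF/web.xml by passing the file contents to `audit()`; a constraint that lists any http-method at all is a finding, because the servlet container only enforces the verbs that are listed. Disabling the invoker servlet on the engine is the complete fix for the second finding; the /servlet/* constraint above is the descriptor-level mitigation when that is not possible.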