Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: J2EE

DEEPSEC: Your crown jewels online: Further Attacks to SAP Web Applications

Your crown jewels online: Further Attacks to SAP Web Applications

Mariano Nunez Di Croce

Introduction to SAP

Largest provider of business management solutions in the world

  • 140,000 implementations
  • > 90,000 customers
  • 120 countries
SAP runs the most critical business process of many companies –> Hence the crown jewels of a company
This talk covers threats to the core and standard SAP applications and doesn’t attempt to cover issues in custom designed applications.

What SAP Security used to be

Traditionally SAP security has come down to segregation of duties. This however offers a false sense of security. SoD are necessary, but are not nearly enough to secure systems of this complexity.
For somebody to exploit segregation of duties the attacker needs access to your SAP system, and a valid account. There are however many issues lower in the stack that could result in non-users exploiting SAP systems.
In 2011 so far, there have been around 700 SAP Security Notes released

The different SAP Web Application Servers

Not uncommon to find multiple internet technologies in use. SAP systems are nowadays often found on the internet

SAP Internet Transaction Server (ITS)

Released in 1996. SAPs first approach to enable internet access to SAP systems

SAP Internet Communication Manager (ICM)

No more middleware == direct access from the internet

ICM Web Server requests are handled by the ICF

SAP Enterprise Portal

Latest technology from SAP

Provide a unique access point to the organizations SAP and non-SAP systems through the Web

Attackers Dream

External attackers are less likely to be caught, but lack the required access to systems.

By putting SAP systems on the internet you’re offering the best of both worlds.

Access to SAP infrastructure from a remote location


through server banners

Hard if it’s running through a reverse proxy

Otherwise various information visible to users through the server headers

through error messages

ITS is prone to very helpful error messages. If you request a resource that doesn’t exist it responds with a lot of useful information.
ICM also exposes the SAP SID information and system numbers
Enterprise Portal provides HTML comments with useful information

Attacks to the ICM

Dangerous ICF Services

There are over 1500 standard ICF services on a typical SAP ECC install
When requesting a service the SAP system will check if it’s public or private.
Private services require authentication (this is the case for most services)

The Info Service

Public ICF service
Provides an XML SOAP response with lots of useful info

An explosive combination

Most services need authentication.
After authentication the SAP system checks for authorization to run the service
  • As most services are not setup with an authorization value, these checks are not made
  • Standard SAP users are therefore a serious issue for SAP systems
  • Attacker can control the mandant remotely
  • The attacker has fair chances of accessing sensitive business functionality through the ICM server

SOAP RFC Service

The RFC protocol is used to call an ABAP function module
As RFC is blocked at the firewall this can’t be done directly.
The SOAP RFC Service offers the ability to perform this same call through an SOAP interface, bypassing the RFC block on the firewall
Multiple function calls can be made include logging off all active users, spamming messages to all users, through to shell on the remote server…
Shell access involved injection commands into an RFC request.

Attacks to secured enterprise portals

Authentication is handled by the Java engine
Many organisation have Web Access Management solutions in place (such as SSO) to improve security or make it easier for corporate users.
There are various vendors offering the ability to integrate their solutions
This integration uses the Header Variables Login module
What happens in an attacker can connect directly to the portal? Can he pretend to the be the authentication proxy?
  • Attacker removes the cookies from a request with no username/password
  • Adds a header called REMOTE_USER: Administrator (or any other desired user)
  • It just lets him in!
Found and noted in 2006 on the SAP forums… not fixed!


Enables post exploitation for SAP Portal (much like PHP, JSP, etc…)
In order to use it, he needs to gain admin access to the portal and deploy the shell in the same way you would with JMX, etc…

Further Attacks

  • Verb tampering attacks –> Work on SAP!
  • Invoker Servlet Detour attacks
  • Lots more unpatched things


  • Lots of SAP systems are online, even if owners think they’re not
  • Attackers chance of being caught are reduced a lot when the system is online
  • Many different kinds of web tech
  • Security of SAP getting better, slowly
  • Always use a reverse proxy in front of your SAP system if it HAS to be on the internet

Links :

  • Your crown jewels online: Further Attacks to SAP Web Applications –> Overview
  • Attacks to SAP Web Applications (Blackhat DC 2011 Slides) –> PDF
  • SAP REMOTE_USER info –> Link

{BruCON} Attacking SAP’s J2EE Engine

Attacking SAP’s J2EE Engine

Alexander Polyakov and Dmitriy Chastuhin

Nowadays SAP NetWeaver platform is the most widespread platform for developing enterprise business applications. It’s becoming popular security topic but still not covered well.

This talk will be focused on one of the black holes called SAP J2EE engine. Some of the critical SAP products like SAP Portal, SAP Mobile, SAP XI and many other applications lay on J2EE engine which is apart from ABAP engine is less discussed but also critical.

  • SAP J2EE Architecture
  • Simple Attacks
  • Searching for EPIC hole round 1
  • Searching for EPIC hole round 2
  • Searching for EPIC hole round 3 – Crushing blow
  • Defense
  • Tool Demo
74% of the Forbes 500 companies run SAP. More than 120,000 customers

ABAP Engine:

  • Used for automation of business processes like ERP, PLM, CRM, SRM

J2EE engine: 

  • Integration, collaboration, and management
    • SAP Portal
    • SAP PI
    • SAP XI
    • SAP Mobile Infrastructure
    • SAP Solutions Manager

Too much concentration in ABAP security, while J2EE engine issues give as much if not more access and business impact.

J2EE Architecture

Access to J2EE using HTTP or the P4 protocol

Remote Control of SAP Systems

  • Visual Admin (Client/Server tool) –> http://server:port/useradmin
  • NWA (Web-based console)
  • J2EE Telnet (limited)
  • Declarative authentication
    • WEB-XML Based
  • Programmatic authentication
    • Directly against the User Management Engine (UME)

The issues covered will be based on declarative authentication.

WEB.XML is located in the WEB-INF directory of the application root

Access methods are based on permitted methods and locations of the application logic

User accounts can be stored in a number of places including Databases, LDAP or ABAP

By default most SAP protocols are unencrypted (meaning username:passwords can be sniffed)

Hacking Netweaver J2EE

P4 Protocol:

  • Used by Visual Administrator tool (port 50104)
  • Communication unencrypted
  • Password encrypted on logon
  • Tool available for decryption (from DSecRG)
Password is only masking and not a hash… changes with the length of the password
The key is static and potentially stored on the server. Value of encrypted password depends on the previous symbol
Code analysis shows that the mask value is predefined and is not much harder than a Caesar cipher.
When reported to SAP… they said just use SSL! To late to patch it…

Information disclosure bugs

Throw various direct URL access calls it’s possible to view version information, internal server details, and more.
By calling the BufferOverview JSP it’s possible to port scan internally and external systems through the SAP system.
/meSync/SatFileReceiver –> Username and Version disclosure (Mobile Engine 2.1)

Cross-Site Scripting

Variety of XSS flaws… not interesting… so many patched, so many not patched yet!

SMBRelay on SAP

A Windows vulnerability, but how can you use it in the context of SAP!


  • You can get shell with administrator rights
  • Server OS updates on SAP are rare
  • You can relay to another node of the cluster
  • You can relay from DEV to TST (usually the same password)
Patches from Microsoft are only affective for reflective attacks. By using another node you can bypass this protection.

CSRF + SMBrelay = CSSR

CSRF can be used to bypass protections that are now in place on MMR from SAP

CSRF Protection

SAP incorporates 2 methods of protection.

Find a place that doesn’t use session handling like an API or SOAP interface!

SPML is a good example. With the correct permissions you can add users, create/modify objects.

Attacking SPML

  • Create HTML that will perform an xmlhttprequest to SPML
  • Find an XSS in SAP
  • Wait for admin to click it
Can’t be made public… but SAP documents tell you how to do it! –> SAP Identity Manager

Invoker Servlet auth bypass

Published by SAP in their security recommendations

Restricted through the WEB.XML auth-constraints

However by using the invoker you can use a direct call

/servlet/com.sap.admin.Critical.Action –> Doesn’t match the /admin auth-constraint!

Verb Tampering

A pretty old vulnerability!

Security controls to prevent verb tampering are in place… but WEB.XML is too specific

Protections are implemented on the GET method alone, so just use HEAD! No restrictions

Depends on the backend code… if HEAD is accepted as a GET then everything will work fine. Any request where you don’t need to see the response (i.e. create user) will work.

Application dependent –> Example: SAP 6.40 has about 40 vulnerable applications included!

Searching for EPIC hole round 1

Possible to overwrite any file in the OS with trash values


Searching for EPIC hole round 2

Same vulnerability, but using the SMBRelay attack

Searching for EPIC hole round 3

Unauthorised group assignment

Secret interface for managing J2EE

  • No Documentation
  • Available from the internet
  • Most commands need username:password
By using this interface it’s possible to add any user to the system and then logon to the SAP Portal using the new credentials.
Second a second request adding this new user to the administrators group.
This vulnerability is now patched, but no exploit-code is available currently (3 month waiting period for patching)
This isn’t a single vulnerability but a whole class that could have a wide-reaching effect.
DSecRG have released WEB.XML checker to check for these possible vulnerabilities in SAP and custom applications
Checks for a variety of possible bugs including the verb tampering and invoker vulnerabilities

Links :