Top 10 most interesting SAP vulnerabilities and attacks
Alexander Polyakov, CTO at ERPScan
July 6, 2012, Just4meeting
Me
Business application security expert
![Page 3: Top 10 most interesting SAP vulnerabilities and …...Top 10 vulnerabilities 2011-2012 1. Authentication Bypass via Verb tampering 2. Authentication Bypass via the Invoker servlet](https://reader033.vdocuments.net/reader033/viewer/2022050206/5f59b133074e846eb33c0758/html5/thumbnails/3.jpg)
What is SAP?
Shut up And Pay
Really
• The most popular business application
• More than 120,000 customers
• 74% of Forbes 500
Agenda
• Intro
• SAP security history
• SAP on the Internet
• Most popular SAP issues (OLD)
• Top 10 latest interesting attacks (NEW)
• DEMOs
• Conclusion
3 areas of SAP Security
• Business logic security (SOD): prevents attacks or mistakes made by insiders. Solution: GRC
• ABAP code security: prevents attacks or mistakes made by developers. Solution: code audit
• Application platform security: prevents unauthorized access both within the corporate network and from remote attackers. Solution?
Talks about SAP security
(Chart: number of talks on SAP security per year, 2006-2012; y-axis 0-35.)
Most popular venues: BlackHat, HITB, Troopers, RSA, Source, DeepSec, etc.
SAP Security notes
(Chart: number of SAP Security Notes per year, 2001-2012; y-axis 0-900.)
By June 2012, more than 2300 notes
SAP vulnerabilities by type
(Chart: number of notes per vulnerability type; x-axis 0-350.)
12 -SQL Inj
11 - BOF
10 - Denial of service
9 - Remote Code Execution
8 - Verb tampering
7 - Code injection vulnerability
6 - Hard-coded credentials
5 - Unauthorized usage of application functionality
4 - Information Disclosure
3 - Missing Auth check
2 - XSS/Unauthorised modification of stored content
1 - Directory Traversal
Stats from: 1Q 2012, 1Q 2010, 4Q 2009
Top problems by OWASP-EAS
• EASAI-1 Lack of patch management
• EASAI-2 Default passwords for application access
• EASAI-3 SOD conflicts
• EASAI-4 Unnecessary enabled application features
• EASAI-5 Open remote management interfaces
• EASAI-6 Lack of password lockout/complexity checks
• EASAI-7 Insecure options
• EASAI-8 Unencrypted communications
• EASAI-9 Insecure trust relations
• EASAI-10 Guest access
Top problems by BIZEC
• BIZEC TEC-01: Vulnerable Software in Use
• BIZEC TEC-02: Standard Users with Default Passwords
• BIZEC TEC-03: Unsecured SAP Gateway
• BIZEC TEC-04: Unsecured SAP/Oracle authentication
• BIZEC TEC-05: Insecure RFC interfaces
• BIZEC TEC-06: Insufficient Security Audit Logging
• BIZEC TEC-07: Unsecured SAP Message Server
• BIZEC TEC-08: Dangerous SAP Web Applications
• BIZEC TEC-09: Unprotected Access to Administration Services
• BIZEC TEC-10: Insecure Network Environment
• BIZEC TEC-11: Unencrypted Communications
Business Risks
Espionage
• Stealing financial information
• Stealing corporate secrets
• Stealing supplier and customer lists
• Stealing HR data
Sabotage
• Denial of service
• Modification of financial reports
• Access to the technology network (SCADA) via trust relations
Fraud
• False transactions
• Modification of master data
• etc.
SAP on the Internet
• We have collected data about SAP systems exposed on the web
• Various stats by country, application and version
• Information from Google, Shodan and Nmap scans
• Published in "SAP Security in figures: a global survey 2007-2011"
• Results are updated at sapscan.com
MYTH: attacks on SAP systems are available only to insiders
SAP on the Internet (web services)
19 SAP web services can be found on the Internet (in Portugal)
SAP on the Internet (other services)
> 5000 non-web SAP services exposed worldwide
194 in Portugal
Including Dispatcher, Message Server, SAPHostControl, etc.
SAP on the Internet (other services)
(Chart: % of companies that expose each service, Portugal vs. world, y-axis 0-30: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd.)
Top 10 vulnerabilities 2011-2012
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DoS
10. GUI Scripting DoS
10 – GUI-Scripting DoS: Description
• SAP users can run scripts which automate their user functions
• A script has the same rights in SAP as the user who launched it
• The security message shown to the user can be turned off in the registry
• Almost any user can send SAP system messages (transaction SM02)
• It is possible to run a DoS attack on any user using a simple script
New
Author: Dmitry Chastukhin (ERPScan)
10 – GUI-scripting: Other attacks
Script can be uploaded using:
– SAPGUI ActiveX vulnerability
– Teensy USB flash
– Any other method of client exploitation
Other attacks, like changing bank accounts in LFBK, are also possible
10 – GUI-scripting: Business risks
Sabotage – High
Ease of exploitation – Medium
Espionage – No
Fraud – No
10 – GUI-scripting: Prevention
• SAP GUI Scripting Security Guide
• sapgui/user_scripting = FALSE
• Block registry modification on workstations
9 – XML Blowup DoS: Description
• The WEBRFC interface can be used to run RFC functions
• By default any user can have access
• Can execute at least RFC_PING
• SAP NetWeaver is vulnerable to malformed XML packets
• It is possible to run a DoS attack on the server using a simple script
• It is possible to run it over the Internet!
New
Author: Alexey Tyurin (ERPScan)
9 – XML Blowup DoS: Business risks
Ease of exploitation – Medium
Espionage – No
Fraud – No
Sabotage – Critical
9 – XML Blowup DoS: Prevention
• Disable WEBRFC
• Prevent unauthorized access to WEBRFC using S_ICF
• Install SAP notes 1543318 and 1469549
8 – BAPI script injection/hash stealing: Description
• The SAP BAPI transaction fails to properly sanitize input
• Possible to inject JavaScript code or a link to a fake SMB server
• SAP GUI clients run on Windows, so their Windows credential hashes will be sent to the attacker's host
Author: Dmitry Chastukhin (ERPScan)
8 – BAPI script injection/hash stealing: Demo
New
8 – BAPI script injection/hash stealing: Business risks
Ease of exploitation – Low
Sabotage – High
Espionage – High
Fraud – High
7 – SAP GUI bad encryption: Description
• SAP FrontEnd can save encrypted passwords in shortcuts
• Shortcuts are stored in .sap files
• The password is "encrypted" with a byte-XOR algorithm and a "secret" key
• The key has the same value for every installation of SAP GUI
• Any password can be decrypted in less than a second
Author: Alexey Sintsov (ERPScan)
New
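What "byte-XOR with a key shared by every installation" buys an attacker, as an added example written for this page and not taken from the deck: the real key is not on the slides, so TOY_KEY below is a made-up stand-in, and the .sap password blobs are constructed. With a fixed key, one password the attacker chose themselves gives a known-plaintext pair that recovers the key, after which every other stored shortcut password on every other machine falls.

```python
"""Why a fixed XOR key is no protection (added example, not from the deck).

The deck says SAP GUI shortcut (.sap) passwords are byte-XORed with a key that is
the same on every installation. The key itself is not on the page; TOY_KEY is a
hypothetical stand-in so the attack can be shown end to end.
"""

TOY_KEY = bytes.fromhex("5a3c9e17d4b28f01")  # hypothetical key, NOT the real one


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: XOR a password you chose yourself with the blob
    the client stored for it. Because every installation shares the key, the
    result is the key for everyone's shortcuts. Raises if key_len does not fit."""
    if len(known_plaintext) < key_len or len(ciphertext) < len(known_plaintext):
        raise ValueError("need at least key_len bytes of known plaintext")
    stream = xor_bytes(known_plaintext, ciphertext[:len(known_plaintext)])
    key = stream[:key_len]
    # The keystream must repeat with period key_len over all known material;
    # a mismatch means the guessed key length is wrong.
    if xor_bytes(known_plaintext, key) != ciphertext[:len(known_plaintext)]:
        raise ValueError("keystream does not repeat with period %d" % key_len)
    return key


def decrypt_victim_shortcut(own_password: bytes, own_blob: bytes,
                            victim_blob: bytes, key_len: int = len(TOY_KEY)) -> bytes:
    """Attacker flow: derive the key from their own shortcut, decrypt someone else's."""
    key = recover_key(own_password, own_blob, key_len)
    return xor_bytes(victim_blob, key)


def demo() -> bytes:
    # Constructed scenario: the attacker saves a shortcut with a password they know
    # (at least one key length long), then obtains a victim's .sap blob from a
    # file share or a lost laptop. Neither blob comes from a real SAP GUI.
    own_blob = xor_bytes(b"attackerpw123", TOY_KEY)
    victim_blob = xor_bytes(b"Wint3r2012!", TOY_KEY)
    return decrypt_victim_shortcut(b"attackerpw123", own_blob, victim_blob)
```

The period check in recover_key is what turns a guess at the key length into a confirmed key: with a wrong length the derived key fails to reproduce the known ciphertext past the first block.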
7 – SAP GUI bad encryption: Demo
7 – SAP GUI bad encryption: Business risks
Sabotage – Medium
Fraud – High
Espionage – High
Ease of exploitation – Medium
7 – SAP GUI bad encryption: Prevention
Disable password storage in the GUI
6 – Remote port scan/SSRF: Description
• It is possible to scan the internal network from the Internet
• Authentication is not required
• SAP NetWeaver J2EE engine is vulnerable
• The server and port parameters are attacker-controlled, and the response differs depending on what answers:
  /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&password=&dispatcher=&targetClient=&view=
Author: Alexander Polyakov (ERPScan)
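From the defender's side the same request is easy to spot: the server parameter names an internal host, and a scan hits many ports on it from one client. The following detection is an added example written for this page, not from the deck or from ERPScan; it runs over constructed access-log lines in Apache combined format (the real J2EE HTTP access log layout is an assumption, adjust LOG_RX to yours) and the list of proxying endpoints is seeded only with the JSP named above.

```python
"""Detect SSRF-based internal port scans in web access logs (added example)."""
import re
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Constructed sample log in combined format; not from the deck or any real system.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jul/2012:10:00:01 +0000] "GET /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=31337&password=&dispatcher=&targetClient=&view= HTTP/1.1" 200 512
203.0.113.7 - - [06/Jul/2012:10:00:02 +0000] "GET /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=3200 HTTP/1.1" 200 498
203.0.113.7 - - [06/Jul/2012:10:00:03 +0000] "GET /ipcpricing/ui/BufferOverview.jsp?server=172.16.0.13&port=8000 HTTP/1.1" 200 530
198.51.100.9 - - [06/Jul/2012:10:01:00 +0000] "GET /irj/portal HTTP/1.1" 200 2048
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status.
LOG_RX = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Endpoints that open a connection to a caller-supplied host. Only the one from
# the deck is listed; add the others you disable per the prevention slide.
SSRF_PATHS = {"/ipcpricing/ui/BufferOverview.jsp"}


def _is_internal(host: str) -> bool:
    """True for RFC 1918, loopback and link-local targets; hostnames are not
    resolved here, so they return False (treat as 'unknown' in a real pipeline)."""
    try:
        ip = ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def detect_ssrf_scans(log_text: str, port_threshold: int = 3):
    """Return (events, scans).

    events: one dict per request to an SSRF-capable endpoint that carries a
            server= parameter, with the target and whether it is internal.
    scans:  (client, target) pairs that probed at least port_threshold distinct
            ports, i.e. the port-scan pattern from the demo slide.
    """
    events = []
    ports_seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RX.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path not in SSRF_PATHS:
            continue
        q = parse_qs(url.query, keep_blank_values=True)
        host = q.get("server", [""])[0]
        port = q.get("port", [""])[0]
        if not host:
            continue
        events.append({"src": m["src"], "ts": m["ts"], "target": host,
                       "port": port, "internal": _is_internal(host)})
        ports_seen[(m["src"], host)].add(port)
    scans = [k for k, ports in ports_seen.items() if len(ports) >= port_threshold]
    return events, scans
```

Any single event with internal=True already deserves a look, since a legitimate user has no reason to point a pricing UI at 172.16.x.x; the scans list is the stronger signal that someone is mapping the network through the engine.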
6 – Remote port scan/SSRF: Demo
The response differs for each case: host is not alive, port closed, HTTP port, SAP port
6 – Remote port scan/SSRF: Business risks
Espionage – Medium
Fraud – No
Ease of exploitation – High
Sabotage – Low
6 – Remote port scan/SSRF: Prevention
• Disable unnecessary applications
• Install SAP notes: 1548548, 1545883, 1503856, 948851
5 – MMC JSESSIONID stealing: Description
An attacker can authenticate remotely as an existing user
• SAP MMC: remote management of the SAP platform
• By default, many commands work without authentication
• Exploits implemented in Metasploit (by Chris John Riley)
• Most of the bugs are information disclosure
• It is possible to find JSESSIONID values in the traces
• Only if trace is ON
1) Original bug by Chris John Riley 2) JSESSIONID by Alexey Sintsov and Alexey Tyurin (ERPScan)
New
5 – MMC JSESSIONID stealing: Business risks
Espionage – Critical
Sabotage – Medium
Fraud – High
Ease of exploitation – Medium
5 – MMC JSESSIONID stealing: Prevention
Don't use TRACE_LEVEL = 3 on production systems, or delete the traces
http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
4 – RCE in TH_GREP: Description
• RCE vulnerability in the RFC function module TH_GREP
• Found by Joris van de Vis
• SAP's fix (note 1433101) was incomplete
• We have discovered that the patch can be bypassed on Windows
Original bug by Joris van de Vis (erp-sec)
Bypass by Alexey Tyurin (ERPScan)
4 – RCE in TH_GREP: Details
The patched code escapes single quotes in the non-Windows branch only; the Windows branch wraps the user-supplied string in double quotes without escaping it:

  elseif opsys = 'Windows NT'.
    concatenate '/c:"' string '"' filename into grep_params in character mode.
  else. " if linux
    replace all occurrences of '''' in local_string with '''"''"'''.
    concatenate '''' local_string '''' filename into grep_params in character mode.
  endif.
4 – RCE in TH_GREP: Demo #1
4 – RCE in TH_GREP: More details
4 ways to execute the vulnerable program:
• Using transaction SE37
• Using transaction SM51 (thanks to Felix Granados)
• Using a remote RFC call to TH_GREP
• Using a SOAP RFC call to TH_GREP via the web
4 – RCE in TH_GREP: Demo #2
4 – RCE in TH_GREP: Business risks
Sabotage – Medium
Fraud – High
Espionage – High
Ease of exploitation – Medium
4 – RCE in TH_GREP: Prevention
• Install SAP notes 1580017, 1433101
• Prevent access to critical transactions and RFC functions
• Check the ABAP code of your Z-transactions for similar vulnerabilities
3 – ABAP Kernel BOF: Description
• Presented by Andreas Wiegenstein at BlackHat EU 2011
• Buffer overflow in the SAP kernel function C_SAPGPARAM
• Triggered when the NAME field is longer than 108 characters
• Can be exploited by calling a function module which uses C_SAPGPARAM
• Example report: RSPO_R_SAPGPARAM
Author: Andreas Wiegenstein (VirtualForge)
3 – ABAP Kernel BOF: Business risks
Espionage – Critical
Ease of exploitation – Medium
Fraud – Critical
Sabotage – Critical
3 – ABAP Kernel BOF: Prevention
• Install SAP notes:
  – 1493516 – Correcting buffer overflow in ABAP system call
  – 1487330 – Potential remote code execution in SAP Kernel
• Prevent access to critical transactions and RFC functions
• Check the ABAP code of your Z-transactions for critical calls
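The "check your Z-code" advice on this slide and on the TH_GREP prevention slide asks for the same thing: find custom ABAP that hands data to the OS or to the fragile kernel call. Below is an added example of such a review scanner, written for this page and not taken from the deck, SAP or ERPScan. It strips ABAP comments (full-line `*` and inline `"`), splits statements on their closing period, and matches real ABAP constructs: CALL 'SYSTEM', OPEN DATASET ... FILTER, SXPG_COMMAND_EXECUTE, TH_GREP and C_SAPGPARAM. The Z report it scans is constructed; which calls count as dangerous in your landscape is a judgement call, so the list is meant to be extended.

```python
"""Reviewer's scanner for dangerous kernel/OS calls in custom ABAP (added example)."""
import re

# Constructed sample, not from the deck or SAP: a Z report mixing benign
# statements, comments that mention dangerous calls, and three real risky calls.
SAMPLE_ABAP = """REPORT zgrep_files.
* Full-line comment: CALL 'SYSTEM' here must NOT be reported
PARAMETERS: p_str TYPE string, p_file TYPE string.
DATA: grep_params TYPE string, lv_val TYPE string.
CONCATENATE '/c:"' p_str '"' p_file INTO grep_params IN CHARACTER MODE.
CALL FUNCTION 'TH_GREP'
  EXPORTING
    string   = p_str
    filename = p_file.
OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT
  FILTER 'gzip -dc'.   " inline comment: CALL 'SYSTEM' must NOT be reported either
CALL 'C_SAPGPARAM' ID 'NAME' FIELD p_str ID 'VALUE' FIELD lv_val.
WRITE: / 'done'.
"""

# Real ABAP constructs that pass data to the OS shell or to the kernel routine
# with the 108-byte NAME overflow. TH_GREP and C_SAPGPARAM are the two the deck
# discusses; the others are the usual suspects in an OS-command-injection review.
DANGEROUS = [
    ("os-command", re.compile(r"\bCALL\s+'SYSTEM'", re.I)),
    ("os-command", re.compile(r"\bOPEN\s+DATASET\b.*\bFILTER\b", re.I)),
    ("os-command", re.compile(r"\bCALL\s+FUNCTION\s+'SXPG_COMMAND_EXECUTE'", re.I)),
    ("os-command", re.compile(r"\bCALL\s+FUNCTION\s+'TH_GREP'", re.I)),
    ("kernel-bof", re.compile(r"\bCALL\s+'C_SAPGPARAM'", re.I)),
]


def abap_statements(source: str):
    """Yield (start_line, statement_text) with comments removed.

    ABAP rules applied: a '*' in column 1 comments out the whole line, a '"'
    outside a literal comments out the rest of the line, literals use ' or `,
    and a period outside a literal ends the statement.
    """
    out, buf, start = [], [], None
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.startswith("*"):
            continue
        quote = None
        i = 0
        while i < len(line):
            ch = line[i]
            if quote:
                if ch == quote:
                    quote = None
            elif ch in ("'", "`"):
                quote = ch
            elif ch == '"':
                break  # inline comment: drop the rest of the line
            elif ch == ".":
                out.append((start or lineno, " ".join("".join(buf).split())))
                buf, start = [], None
                i += 1
                continue
            if start is None and not ch.isspace():
                start = lineno
            buf.append(ch)
            i += 1
        buf.append(" ")  # line break separates tokens of a multi-line statement
    return out


def scan_abap(source: str):
    """Return (line, label, statement) for every statement matching DANGEROUS."""
    findings = []
    for lineno, stmt in abap_statements(source):
        for label, rx in DANGEROUS:
            if rx.search(stmt):
                findings.append((lineno, label, stmt))
                break
    return findings
```

Run it over the source of every Z*/Y* object (exported via transport or read from REPOSRC); a kernel-bof hit means checking how long NAME can get, an os-command hit means checking where the argument comes from and whether it is quoted for the shell the host actually runs, which is exactly what the TH_GREP fix got wrong.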
2 – Invoker Servlet: Description
Can be used for auth bypass
• A quick way to call servlets by their class name
• Documented by SAP in their security guides
• Possible to call any servlet from the application
• Even if it is not declared in WEB.XML
2 – Invoker Servlet: Details
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
What if we call /servlet/com.sap.admin.Critical.Action? The constraint covers /admin/*, not the invoker path, so the servlet runs without authentication.
Author: Dmitry Chastukhin (ERPScan)
2 – Invoker servlet: Business risks
Ease of use – Very easy!
Espionage – High
Sabotage – High
Fraud – High
2 – Invoker servlet: Prevention
• Install SAP notes 1467771, 1445998
• "EnableInvokerServletGlobally" must be "false"
• Check all WEB.XML files with the ERPScan WEB.XML checker
1st Place – Verb Tampering
<security-constraint>
<web-resource-collection>
<web-resource-name>Restrictedaccess</web-resource-name>
<url-pattern>/admin/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
What if we use HEAD instead of GET ?
Author: Alexander Polyakov (ERPScan)
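Both web.xml patterns in this deck (the GET-only constraint that a HEAD request walks past, and the servlet that the invoker servlet exposes under /servlet/<class>) can be found mechanically. The script below is an added example in the spirit of the "WEB.XML checker" the slides mention; it was written for this page and is not ERPScan's tool or code from the deck. It assumes Servlet-spec matching for url-pattern (exact match or a /* prefix), builds its sample descriptor from the fragments shown above, and takes the engine-level invoker-servlet state as a flag, because EnableInvokerServletGlobally is not something web.xml can tell you.

```python
"""web.xml checker for the two J2EE auth-bypass patterns in the deck (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the deck's CriticalAction servlet behind a GET-only constraint.
WEAK_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Hardened form: no <http-method> at all, so the constraint applies to every verb.
FIXED_WEB_XML = WEAK_WEB_XML.replace("      <http-method>GET</http-method>\n", "")

COMMON_VERBS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}


def _local(tag: str) -> str:
    """Drop any XML namespace so descriptors with or without xmlns compare alike."""
    return tag.rsplit("}", 1)[-1]


def _matches(pattern: str, path: str) -> bool:
    """Servlet-spec style matching: exact path, or prefix pattern ending in /*."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def check_web_xml(xml_text: str, invoker_enabled: bool = True):
    """Return (kind, path, detail) findings.

    "verb-tampering": a constraint lists <http-method>, so verbs it does not list
        skip authentication; HEAD matters most because HttpServlet routes HEAD to
        doGet by default, so the same code runs without the role check.
    "invoker-servlet": a servlet whose mapping is protected is also reachable as
        /servlet/<class>, which no constraint covers; reported only when the
        engine's invoker servlet is enabled (EnableInvokerServletGlobally).
    """
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = _local(el.tag)

    findings = []
    protected_patterns = []
    for sc in root.findall("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # no role requirement here, nothing to bypass
        for wrc in sc.findall("web-resource-collection"):
            patterns = [(p.text or "").strip() for p in wrc.findall("url-pattern")]
            methods = {(m.text or "").strip().upper() for m in wrc.findall("http-method")}
            protected_patterns.extend(patterns)
            if methods:
                unprotected = sorted(COMMON_VERBS - methods)
                for pat in patterns:
                    findings.append(("verb-tampering", pat, "only %s checked; unprotected: %s"
                                     % (", ".join(sorted(methods)), ", ".join(unprotected))))

    if invoker_enabled:
        classes = {}
        for s in root.findall("servlet"):
            name = (s.findtext("servlet-name") or "").strip()
            cls = (s.findtext("servlet-class") or "").strip()
            if name and cls:
                classes[name] = cls
        for sm in root.findall("servlet-mapping"):
            cls = classes.get((sm.findtext("servlet-name") or "").strip())
            if not cls:
                continue
            bypass = "/servlet/" + cls
            for up in sm.findall("url-pattern"):
                path = (up.text or "").strip()
                is_protected = any(_matches(p, path) for p in protected_patterns)
                if is_protected and not any(_matches(p, bypass) for p in protected_patterns):
                    findings.append(("invoker-servlet", path, "reachable without auth as " + bypass))
    return findings
```

The fix for the first finding is to drop the http-method elements entirely (FIXED_WEB_XML), not to enumerate more verbs; the fix for the second is the engine setting from the prevention slide, which is why the checker still reports it on the hardened descriptor until you tell it the invoker servlet is off.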
1st Place – Verb tampering: Details
• CTC – interface for managing the J2EE engine
• Can be accessed remotely
• Can run user management actions:
  – Add users
  – Add to groups
  – Run OS commands
  – Start/stop J2EE
Remotely, without authentication!
1 – Verb tampering: Demo
1 – Verb tampering: More details
If patched, can be bypassed by the Invoker servlet!
1 – Verb tampering: Business risks
Espionage – Critical
Sabotage – Critical
Fraud – Critical
Ease of use – Very easy!
1st Place – Verb tampering: Prevention
• Install SAP notes 1503579, 1616259
• Install other SAP notes about Verb Tampering
• Scan applications with the ERPScan WEB.XML checker
• Disable the applications that are not necessary
Conclusion
It is possible to be protected from almost all these kinds of issues, and we are working hard with SAP to make it secure
• SAP Guides
It's all in your hands:
• Regular security assessments
• ABAP code review
• Monitoring of technical security
• Segregation of Duties
Future work
Many of the researched things cannot be disclosed now because of our good relationship with the SAP Security Response Team, whom I would like to thank for their cooperation. However, if you want to see new demos and 0-days, follow us at @erpscan and attend the upcoming presentations:
"SSRF vs Business-critical applications"
• BlackHat USA, 26 July (Las Vegas, USA)
• RSA China, 28 August (China)
Greetz to our crew who helped: Dmitriy Evdokimov, Alexey Sintsov, Alexey Tyurin,
Pavel Kuzmin, Evgeniy Neelov.