There has been a lot of attention in the news recently about vulnerabilities in SAProuter and how they could be leveraged. The news spun out of a report that a piece of malware was actively learning about the SAP systems known to any PC it infected. We wrote about this malware and its possible implications in a recent blog post, but the summary is that the professional bad guy community seems to be starting to take an interest in SAP.
So what is the SAProuter? It is a lot like the name suggests: an application produced by SAP which facilitates, logs (if enabled) and filters communications and network connections between different SAP systems, or between a SAP system and other networks or resources. However, it is not a gateway/firewall technology; it only filters communications if the clients are configured to send their traffic through the router rather than directly to the end point.
Because of this it should be used in conjunction with a firewall. Otherwise, a user whom the SAProuter is configured to deny access to a specific backend SAP system could simply reconfigure their SAP client to connect directly to that sensitive system and start interacting with it, bypassing all the ACLs and controls in the SAProuter. A firewall is required to block those direct connections and only allow users to reach SAP systems via the SAProuter, so that the SAProuter’s rules are enforced (and connections are logged).
We all know it, and it is nothing new: the level of security in an organization is equivalent to the weakest link of the chain.
In this blog post we are going to study how an attacker can compromise an SAP system by taking advantage of a simple database vulnerability.
To give more context about this vulnerability, we first need to define what “Oracle Fail Safe Backup” is and what its relationship with SAP is.
According to Oracle’s site:
Oracle Fail Safe is high availability software, integrated with Microsoft Failover Cluster, that provides a fast, easy, and accurate way to configure and verify Windows clusters and to automatically fail over Oracle databases and applications.
In the event of a system failure, Oracle Fail Safe works with Microsoft Failover Cluster to restart Oracle databases and applications on a surviving cluster node.
In the last posts we have already presented a variety of approaches to SAP security assessment. Today we will address a more complex path an attacker might follow. In order to understand what is going on, we must first dive deeper into some SAP concepts and components.
The SAP Gateway is a component present in every SAP Instance. As we discussed in a previous post, it is responsible for managing RFC connections between the SAP Instance where it is running and other instances or external servers (such as government regulation agencies, payment processors, SWIFT connectors, etc.). All RFC calls go through the SAP Gateway.
In order to receive connections and potentially communicate with an SAP Instance, an external server must register itself with the SAP Gateway (becoming what we will call an external registered server). Once registered, communication between the SAP instance and the external server will flow smoothly over the SAP RFC protocol.
The SAP Management Console (SAP MC) is the centralized system management component. It allows you to monitor and control each SAP instance, and to display log and trace files, profiles and other parameters. You can also monitor system alerts and detailed information about memory usage and processes in the system (e.g. Java VM® garbage collection and heap memory).
In this post we will be running bizploit modules; if you are not familiar with the bizploit framework, consider reading this introductory post.
MC Assessment #1: Getting Password Policies
As seen in the figure below, it is possible to run the mcParameterValue exploit in order to retrieve all profile parameters. Keep in mind that, to figure out the vulnerability id, you should list all the exploits under the exploit option and check the Exploitable Vulnerabilities column for the mcParameterValue row. We’ll use this module in order to discover the SAP password policies being used.
Getting all profile parameters with Bizploit.
In order to look for the Password Policy parameters among the 1600 profile parameters we need to find those starting with login/. We open the file saved by Bizploit and the parameters can be found there. Below we list some of the retrieved Password Policy parameters:
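The filtering step above, done programmatically: an added example (not the post's own code and not Bizploit's) that picks the login/* parameters out of a profile-parameter dump and flags weak values. The `name = value` dump format, the sample values and the policy thresholds are assumptions made for illustration.

```python
"""Extract login/* password-policy parameters from a profile dump and flag weak values."""
# Constructed sample of a profile-parameter dump ('name = value' per line is an
# assumed format, not Bizploit's actual output).
SAMPLE_DUMP = """\
rdisp/wp_no_dia = 10
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_user_lock = 12
login/min_password_digits = 0
login/no_automatic_user_sapstar = 1
gw/acl_mode = 0
"""

# Assumed policy thresholds for illustration (not SAP defaults):
# "min" = value must be >= threshold, "max" = value must be <= threshold,
# "max_nonzero" = like "max" but 0 (never expires) is also weak.
POLICY = {
    "login/min_password_lng": (8, "min"),
    "login/password_expiration_time": (90, "max_nonzero"),
    "login/fails_to_user_lock": (5, "max"),
    "login/min_password_digits": (1, "min"),
    "login/no_automatic_user_sapstar": (1, "min"),
}

def parse_login_parameters(dump):
    """Return {name: value} for every parameter whose name starts with 'login/'."""
    params = {}
    for line in dump.splitlines():
        name, sep, value = (part.strip() for part in line.partition("="))
        if sep and name.startswith("login/"):
            params[name] = value
    return params

def weak_password_policy(dump):
    """Return sorted (parameter, value, reason) tuples for weak or unset settings."""
    params = parse_login_parameters(dump)
    findings = []
    for name, (threshold, mode) in POLICY.items():
        if name not in params:
            findings.append((name, None, "not set; SAP default applies"))
            continue
        value = int(params[name])
        if mode == "min" and value < threshold:
            findings.append((name, value, f"below minimum {threshold}"))
        elif mode == "max" and value > threshold:
            findings.append((name, value, f"above maximum {threshold}"))
        elif mode == "max_nonzero" and (value == 0 or value > threshold):
            findings.append((name, value, f"0 (never expires) or above {threshold}"))
    return sorted(findings)
```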
In the previous post we discovered the SAP Services listening on each one of the open ports. Now we can execute Bizploit plug-ins to assess the security of these SAP services.
Let’s have a look at the Discovery and Vulnassess plug-ins available in Bizploit.
Discovery and Vulnassess Plug-ins
Bizploit displays several columns for each plug-in: Plug-in name, Status (enabled or not), Conf (reading ’yes’ if the plug-in is configurable) and Description.
We could enable all Bizploit modules to perform a full vulnerability assessment, but for the purpose of this post we will only enable those plug-ins which will be useful to illustrate the attacks described in upcoming posts.
This blog post will be the first of a series where we will focus on bizploit. We have already used it in previous posts while assessing the security of the SAPRouter.
Onapsis Bizploit is well known as the first open source ERP Penetration Testing framework, based on the Sapyto project. It allows us to discover, explore and perform the vulnerability and exploitation phases of specialized ERP Penetration Tests. Currently, Bizploit is shipped with many plug-ins to assess the security of ERP Platforms.
In our previous post, we were able to understand the topology and configuration in place, useful whenever you want to analyze how secure a SAProuter implementation is. In this article, we’ll check if our SAProuter is secure or whether it would be possible for an attacker to retrieve information and connect to our internal network.
Using SAPRouter Agents
We have already retrieved useful information from the SAProuter, which is potentially connected to an untrusted network. But that’s not all of it. If the SAProuter is misconfigured, then it would be possible for a remote attacker to access the internal network and connect to arbitrary systems and services, even beyond standard SAP protocols.
The SAProuter has a special feature that enables it to route arbitrary protocols, which is called “native routing”. Refer to our SAProuter SAP Security In-Depth publication, specifically section 3.3, for further information on this topic.
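Since both the filtering role described in the introduction and the native-routing risk above come down to the route permission table, here is an added example (not code from the posts or from Onapsis) that audits a saprouttab for the weak rules a defender would look for. It assumes the standard saprouttab conventions: `P` permits the route for any protocol (so native routing is possible), `S` permits only the SAP protocol, `D` denies, `*` is a wildcard and the first matching line wins; the sample table is constructed.

```python
"""Audit a saprouttab route-permission table for overly permissive rules."""
import re

# Assumed saprouttab conventions: "<action> <source> <dest> <service> [<pw>]",
# P = permit (SAP and native protocols), S = permit SAP protocol only,
# D = deny, KP/KS/KD = the SNC-protected variants, '*' = wildcard,
# first matching line wins.
RULE_RE = re.compile(r"^\s*(K?[PSD])\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\S+)?\s*$")

# Constructed sample table: the two P lines are the kind of weak rule the
# post warns about; the S/D pair is a tighter equivalent.
SAMPLE_SAPROUTTAB = """\
# weak: any source, any destination, any service, any protocol
P * * *
# weak: native routing (e.g. telnet on 23) into any internal host
P 10.*.*.* * 23
# tighter: one subnet to one SAP dispatcher port, SAP protocol only
S 10.1.*.* sapprd01 3200
D * * *
"""

def parse_saprouttab(text):
    """Return (lineno, action, source, dest, service) tuples; skip comments."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        rules.append((lineno,) + m.groups())
    return rules

def audit_saprouttab(text):
    """Flag permit rules that are wildcarded or allow native routing."""
    findings = []
    for lineno, action, src, dst, serv in parse_saprouttab(text):
        if action.endswith("D"):
            continue  # deny entries are never too permissive
        if src == "*":
            findings.append((lineno, "any source host may connect"))
        if dst == "*" or serv == "*":
            findings.append((lineno, "any destination host or service reachable"))
        if action.endswith("P"):
            findings.append((lineno, "P entry also permits native routing"))
    return findings
```

Run it against a real table with `audit_saprouttab(open("saprouttab").read())`; an empty result means every permit line is pinned to a source, a destination, a service and the SAP protocol.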
Hello there, my name is Nahuel D. Sanchez and I work as a Security Researcher at the Onapsis Research Labs.
The idea behind this post is to uncover and understand the options we have while performing a security assessment of the company’s SAProuter implementation using the open source ERP Penetration Testing framework, Onapsis Bizploit.
For more information about vulnerabilities affecting the SAProuter, attacks and countermeasures, you should have a look at our SAP Security In Depth publication “Securing the Gate to the Kingdom: Auditing the SAProuter”.
Before we dig into the interesting stuff, it’s necessary to review some basic concepts. If you’re already familiar with the SAProuter, you can jump straight to the “Security Assessment Techniques” section.