We all know it, and it is nothing new: the level of security in an organization is equivalent to the weakest link of the chain.
In this blog post we are going to study how an attacker can compromise an SAP system by taking advantage of a simple database vulnerability.
To give more context about this vulnerability, we first need to define what “Oracle Fail Safe Backup” is and how it relates to SAP.
According to Oracle’s site:
Oracle Fail Safe is a high availability software, integrated with Microsoft Failover Cluster, that provides a fast, easy, and accurate way to configure and verify Windows clusters and to automatically fail over Oracle databases and applications.
In the event of a system failure, Oracle Fail Safe works with Microsoft Failover Cluster to restart Oracle databases and applications on a surviving cluster node.
In previous posts we performed security assessments on the Management Console.
For the upcoming assessments we will need a tool to connect to the underlying databases. SQL*Plus is an Oracle utility with a basic command-line interface that allows us to connect to Oracle databases and execute queries in a simple fashion. Note that you will have to download the Instant Client Package – Basic, and then download the Instant Client Package – SQL*Plus.
This way of performing arbitrary queries only works for SAP implementations with Oracle databases (which is the most common configuration in SAP systems). As seen in a previous post, our sample SAP ecosystem has an Oracle database, so we can perform this assessment. If an SAP system is running on an Oracle database, a potential attacker is most likely to succeed, since the attack is based on a default and mandatory trust relationship between the SAP system and the Oracle database.