
SAP Enterprise Portal Hacking

The popularity of SAP NetWeaver Portal and its availability from the Internet make it an attractive target for attacks on companies of various sizes and profiles. This article discusses how a potential attacker can compromise this popular SAP ERP system module and how to defend against such a threat.

Business applications are an attractive target for computer intruders. Their objectives vary widely: industrial espionage, inflicting financial and reputational losses, obtaining critical information for sale. As a rule, attacks on business applications and systems are targeted and carried out by highly skilled people.

SAP NetWeaver Portal (EP) is the main entry point to the SAP ERP system for all users of the corporate network. The portal is usually used internally as a platform where both public information (company news, employee data, etc.) and confidential information (internal documents, instructions and orders) is stored and processed. In addition, the portal provides users with the tools they need for their daily work: holding meetings, managing users, editing documents, working with the necessary tables, and so on.
A distinctive feature of SAP Portal is that it is connected to almost all other SAP components deployed on the company's network. Thus, a compromise of SAP Portal not only compromises all the information processed in it, but also turns it into a springboard for the attacker's further attacks.

Many users remain in the false belief that the SAP ERP system is not accessible from the Internet. Meanwhile, SAP Portal can often be reached from the Internet: a simple Google dork, inurl:/irj/portal, returns a large number of SAP Portal instances open for connection:



The Shodan search engine also makes it easy to find exposed SAP Portal instances.



The popularity of SAP NetWeaver Portal and its availability from the Internet make it an attractive target for attacks on companies of various sizes and profiles. Consider SAP Portal in more detail.

SAP NETWEAVER PORTAL ARCHITECTURE

The SAP Portal architecture is shown in the figure below.



As can be seen from the diagram, the basis of the system is the Web Application Server (SAP J2EE), within which the portal runs. The portal itself is a platform on which various modules run, the main ones being iViews, applications and Web services.

The diagram also shows that SAP Portal is connected to a database as well as to many other SAP components and modules.

Having a general idea of the architecture of the portal, we can proceed to the possible attack vectors against it.

ATTACK ON SAP NETWEAVER J2EE

SAP NetWeaver J2EE is the foundation of SAP Portal, so it is important to understand how an attacker could compromise J2EE. To do this, you need to understand some details of how J2EE works.

Access to applications running in J2EE is defined by the developers of these applications in a descriptor file called web.xml. Below is an example of such a descriptor file.

 <servlet>
   <servlet-name>CriticalAction</servlet-name>
   <servlet-class>com.sap.admin.Critical.Action</servlet-class>
 </servlet>
 <servlet-mapping>
   <servlet-name>CriticalAction</servlet-name>
   <url-pattern>/admin/critical</url-pattern>
 </servlet-mapping>
 <security-constraint>
   <web-resource-collection>
     <web-resource-name>Restrictedaccess</web-resource-name>
     <url-pattern>/admin/*</url-pattern>
     <http-method>GET</http-method>
   </web-resource-collection>
   <auth-constraint>
     <role-name>administrator</role-name>
   </auth-constraint>
 </security-constraint>


Consider it in more detail.

Verb Tampering attack. The most important tags in the descriptor file are: servlet-name, which defines the name of the servlet; http-method, which specifies the HTTP method used to access the servlet; and role-name, which indicates the role required to access the servlet. Thus, to access the CriticalAction servlet, the user must send a GET request and at the same time have administrative rights.

However, authentication can be bypassed: if a user makes a request with a method other than GET, his role will not be checked. Developers, as a rule, restrict access to the application for the GET and POST methods, but sometimes forget about the HEAD method. The latter is identical to GET except for one difference: the server response contains only the headers. Thus, if the attacker finds an application whose action does not depend on receiving a response body, he can try to exploit this mistake.

For example, the CTC servlet allows managing users in SAP Portal: creating and deleting users, moving them between groups. It is therefore a suitable target, because when creating a user what matters is that the request is processed, not that a response is received.

Although the CTC servlet requires authentication for the GET and POST methods, an attacker can gain administrative access to the ERP system using only two HEAD requests to SAP Portal:
• create a new user blabla with password blabla
 HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=blabla,PASSWORD=blabla 

• add the created user to the Administrators group
 HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=blabla,GROUPNAME=Administrators 

This type of attack is called Verb Tampering. To protect the system, you must:
• install SAP Notes 1503579 and 1616259;
• check all web.xml files (this can be done using the ERPScan WEB.XML checker utility).

Invoker Servlet. Take a look at web.xml again.

 <servlet>
   <servlet-name>CriticalAction</servlet-name>
   <servlet-class>com.sap.admin.Critical.Action</servlet-class>
 </servlet>
 <servlet-mapping>
   <servlet-name>CriticalAction</servlet-name>
   <url-pattern>/admin/critical</url-pattern>
 </servlet-mapping>
 <security-constraint>
   <web-resource-collection>
     <web-resource-name>Restrictedaccess</web-resource-name>
     <url-pattern>/admin/*</url-pattern>
     <http-method>GET</http-method>
     <http-method>HEAD</http-method>
   </web-resource-collection>
   <auth-constraint>
     <role-name>administrator</role-name>
   </auth-constraint>
 </security-constraint>


Let us look at another important tag, url-pattern, which describes the URI through which access to the servlet is granted. Thus, by sending a GET request to the URI /admin/critical/CriticalAction, the user gains access to the CriticalAction servlet if he has the administrator role.

However, in this case too, the attacker can bypass authentication and gain access to the servlet. The reason is that the InvokerServlet mechanism is enabled in SAP by default, and it allows servlets to be called through specially crafted links. In other words, an attacker can reach the CriticalAction servlet by the URI /servlet/com.sap.admin.Critical.Action and gain access without holding any role, since this URI does not match the url-pattern specified in the security constraint.

To attack real ERP systems, an attacker can use the same CTC servlet. In addition to user management, it allows executing commands of the operating system on which SAP Portal runs, for example, creating a user.

 /ctc/servlet/ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=[] 




The figure shows the execution of the ipconfig command on the SAP Portal server.

To protect the system, you must:
• install SAP Notes 1467771 and 1445998;
• check all web.xml files (this can be done using the ERPScan WEB.XML checker utility).
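One way to run the web.xml check that both sections above recommend, as an added Python example written for this page (it is not the ERPScan WEB.XML checker and not SAP code): it parses a descriptor, reports every security constraint that enumerates HTTP methods, since each verb not listed bypasses the role check, and lists servlets whose invoker URI /servlet/<class> falls outside every constrained url-pattern. The <web-app> root, its namespace and the list of methods a constraint is expected to cover are assumptions made for the example; the sample descriptor is the article's own, written out in full.

```python
"""Audit a J2EE web.xml for the two descriptor problems discussed above:
security constraints that list explicit HTTP methods (anything not listed,
such as HEAD, is left unprotected) and servlets that an enabled invoker
servlet could expose at /servlet/<class>, outside the constrained URLs."""
import xml.etree.ElementTree as ET

# Methods a constraint is expected to cover; HEAD is the one that is
# usually forgotten. This list is an assumption for the audit, not SAP's.
COMMON_METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS")


def _local(tag):
    """Strip the XML namespace from a tag ({uri}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Text of every descendant of elem called `name`, whitespace trimmed."""
    return [c.text.strip() for c in elem.iter() if _local(c.tag) == name and c.text]


def _pattern_matches(pattern, uri):
    """Minimal servlet url-pattern matching: exact path or '/prefix/*'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-1]          # keep the trailing slash
        return uri.startswith(prefix) or uri == prefix[:-1]
    return uri == pattern


def audit_web_xml(xml_text):
    """Return a list of findings (dicts with a 'type' key) for one web.xml."""
    root = ET.fromstring(xml_text)
    findings, constrained_patterns = [], []

    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = _texts(sc, "url-pattern")
        methods = {m.upper() for m in _texts(sc, "http-method")}
        constrained_patterns.extend(patterns)
        if methods:  # method-specific constraint: every other verb bypasses it
            findings.append({
                "type": "verb-tampering",
                "patterns": patterns,
                "roles": _texts(sc, "role-name"),
                "unprotected_methods": [m for m in COMMON_METHODS if m not in methods],
            })

    # Servlet name -> class, so the invoker URI /servlet/<class> can be derived.
    classes = {}
    for servlet in root.iter():
        if _local(servlet.tag) == "servlet":
            names, cls = _texts(servlet, "servlet-name"), _texts(servlet, "servlet-class")
            if names and cls:
                classes[names[0]] = cls[0]

    for name, cls in classes.items():
        invoker_uri = "/servlet/" + cls
        if not any(_pattern_matches(p, invoker_uri) for p in constrained_patterns):
            findings.append({"type": "invoker-servlet", "servlet": name,
                             "class": cls, "uri": invoker_uri})
    return findings


# Constructed sample: the article's descriptor with the HEAD omission,
# wrapped in an assumed <web-app> root with the J2EE namespace.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Hardened variant: no <http-method> at all, so the constraint covers every verb.
HARDENED_WEB_XML = SAMPLE_WEB_XML.replace(
    "      <http-method>GET</http-method>\n      <http-method>POST</http-method>\n", "")

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label)
        for finding in audit_web_xml(doc):
            print("  ", finding)
```

Removing the http-method elements altogether is the fix the audit rewards, because a constraint without them applies to every verb. The invoker-servlet finding does not go away by editing web.xml: it is there to remind the reviewer that, with the invoker enabled, the class-name URI is not covered by the /admin/* constraint, and the SAP Notes above are what actually close it.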

We now turn to possible attacks aimed directly at the portal.

DIRECT ATTACKS ON THE PORTAL

Security Zone. The portal has a module called Security Zone. It serves as an additional tool for configuring access to portal applications (iViews). Zones are defined for each application in the portalapps.xml descriptor file and have a critical parameter, Safety Level, which determines the level of access to the application. Safety Level has four possible values:

• No Safety
o Anonymous users are allowed access to portal components defined in the security zone.
• Low Safety
o The user must be at least a portal user in order to access the portal components defined in the security zone.
• Medium Safety
o The user must have a specific role on the portal that has been granted access to the portal components defined in the security zone.
• High Safety
o The user must have a role on the portal with high administrative rights, which is granted the right to access the portal components defined in the security zone.

Developers should assign Safety Levels carefully, since when a user accesses, for example, an iView directly by URL (/irj/servlet/prt/portal/prtroot/<iView_ID>), access to the application is checked only against the Safety Level.

A number of critical applications with Safety Level = No Safety were found in SAP Portal. To protect the system, you must check the Safety Level settings of the applications.
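As an added example (not SAP tooling and not the article's code), a script that lists the components in a portalapps.xml whose Safety Level is no_safety or not declared at all. The descriptor layout it parses, with SafetyLevel as a <property> under <component-config>, and the four lowercase level values are assumptions made for the example, so adjust the tag and property names to what your descriptors actually contain.

```python
"""List portal components whose Safety Level leaves them open to anonymous
callers, e.g. through a direct /irj/servlet/prt/portal/prtroot/<iView_ID> URL."""
import xml.etree.ElementTree as ET

# Assumed portalapps.xml layout (not taken from SAP documentation): each
# <component name="..."> carries <property name="..." value="..."/> entries
# in its <component-config>, and the Safety Level is the property named
# SafetyLevel with one of the four values below.
SAFETY_LEVELS = ("no_safety", "low_safety", "medium_safety", "high_safety")


def component_safety_levels(xml_text):
    """Map component name -> declared Safety Level (None if not declared)."""
    root = ET.fromstring(xml_text)
    levels = {}
    for comp in root.iter("component"):
        level = None
        for prop in comp.iter("property"):
            if prop.get("name") == "SafetyLevel":
                level = (prop.get("value") or "").strip().lower()
        levels[comp.get("name")] = level
    return levels


def open_components(xml_text):
    """Components to review: explicitly no_safety, or with no Safety Level
    declared at all (the platform default then decides, not the developer)."""
    return sorted(name for name, level in component_safety_levels(xml_text).items()
                  if level in (None, "", "no_safety"))


def invalid_levels(xml_text):
    """Components whose SafetyLevel value is not one of the known four."""
    return sorted(name for name, level in component_safety_levels(xml_text).items()
                  if level and level not in SAFETY_LEVELS)


# Constructed sample descriptor with three components.
SAMPLE_PORTALAPPS = """<application>
  <components>
    <component name="CompanyNews">
      <component-config>
        <property name="ClassName" value="com.example.news.NewsView"/>
        <property name="SafetyLevel" value="no_safety"/>
      </component-config>
    </component>
    <component name="UserAdmin">
      <component-config>
        <property name="ClassName" value="com.example.admin.UserAdmin"/>
        <property name="SafetyLevel" value="high_safety"/>
      </component-config>
    </component>
    <component name="LegacyReport">
      <component-config>
        <property name="ClassName" value="com.example.report.Legacy"/>
      </component-config>
    </component>
  </components>
</application>"""

if __name__ == "__main__":
    print("review:", open_components(SAMPLE_PORTALAPPS))
    print("invalid:", invalid_levels(SAMPLE_PORTALAPPS))
```

Run it over every portalapps.xml extracted from the deployed applications; a component on the review list that does anything beyond serving public content is exactly the case the paragraph above warns about.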

XSS. SAP Portal is a web application, so it has all the vulnerabilities typical of web applications. One of these is cross-site scripting (XSS). However, unlike the classic vectors for such attacks, when attacking the portal an attacker can use Portal-specific features, for example EPCF technology, which gives access to user data through a special JavaScript API.

An example of such a "malicious" payload:
 <SCRIPT> alert(EPCM.loadClientData("urn:com.sap.myObjects", "person")); </SCRIPT> 


To protect the system, you must:
• install SAP Note 1656549.

Directory traversal. This is another classic attack on web applications. However, here too there is a specific detail: traversal out of the directory is performed not with the traditional /../ sequence but with !252f..!252f, where the portal's ! escape stands for % (so !3d is = and !252f is a doubly encoded /), as in this vulnerability:
 /irj/servlet/prt/portal/prteventname/nav/prteventdata/root!3d!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f..!252f../prtroot/com.sap.portal.support.browse.default 


To protect the system, you must:
• install SAP Note 1630293.
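On the detection side, as an added example that is not from the article: a log scanner that undoes the portal's !-style escaping, percent-decodes the result a bounded number of times and flags any request whose decoded path contains a .. segment. It assumes that ! takes the place of % as the escape character in these URLs (consistent with root!3d reading as root=) and that the log is in Common Log Format; the log lines are constructed, with line 2 carrying the encoded traversal shown above.

```python
"""Detect directory traversal hidden behind the portal's '!'-style URL
escaping in web-server access logs."""
import re
from urllib.parse import unquote

# Assumption used for decoding: in these PRT URLs '!' takes the place of
# '%' as the escape character, so '!3d' is '=' and '!252f' is '%2f', i.e. a
# doubly encoded '/'. Decoding is bounded to a few rounds on purpose.
_BANG_ESCAPE = re.compile(r"!([0-9A-Fa-f]{2})")
_TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")
# Common Log Format request field: "METHOD PATH HTTP/x.y"
_REQUEST = re.compile(r'"([A-Z]+) (\S+) HTTP/[0-9.]+"')


def decode_prt_path(path, max_rounds=3):
    """Turn '!xx' into '%xx', then percent-decode until the value is stable."""
    decoded = _BANG_ESCAPE.sub(r"%\1", path)
    for _ in range(max_rounds):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded


def is_traversal(path):
    """True if the fully decoded path contains a '..' path segment."""
    return bool(_TRAVERSAL.search(decode_prt_path(path)))


def scan_access_log(lines):
    """Return (line_number, method, decoded_path) for suspicious requests."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = _REQUEST.search(line)
        if m and is_traversal(m.group(2)):
            hits.append((number, m.group(1), decode_prt_path(m.group(2))))
    return hits


# Constructed log lines (not real traffic); line 2 carries the encoded
# traversal from the article, the others are ordinary portal requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2013:12:00:00 +0400] "GET /irj/portal HTTP/1.1" 200 4096',
    '10.0.0.7 - - [10/Oct/2013:12:00:03 +0400] "GET /irj/servlet/prt/portal/prteventname/nav/'
    'prteventdata/root!3d!252f..!252f..!252f../prtroot/com.sap.portal.support.browse.default'
    ' HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2013:12:00:05 +0400] "POST /irj/servlet/prt/portal/prtroot/'
    'com.sap.portal.navigation.portallauncher.default HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A plain substring match on /../ would miss this request entirely, which is the point of decoding before matching. The !xx rewrite can in principle turn a literal "!ab" in an ordinary parameter into a percent escape, so treat hits as candidates for review rather than as verdicts.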

XML External Entity. This is a classic attack on the XML transport of web applications. XML is one of the main transports in SAP NetWeaver Portal, so a potential attacker might try to compromise the system through it, in particular to gain administrative access to SAP Portal.

SAP has a dedicated password store, SAP Security Storage, located in the SecStore.properties file. The passwords are encrypted, but the decryption key is located in the same directory as the passwords (in the SecStore.key file). Thus, if an attacker can read these files, he can decrypt the passwords and gain administrative access to the portal.

This attack is carried out in several stages:
• finding a vulnerability that allows you to read SAP-Portal server files;
• reading the SecStore.properties file with encrypted passwords;
• reading the SecStore.key file with keys for decrypting passwords;
• decrypting the administrative password and gaining access to SAP Portal.

Any of the previously described vulnerabilities that allow reading files from the SAP Portal server can be used here, such as directory traversal or command execution.

Separately, I would like to demonstrate XML External Entity (XXE) injection. Here is a typical request to the portal captured in a sniffer.



As you can see, the POST request contains a large number of parameters. If you look closely, one of them contains XML.



It is into this parameter that we will inject a request that returns the contents of SecStore.properties and SecStore.key.



The figure shows how you can read files from the SAP Portal server using the XXE vulnerability.
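On the defensive side, the parser policy that stops this class of injection on a request parameter, as an added Python example that is not part of the article or of SAP's code: the standard-library expat parser is given handlers that abort on any DOCTYPE, any entity declaration and any external entity reference, so a document of the kind described above is rejected before anything is resolved. Both sample documents are constructed; the placeholder path in the second one stands in for whatever file an attacker would name.

```python
"""Parse XML taken from a portal request while refusing the constructs an
XML External Entity (XXE) injection needs: a DOCTYPE, entity declarations
and external entity references. Built on the standard-library expat parser."""
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when the document uses a construct the policy forbids."""


def parse_untrusted_xml(data):
    """Return [(tag, text), ...] in end-tag order, or raise UnsafeXML.
    Well-formedness errors still surface as xml.parsers.expat.ExpatError."""
    elements, stack = [], []

    def start(name, attrs):
        stack.append([name, ""])

    def chars(text):           # expat may deliver text in several chunks
        if stack:
            stack[-1][1] += text

    def end(name):
        tag, text = stack.pop()
        elements.append((tag, text.strip()))

    # Policy handlers: raising inside a callback aborts Parse() with that error.
    def doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE not accepted in request XML: %s" % name)

    def entity_decl(*args):
        raise UnsafeXML("entity declarations not accepted")

    def external_ref(context, base, system_id, public_id):
        raise UnsafeXML("external entity reference refused: %r" % system_id)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.StartDoctypeDeclHandler = doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.Parse(data, True)
    return elements


def is_safe_xml(data):
    """Convenience gate for a request filter: True if the policy accepts it."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXML:
        return False


# Constructed samples (not captured traffic). The second one declares an
# external entity pointing at a placeholder path, the shape an XXE probe takes.
BENIGN_REQUEST = '<request><param name="action">view</param><payload>hello</payload></request>'
XXE_REQUEST = ('<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
               "<request><payload>&ext;</payload></request>")

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_REQUEST))
    print("benign accepted:", is_safe_xml(BENIGN_REQUEST))
    print("xxe accepted:", is_safe_xml(XXE_REQUEST))
```

Rejecting the DOCTYPE outright is the simplest policy and costs nothing for request payloads, which never legitimately need one; the entity and external-reference handlers are kept as a second line in case a future parser configuration stops reporting the DOCTYPE. For a Java portal the equivalent setting is to disallow DTDs in the XML parser factory before it sees request data.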

After the files have been read successfully, they can be decrypted using the ERPScan SecStore decryption utility.

To do this, run SecStore_Cr.jar in the directory containing the password file and key obtained from the server, and specify the SID of the system. The utility will then display the decrypted passwords and other service information.



Disclosure. SAP Portal ships with many services that attackers can use to gather information when planning attacks on the system. Other scenarios are also possible, for example using the portal as a springboard for further actions. Many documents are stored there, and with the help of the simple built-in search engine and queries such as secret or password, an attacker can discover a large amount of confidential information.



FINDINGS

The popularity of SAP NetWeaver Portal, one of the modules of the SAP ERP system, has made it the most attractive target for attackers seeking access to corporate information. That is why its security demands attention from system administrators and developers, and even from ordinary users.

Source: https://habr.com/ru/post/204148/

