SAP Hacked at Black Hat (Again)
Updated · Jul 27, 2012
LAS VEGAS — SAP applications could potentially be at risk from an emerging type of exploit known as Server Side Request Forgery (SSRF). That’s the message coming from security researcher Alexander Polyakov at this week’s Black Hat security research conference.
Polyakov has brought attention to SAP security before, having first taken aim at the company during a landmark 2011 Black Hat session. He has reason to look for SAP vulnerabilities as his company, ERPscan, sells tools for improving SAP system security. The SSRF angle is a new one, as it can enable an attacker to remotely exploit a system without the need for user authentication.
How the SSRF Exploit Works
In many types of server communications, there is one packet (packet A) going to a service (service A), Polyakov explained. What happens in some cases is that Service A then can initiate a new packet (packet b) to a new server (server b). In SSRF, an attacker is able to manipulate some fields of packet b from packet A.
“The idea is to use the minimum rights in one application to send something that can make impact on the other system,” Polyakov said. “The attack is very dangerous as it looks legitimate.”
Polyakov located one potential SSRF in the SAP Netweaver server.
“It is possible to scan the internal network from the Internet without access authorization,” Polyakov said. “But you can only find information if the port is open or not, so you can’t control anything.”
That said, it’s still a vulnerability. Polyakov said ERPscan has disclosed the issue to SAP and is working with the German software giant on a potential fix.
Another SAP Vulnerability
Another more dangerous exploit comes by way of a different SSRF vulnerability in SAP Netweaver. The exploit is in the dilbertmsg Web service that is used to send messages in the system.
“By tunneling over Gopher we can bypass SAP security restrictions and exploit the system,” Polyakov said.
Gopher is an old Internet protocol that predates the modern HTTP Web that is the ubiquitous form of Internet access today. As it turns out, there is an XML parser on the SAP server that supports both http and gopher. “So in the parser it has a Gopher client,” Polyakov said.
Polyakov’s company has developed a tool called XXE Scanner that can help identify potential SSRF risks in SAP systems. His company worked with SAP to fix the Gopher vulnerability, he said.
“Server Side Request Forgery attacks are very dangerous,” Polyakov said. “Gopher is just one example, and we only really looked at the SAP JavaEE engine.”
Polyakov warned that other enterprise applications that use the same Java component, named the Oracle Java Virtual Machine, could also potentially be at risk from a similar type of Gopher exploit.
Read more about SAP ERP here.