(very) Short introduction to SAP security
Bruno Morisson <email@example.com>
Consultant and Partner @ INTEGRITY
Leading Consulting and Penetration Testing engagements
Breaking things, and finding how to fix them
OSCP, CISSP-ISSMP, CISA, ISO27001LA
Currently doing the MSc in Information Security @ Royal Holloway,
University of London.
Organizing BSidesLisbon 2013
What is SAP ?
SAP, started in 1972 by five former IBM employees in Mannheim, Germany,
states that it is the world's largest inter-enterprise software company
and the world's fourth-largest independent software supplier, overall.
The original name for SAP was German: Systeme, Anwendungen, Produkte,
German for "Systems Applications and Products." The original SAP idea was
to provide customers with the ability to interact with a common corporate
database for a comprehensive range of applications. Gradually, the
applications have been assembled and today many corporations, including
IBM and Microsoft, are using SAP products to run their own
Standing on the shoulders of giants
Chris John Riley - SAP (in)Security
David Hartley (nmonkee) - SAP Slappin’
Mariano di Croce - The SAProuter
Alexander Polyakov - Breaking SAP portal
So I sneezed...
SAP Security Note 1816536 / CVE-2013-3319
21 Aug 2012 – Reported vulnerability to vendor
23 Aug 2012 – Vendor acknowledged vulnerability
22 Oct 2012 – Vendor contact, with status update
23 Jan 2013 – Contacted vendor, requesting status update
23 Jan 2013 – Vendor replied with status update
9 Apr 2013 – Vendor releases patch
9 Jul 2013 – Advisory released
SAP Security Note 1816536
An attacker can discover information about the Operating System version
and Database versions in use on systems that use SAP Host Agent.
This information could be used to allow the attacker to specialize their
attacks against the Operating System and Databases Software.
What is SAProuter ?
SAProuter is an SAP program that acts as an intermediate station (proxy) in a
network connection between SAP Systems, or between SAP Systems and external
networks. SAProuter controls the access to your network (application level
gateway), and, as such, is a useful enhancement to an existing firewall system.
Figuratively speaking, the firewall acts as an impenetrable wall around your
network. However, since particular types of connections need to penetrate this
wall, a “hole” has to be made in the firewall. SAProuter assumes the control
of this hole.
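Added example, not from the original slides: SAProuter decides what may pass through the "hole" from its route permission table (saprouttab), which the slides do not show. The Python code below audits a constructed table for entries that leave the hole wide open. It assumes the standard `P|S|D <source-host> <dest-host> <dest-service> [password]` entry syntax and that the first matching entry decides; the function names are illustrative.

```python
# Constructed sample route permission table (not from a real system).
SAMPLE = """\
# <P|S|D> <source-host> <dest-host> <dest-service> [password]
D  *             10.0.0.5    *
S  192.168.1.*   10.0.0.10   3200
S  198.51.100.4  *           3200
P  203.0.113.7   10.0.0.20   22
P  *             *           *
D  *             10.0.0.99   *
"""

def parse(text):
    """Yield (line_no, kind, src, dst, svc, password) for P/S/D entries."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        # Comments, blank lines and SNC entries (KP/KS/KD/KT) are skipped.
        if len(fields) < 4 or fields[0].upper() not in ("P", "S", "D"):
            continue
        password = fields[4] if len(fields) > 4 else None
        yield no, fields[0].upper(), fields[1], fields[2], fields[3], password

def audit(text):
    """Return (line_no, message) findings for over-permissive entries."""
    findings, catch_all = [], None
    for no, kind, src, dst, svc, password in parse(text):
        if catch_all is not None:  # assumption: the first matching entry decides
            findings.append((no, f"never evaluated: line {catch_all} matches every route"))
            continue
        if src == dst == svc == "*" and password is None:
            catch_all = no
        if kind == "D":
            continue
        if src == dst == svc == "*":
            findings.append((no, "any source may reach any host and service"))
        elif "*" in dst or "*" in svc:
            findings.append((no, "wildcard destination host or service"))
        if kind == "P" and "*" in svc:
            findings.append((no, "P relays native TCP to any port; S allows only the SAP protocol"))
        if src == "*" and password is None:
            findings.append((no, "any source accepted without a route password"))
    return findings

if __name__ == "__main__":
    for no, msg in audit(SAMPLE):
        print(f"line {no}: {msg}")
```

The P versus S distinction corresponds to the TCP and SAP_PROTO connection modes of the scanner module shown next: an S entry only relays the SAP protocol, while a P entry also relays native TCP.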
msf auxiliary(sap_router_portscanner) > show options

Module options (auxiliary/scanner/sap/sap_router_portscanner):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   CONCURRENCY     1                yes       The number of concurrent ports to check per host
   INSTANCES       00-99            no        SAP instance numbers to scan (NN in PORTS definition)
   MODE            SAP_PROTO        yes       Connection Mode: SAP_PROTO or TCP (accepted: SAP_PROTO, TCP)
   PORTS           32NN             yes       Ports to scan (e.g. 3200-3299,5NN13)
   RHOSTS          192.168.1.175    yes       The target address range or CIDR identifier
   SAPROUTER_HOST  192.168.1.25     yes       SAPRouter address
   SAPROUTER_PORT  3299             yes       SAPRouter TCP port
   THREADS         1                yes       The number of concurrent threads