Bla-blah-blah SAP. Bla-blah-blah big companies. Bla-blah-blah hack multi-million dollar systems. This is how typical SAP talks start. But not this time. We are really missing hardcore exploitation stuff and unusual vulnerabilities, no matter where they are. Now it's time for real HARDCORE!
In our presentation, we will tell (and show) how, by using a chain of minor vulnerabilities in different SAP services, we can take complete control of an affected system. Have you ever heard that a denial of service vulnerability can be used for remote command execution? No, we are not talking about memory corruption. It's about how unexploitable denial of service vulnerabilities can be exploited together with some minor issues to attack a system in a way you have never imagined.
You'll see the way from Anonymous to SAP_ALL, enjoy!
4. 4
About ERPScan
• The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of vulnerabilities found in SAP and Oracle (500+)
• 100+ presentations at key security conferences worldwide
• 30+ awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Amsterdam (EU); offices in the USA, Australia and Denmark
5. 5
About what?
• No blah-blah-blah about how important it is to spend time and money on SAP security (critically important)
• No blah-blah-blah about best practices
• No Junk Hacking
Just a little story about how we got yet another RCE in SAP
28. 28
SEEK AND DESTROY
• disp+work – dispatcher and work processes; all ABAP code is processed here
• gwrd – SAP gateway
• icman (icm) – SAP Web Application Server
• jstart – SAP AS Java instance
• sapstart – SAP starter
• igswd_mt – SAP IGS (Internet Graphics Service)
• igsmux_mt – SAP IGS
• igspw_mt – SAP IGS
34. 34
Reverse engineering of SAPSTARTSRV
IsTrustedInternalConnect()
– Hardcoded user names
• “{2D4A6FB8-37F1-43d7-88BE-AD279C89DCD7}”
User name for requests with a temporary local logon ticket
• “{221BA44F-F88E-4166-BB2B-E2541910B86A}”
UNDOCUMENTED HARDCODED USER NAME
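An added example (not from the deck, ERPScan or SAP) of the audit check a defender would want at this point: scanning a binary image for GUID-shaped strings, which is how hardcoded identities like the two above tend to appear, and flagging any that the vendor documentation does not account for. The scanner covers plain ASCII and UTF-16LE wide strings, since Windows binaries commonly store the latter. The image below is a constructed byte string carrying the two GUIDs from the slide; it is not a dump of sapstartsrv, and the function names are this example's own.

```python
import re

# Hardcoded identities in native binaries are often GUID-shaped strings, stored
# either as plain ASCII or, in Windows binaries, as UTF-16LE wide strings.
# Both forms are scanned for here.
HEX = rb"[0-9A-Fa-f]"
GUID_ASCII = re.compile(
    rb"\{" + HEX + rb"{8}-" + HEX + rb"{4}-" + HEX + rb"{4}-"
    + HEX + rb"{4}-" + HEX + rb"{12}\}"
)
WHEX = rb"(?:[0-9A-Fa-f]\x00)"  # one hex digit as a UTF-16LE code unit
GUID_WIDE = re.compile(
    rb"\{\x00" + WHEX + rb"{8}-\x00" + WHEX + rb"{4}-\x00" + WHEX + rb"{4}-\x00"
    + WHEX + rb"{4}-\x00" + WHEX + rb"{12}\}\x00"
)


def find_guid_strings(image: bytes):
    """Return (offset, encoding, guid) for every GUID-shaped string in a binary image."""
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in GUID_ASCII.finditer(image)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in GUID_WIDE.finditer(image)]
    return sorted(hits)


def undocumented_identities(image: bytes, documented):
    """GUID strings present in the image that the vendor documentation does not list.
    Comparison is case-insensitive; the returned values keep the binary's own case."""
    known = {g.lower() for g in documented}
    return sorted({g for _, _, g in find_guid_strings(image) if g.lower() not in known})


# Constructed stand-in for a binary image (not a real sapstartsrv dump): a fake
# header, a function name, one ASCII GUID and one UTF-16LE GUID. The two GUID
# values are the ones shown on the slide.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"IsTrustedInternalConnect\x00"
    + b"{2D4A6FB8-37F1-43d7-88BE-AD279C89DCD7}\x00"
    + b"\xcc" * 8
    + "{221BA44F-F88E-4166-BB2B-E2541910B86A}".encode("utf-16-le") + b"\x00\x00"
    + b"\xff" * 6
)

# Identities the vendor documentation accounts for (the slide documents only the first one).
DOCUMENTED = {"{2D4A6FB8-37F1-43d7-88BE-AD279C89DCD7}"}

if __name__ == "__main__":
    for offset, encoding, guid in find_guid_strings(SAMPLE_IMAGE):
        print(f"{offset:#06x} {encoding:8s} {guid}")
    print("undocumented:", undocumented_identities(SAMPLE_IMAGE, DOCUMENTED))
```

To run it over a real binary, pass `open(path, "rb").read()` as the image. A GUID that shows up in the binary but not in the documented set is the one to ask the vendor about, since the operator cannot change or rotate a name that is compiled in.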
40. 40
Shared memory
SHM – Shared Memory is an efficient means of passing data between programs. One program creates a memory portion which other processes (if permitted) can access.
46. 46
Shared memory
• JsfCheckShmKeyString()
What is this key?
• password for authentication on SAPSTARTSRV
• Is this key static?
• Can we guess the key (if not static)?
• Can we brute-force this key?
49. 49
Shared memory
• JsfCheckShmKeyString()
• Is this key static? – No:
– Rng_PseudoRandomInit
– Rng_PseudoRandom
– Rng_CompleteUpdate
– Key length: 36 bytes
• Can we guess this key (if not static)? – No
• Can we brute-force this key? – No
61. 61
• JsfCheckShmKeyString()
– Read the raw (binary) key from shared memory
– Convert the key to a readable format
– Add ‘x’ to the beginning and ‘x’ to the end of the key ☺ (why?)
– Compare the key with the user input
– Return the result
75. 75
Random ShmKey …
• After restart
– Jstart started
– “Random” ShmKeyString indeed random
– This key is NOT working:
“xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx”
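The shared-memory description on slide 40 and the JsfCheckShmKeyString() step list on slide 61, worked through as one added example. This is not code from the deck, ERPScan or SAP: the function names, the hex encoding of the raw key, the CSPRNG and the uninitialised-segment check are all this example's assumptions; only the 36-byte key length and the ‘x’ framing come from the slides. It is written the way a defender would want the check implemented: the comparison runs in constant time, and a segment that is empty or filled with a single repeated byte is rejected instead of being used as a key.

```python
import hmac
import secrets
from multiprocessing import shared_memory

RAW_KEY_LEN = 36  # the deck gives the key length as 36 bytes


def make_raw_key() -> bytes:
    """Generate the raw key with the OS CSPRNG (this example's choice, not the deck's RNG)."""
    return secrets.token_bytes(RAW_KEY_LEN)


def readable_key(raw: bytes) -> str:
    """Convert the raw key to a printable form and frame it with 'x' on both ends.
    Hex is an assumption: the deck only says 'convert to readable format'."""
    return "x" + raw.hex() + "x"


def key_looks_initialised(raw: bytes) -> bool:
    """Added safeguard: refuse a segment that is short, empty or filled with one
    repeated byte, which is what an uninitialised or placeholder segment looks like."""
    return len(raw) == RAW_KEY_LEN and len(set(raw)) > 1


def publish_key(raw: bytes) -> shared_memory.SharedMemory:
    """The owner side: create a segment (mode 0600 by default, so only the same
    user can attach) and store the raw key in it."""
    shm = shared_memory.SharedMemory(create=True, size=len(raw))
    shm.buf[:len(raw)] = raw
    return shm


def read_key(name: str) -> bytes:
    """The 'other process' side: attach to the segment by name and copy the raw key out.
    Attaching by name registers the segment with Python's resource tracker a second
    time; on Python < 3.13 that can print a harmless leak warning at exit
    (3.13 adds track=False for this)."""
    shm = shared_memory.SharedMemory(name=name)
    try:
        return bytes(shm.buf[:RAW_KEY_LEN])
    finally:
        shm.close()


def check_shm_key(raw: bytes, user_input: str) -> bool:
    """The check sequence from the slide (read, convert, frame, compare), with a
    constant-time comparison so response timing does not reveal how many leading
    characters of the submitted key were right."""
    if not key_looks_initialised(raw):
        return False
    expected = readable_key(raw).encode()
    return hmac.compare_digest(expected, user_input.encode())


def demo() -> tuple:
    """Round trip through real shared memory.
    Returns (correct key accepted, all-'A' key rejected)."""
    raw = make_raw_key()
    shm = publish_key(raw)
    try:
        seen = read_key(shm.name)
        accepted = check_shm_key(seen, readable_key(raw))
        rejected = not check_shm_key(seen, "x" + "A" * (2 * RAW_KEY_LEN) + "x")
        return accepted, rejected
    finally:
        shm.close()
        shm.unlink()


if __name__ == "__main__":
    print(demo())
```

The segment name is whatever the operating system hands back at creation time; a real service would publish it to its peers the way SAP does through its own configuration, which this example does not model.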
107. 107
ICM
• The ICM is a component of the SAP NetWeaver Application Server. It is implemented as a separate process, which is started and monitored by the ABAP dispatcher.
• One of the core components of SAP
108. 108
ICM
– Binary name: icman.exe
– Size: 5.7M
– IDA db: ~100M
– One of the core components of SAP => thoroughly audited
119. 119
Solutions…
• ICM DoS:
– SAP note 2256185 (Dmitry Yudin)
• Jstart DoS:
– SAP note 2259547 (Dmitry Yudin)
• MC auth bypass:
– SAP note 2259547 (Dmitry Chastuhin, Dmitry Yudin)
120. 120
Conclusion
• Don’t give up. If you can't exploit a vulnerability using one issue, try to find another way to trigger it
• Holistic approach + correlation (code, SOD, vulnerabilities)
• Probably a lot of vulnerabilities still exist at the binary level of different SAP services
• Have fun!
121. 121
About
USA HQ: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301
EU HQ: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam
www.erpscan.com
info@erpscan.com
@_chipik @ret5et