4. 4
About ERPScan
• The only 360-degree SAP security solution: ERPScan Security
Monitoring Suite for SAP
• Leader by the number of vulnerabilities in SAP and Oracle (500+)
• 100+ presentations key security conferences worldwide
• 30+ awards and nominations
• Research team: 20 experts with experience in different areas of
security
• Headquarters Amsterdam (EU), offices in USA, Australia,
Denmark
4
5. 5
About what?
• No blah-blah-blah about how important it is to spend time and
money on SAP security (critically important)
• No blah-blah-blah about best practices
• No Junk Hacking
Just a little story how we got yet another RCE in SAP
5
28. 28
SEEK AND DESTROY
• Disp+work – here the complete ABAP is processed
• Gwrd – SAP gateway
• Icman (icm) – SAP Web Application Server
• Jstart – SAP AS Java Instance
• Sapstart – SAP starter
• Igswd_mt – SAP IGS (Internet Graphics Service )
• Igsmux_mt – SAP IGS
• Igspw_mt – SAP IGS
34. 34
Reverse engineering of SAPSTARTSRV
IsTrustedInternalConnect()
– Hardcoded user names
• “{2D4A6FB8-37F1-43d7-88BE-AD279C89DCD7}”
User name for requests with a temporary local logon tickets.
• “{221BA44F-F88E-4166-BB2B-E2541910B86A}”
UNDOCUMENTED HARDCODED USER NAME
40. 40
Shared memory
SHM - Shared Memory is an efficient
means of passing data between
programs. One program will create a
memory portion which other
processes (if permitted) can access.
46. 46
Shared memory
• JsfCheckShmKeyString()
What is this key?
• password for authentication on SAPSTARTSRV
– Is this key static?
– Can we guess key (if not static)?
– Can we brut this key?
47. 47
Shared memory
• JsfCheckShmKeyString()
– Is this key static?
• No
– Rng_PseudoRandomInit
– Rng_PseudoRandom
– Rng_CompleteUpdate
– Key len 36 bytes
– Can we guess this key (if not static)?
– Can we brut this key?
48. 48
Shared memory
• JsfCheckShmKeyString()
– Is this key static?
• No
– Rng_PseudoRandomInit
– Rng_PseudoRandom
– Rng_CompleteUpdate
– Key len 36 bytes
– Can we guess this key (if not static)? - No
– Can we brut this key?
49. 49
Shared memory
• JsfCheckShmKeyString()
– Is this key static?
• No
– Rng_PseudoRandomInit
– Rng_PseudoRandom
– Rng_CompleteUpdate
– Key len 36 bytes
– Can we guess this key (if not static)? - No
– Can we brut this key? - No
61. 61
• JsfCheckShmKeyString()
– Read raw (binary) key from shm memory
– Convert key to readable format
– Add ‘x’ to end and ‘x’ to begin of key (why?)
– Check key with user input
– Return result
74. 74
Random ShmKey …
• After restart
– Jstart started
– “Random” ShmKeyStrting indeed random
75. 75
Random ShmKey …
• After restart
– Jstart started
– “Random” ShmKeyStrting indeed random
– This key is NOT working
“xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx”
107. 107
ICM
• ICM in the SAP NetWeaver Application Server.
The ICM is a component of the SAP NetWeaver
Application Server. It is implemented as a
separate process, which is started and monitored
by the ABAP dispatcher.
• One of core component of SAP
108. 108
ICM
– Binary name icman.exe
– Size 5.7M
– IDA db ~ 100M
– One of core components of SAP => heavily audited
119. 119
Solutions…
• ICM DoS:
– SAP note 2256185 (Dmitry Yudin)
• Jstart DoS:
– SAP note 2259547 (Dmitry Yudin)
• MC auth bypass:
– SAP note 2259547 (Dmitry Chastuhin, Dmitry Yudin)
120. 120
Conclusion
• Don’t give up. If you can't exploit vulnerability
using one issue try to find another way to trigger
it
• Holistic approach + correlation (code, SOD,
vulnerabilities)
• Probably a lot of vulnerabilities still do exist on a
binary level of different SAP services
• Have fun!
121. 121121
About
228 Hamilton Avenue, Fl. 3,
Palo Alto, CA. 94301
USA HQ
Luna ArenA 238 Herikerbergweg,
1101 CM Amsterdam
EU HQ
www.erpscan.com
info@erpscan.com
@_chipik @ret5et