This document describes how the author was able to gain remote code execution on SAP systems by exploiting vulnerabilities they discovered. They began by looking at various SAP binaries like DISP+WORK.EXE but found them too large and complex to analyze. They then turned their attention to SAPSTARTSRV, which handles requests to the SAP Management Console. By reverse engineering this binary, they found it used a hardcoded "random" shared memory key for authentication that could be easily guessed. This allowed executing commands via a Python script. To achieve remote code execution, they then exploited crashes in the JSTART and ICMAN processes that would restart vulnerable services on the target system.

1. 1
Getting access to the SAP server
via SAP Management Console
Dmitry Chastuhin, Dmitry Yudin

2. 2
About us
Business application
security expert
Yet another security
researcher
ERPScan

3. 3
About us
Security researcher
Reverse engineer
ERPScan

4. 4
About ERPScan
• The only 360-degree SAP security solution: ERPScan Security
Monitoring Suite for SAP
• Leader by the number of vulnerabilities in SAP and Oracle (500+)
• 100+ presentations key security conferences worldwide
• 30+ awards and nominations
• Research team: 20 experts with experience in different areas of
security
• Headquarters Amsterdam (EU), offices in USA, Australia,
Denmark
4

5. 5
About what?
• No blah-blah-blah about how important it is to spend time and
money on SAP security (critically important)
• No blah-blah-blah about best practices
• No Junk Hacking
Just a little story how we got yet another RCE in SAP
5

6. 6
SAP
6

7. 7
Target
• SAP and WEB?
– XSS, CSRF, double blind self clickjacking, whatever
• SAP and ABAP/JAVA?
– RFC, servlets, ABAP code, transactions
• SAP and additional services?
– Log Viewer, SDM, notepad, archives
Try to implement some reverse engineering to core binary file
7

8. 8
DISP+WORK.EXE
dw - disp+work - Dispatcher & Workprocess - "The complete
Kernel" - Here the complete ABAP is processed ...
8

9. 9
DISP+WORK.EXE
Binary has a considerable size: ≈ 51 M
9

10. 10
DISP+WORK.EXE
Binary has a considerable size: ≈ 51 M
Ida db size: ≈ 133 M
10

11. 11
DISP+WORK.EXE
Binary has a considerable size: ≈ 51 M
Ida db size: ≈ 133 M
Difficult debug network communication
11

12. 12
DISP+WORK.EXE
Difficulties with debug network communication
Even a child can process request: difficult guess the pid of process
12

13. 13
DISP+WORK.EXE

14. 14

15. 15
Instance profile cfg
rdisp/TRACE = 2
rdisp/TRACE_RESOLUTION = 2
rdisp/TRACE_LOGGING = on
rdisp/TRACE_HIDE_SEC_DATA = off
rdisp/TRACE_COMPS = 2
enque/TRACE = 2
alert/TRACE = 2
service/trace = 2
rdisp/configurable_wp_no = 0
rdisp/wp_max_no = 0
rdisp/wp_no_dia = 1
rdisp/wp_no_btc = 0
rdisp/wp_no_vb = 0
rdisp/wp_no_vb2 = 0
rdisp/wp_no_spo = 0
15

16. 16
Instance profile cfg
rdisp/TRACE = 2
rdisp/TRACE_RESOLUTION = 2
rdisp/TRACE_LOGGING = on
rdisp/TRACE_HIDE_SEC_DATA = off
rdisp/TRACE_COMPS = 2
enque/TRACE = 2
alert/TRACE = 2
service/trace = 2
rdisp/configurable_wp_no = 0
rdisp/wp_max_no = 0
rdisp/wp_no_dia = 1
rdisp/wp_no_btc = 0
rdisp/wp_no_vb = 0
rdisp/wp_no_vb2 = 0
rdisp/wp_no_spo = 0
16
Number of configurable work processes

17. 17

18. 18
Actually it can be processed by one worker. 

19. 19
By only one worker 
But …

20. 20
DISP+WORK.EXE
Where is jstart???
20

21. 21
Before …

22. 22
After …
Yoo-hoo, JSTART?!?? …

23. 23
DISP+WORK.EXE
JSTART
23

24. 24
Reverse engineering of DISP+WORK.EXE
GOAL

25. 25
Reverse engineering of DISP+WORK.EXE
• But
– It’s too difficult
– It’s too big
– I’m too lazy
– RCE takes too much time

26. 26
Reverse engineering of DISP+WORK.EXE
• But
– It’s too difficult
– It’s too big
– I’m too lazy
– RCE takes too much time (maybe)

27. 27
SEEK AND DESTROY
How about some new
targets?

28. 28
SEEK AND DESTROY
• Disp+work – here the complete ABAP is processed
• Gwrd – SAP gateway
• Icman (icm) – SAP Web Application Server
• Jstart – SAP AS Java Instance
• Sapstart – SAP starter
• Igswd_mt – SAP IGS (Internet Graphics Service )
• Igsmux_mt – SAP IGS
• Igspw_mt – SAP IGS

29. 29

30. 30
SAPSTARTSRV
• HOW ABOUT SAPSTARTSRV

31. 31
SAPSTARTSRV
• SAP Management Console

32. 32
SAPSTARTSRV
• ≈ 15M
• LISTEN tcp 0 0.0.0.0:5NN13
• SOAP
– SAPControl:OSExecute 
• But 
– We need authentication

33. 33
Reverse engineering of SAPSTARTSRV
• IsTrustedInternalConnect()
– JsfOpenShm()
– JsfCheckShmKeyString()
– JsfCloseShm()

34. 34
Reverse engineering of SAPSTARTSRV
IsTrustedInternalConnect()
– Hardcoded user names
• “{2D4A6FB8-37F1-43d7-88BE-AD279C89DCD7}”
User name for requests with a temporary local logon tickets.
• “{221BA44F-F88E-4166-BB2B-E2541910B86A}”
UNDOCUMENTED HARDCODED USER NAME

35. 35
Reverse engineering of SAPSTARTSRV
IsTrustedInternalConnect()
How about a hardcoded password?

36. 36
Reverse engineering of SAPSTARTSRV
IsTrustedInternalConnect()
How about a hardcoded password?

37. 37
SHM
• IsTrustedInternalConnect()
– JsfOpenShm()
– JsfCheckShmKeyString()
– JsfCloseShm()

38. 38
SHM
• IsTrustedInternalConnect()
– JsfOpenShm()
– JsfCheckShmKeyString()
– JsfCloseShm()

39. 39
SHM
What is SHM?

40. 40
Shared memory
SHM - Shared Memory is an efficient
means of passing data between
programs. One program will create a
memory portion which other
processes (if permitted) can access.

41. 41
Shared memory
•IsTrustedInternalConnect()
–JsfOpenShm()
–JsfCheckShmKeyString()
–JsfCloseShm()

42. 42
Shared memory
•IsTrustedInternalConnect()
–JsfOpenShm() - ok
–JsfCheckShmKeyString()
–JsfCloseShm()

43. 43
Shared memory
•IsTrustedInternalConnect()
–JsfOpenShm() - ok
–JsfCheckShmKeyString()
–JsfCloseShm() - ok

44. 44
Shared memory
• IsTrustedInternalConnect()
–JsfOpenShm() - ok
–JsfCheckShmKeyString() - ???
–JsfCloseShm() - ok

45. 45
Shared memory
• JsfCheckShmKeyString()
–What is this key?
–Is this key static?
–Can we guess this key (if not
static)?
–Can we brut this key?

46. 46
Shared memory
• JsfCheckShmKeyString()
What is this key?
• password for authentication on SAPSTARTSRV
– Is this key static?
– Can we guess key (if not static)?
– Can we brut this key?

47. 47
Shared memory
• JsfCheckShmKeyString()
– Is this key static?
• No
– Rng_PseudoRandomInit
– Rng_PseudoRandom
– Rng_CompleteUpdate
– Key len 36 bytes
– Can we guess this key (if not static)?
– Can we brut this key?

48. 48
Shared memory
• JsfCheckShmKeyString()
– Is this key static?
• No
– Rng_PseudoRandomInit
– Rng_PseudoRandom
– Rng_CompleteUpdate
– Key len 36 bytes
– Can we guess this key (if not static)? - No
– Can we brut this key?

49. 49
Shared memory
• JsfCheckShmKeyString()
– Is this key static?
• No
– Rng_PseudoRandomInit
– Rng_PseudoRandom
– Rng_CompleteUpdate
– Key len 36 bytes
– Can we guess this key (if not static)? - No
– Can we brut this key? - No

50. 50
Shared memory
• JsfCheckShmKeyString()

51. 51
ShmKey …
BUT

52. 52
ShmKey …

53. 53
ShmKey …
… if we try to debug a little

54. 54
authBypassOSExec_poc.py

55. 55
DEMO 1

56. 56
ShmKey …
• “Random” ShmKeyStrting is
– “xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx”

57. 57
ShmKey …
• “Random” ShmKeyStrting is
– “xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx”

58. 58
ShmKey …
• “Random” ShmKeyStrting is
– “xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx”

59. 59
Random ShmKey …
AWESOME

60. 60
ShmKey …
Why?
“xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx”

61. 61
• JsfCheckShmKeyString()
– Read raw (binary) key from shm memory
– Convert key to readable format
– Add ‘x’ to end and ‘x’ to begin of key  (why?)
– Check key with user input
– Return result

62. 62

63. 63
In our case
xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx
is a printable presentation of raw key
Hex dump:
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00

64. 64

65. 65
In our case
xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx
is a printable presentation of raw key
Hex dump:
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00
Some shared memory problems?

66. 66
Random ShmKey …
Do you remember …

67. 67
Random ShmKey …
Do you remember …
profile cfg …

68. 68
Random ShmKey …
Do you remember …
profile cfg …
jstart – what never started …

69. 69
Instance profile cfg
rdisp/TRACE = 1337
rdisp/TRACE_RESOLUTION = 1337
rdisp/TRACE_LOGGING = on
rdisp/TRACE_HIDE_SEC_DATA = off
rdisp/TRACE_COMPS = 7
enque/TRACE = 7
alert/TRACE = 7
service/trace = 7
rdisp/configurable_wp_no = 0
rdisp/wp_max_no = 0
rdisp/wp_no_dia = 1
rdisp/wp_no_btc = 0
rdisp/wp_no_vb = 0
rdisp/wp_no_vb2 = 0
rdisp/wp_no_spo = 0
69

70. 70
Instance profile cfg
#rdisp/TRACE = 1337
#rdisp/TRACE_RESOLUTION = 1337
#rdisp/TRACE_LOGGING = on
#rdisp/TRACE_HIDE_SEC_DATA = off
#rdisp/TRACE_COMPS = 7
#enque/TRACE = 7
#alert/TRACE = 7
#service/trace = 7
#rdisp/configurable_wp_no = 0
#rdisp/wp_max_no = 0
#rdisp/wp_no_dia = 1
#rdisp/wp_no_btc = 0
#rdisp/wp_no_vb = 0
#rdisp/wp_no_vb2 = 0
#rdisp/wp_no_spo = 0
70

71. 71
Instance profile cfg
#rdisp/TRACE = 1337
#rdisp/TRACE_RESOLUTION = 1337
#rdisp/TRACE_LOGGING = on
#rdisp/TRACE_HIDE_SEC_DATA = off
#rdisp/TRACE_COMPS = 7
#enque/TRACE = 7
#alert/TRACE = 7
#service/trace = 7 + RESTART SYSTEM
#rdisp/configurable_wp_no = 0
#rdisp/wp_max_no = 0
#rdisp/wp_no_dia = 1
#rdisp/wp_no_btc = 0
#rdisp/wp_no_vb = 0
#rdisp/wp_no_vb2 = 0
#rdisp/wp_no_spo = 0
71

72. 72
Random ShmKey …
• After restart

73. 73
Random ShmKey …
• After restart
– Jstart started

74. 74
Random ShmKey …
• After restart
– Jstart started
– “Random” ShmKeyStrting indeed random

75. 75
Random ShmKey …
• After restart
– Jstart started
– “Random” ShmKeyStrting indeed random
– This key is NOT working
“xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAx”

76. 76
Random ShmKey …

77. 77
HOW CONVERT THIS BUG TO REMOTE RCE WITHOUT LOCAL PF
MODIFICATION?

78. 78
HOW ABOUT JSTART …

79. 79

80. 80
HOW ABOUT JSTART …
Plan A:
Run
authBypassOSExec_poc.py (with “magic key”)

81. 81
HOW ABOUT JSTART …
Plan A:
Run
authBypassOSExec_poc.py (with “magic key”)
try to kill jstart

82. 82
HOW ABOUT JSTART …
Plan A:
Run
authBypassOSExec_poc.py (with “magic key”)
try to kill jstart (now only local)

83. 83
HOW ABOUT JSTART …
Plan A:
Run
authBypassOSExec_poc.py (with “magic key”)
try to kill jstart (now only local)
$ killall –r jstart -9

84. 84
• AND

85. 85

86. 86
PLAN B
• Ok, time for plan B

87. 87
PLAN B
• Plan B

88. 88
PLAN B
• ICMAN …

89. 89
PLAN B

90. 90
PLAN B
Q:
How do you think it killed both jstart and icman at the same
time?

91. 91
PLAN B
A:

92. 92
PLAN B

93. 93
PLAN B
• ICMAN
$ authBypassOSExec_poc.py
$ killall -r icman -r jstart -9

94. 94
DEMO 2

95. 95
REMOTE RCE
• PLAN
– Run authBypassOSExec_poc.py (with a magic key)

96. 96
REMOTE RCE
• PLAN
– Run authBypassOSExec_poc.py (with magic key)
– Find remote DoS for jstart

97. 97
REMOTE RCE
• PLAN
– Run authBypassOSExec_poc.py (with magic key)
– Find remote DoS for jstart
– Find remote DoS for icman

98. 98
JSTART
JSTART – Application server for Java

99. 99
JSTART
• DoS after ≈ 3 days

100. 100
JSTART DoS
• DoS after ≈ 3 days
• Possible race condition

101. 101
JSTART DoS
• DoS after ≈ 3 days
• Possible race condition
• Jstart restart after a crash

102. 102
JSTART DoS
• DoS after ≈ 3 days
• Possible race condition
• Jstart restart after a crash
• EASY TARGET ^_^

103. 103
JSTART DoS
Multiply request:
"x00x00x00x1cNI_RTERRx00yx04x00x00ASDx00x00x00x04DAAAAAAA“

104. 104
ICM
• ICM …

105. 105
ICM
•ICM …

106. 106
ICM
•ICM…

107. 107
ICM
• ICM in the SAP NetWeaver Application Server.
The ICM is a component of the SAP NetWeaver
Application Server. It is implemented as a
separate process, which is started and monitored
by the ABAP dispatcher.
• One of core component of SAP

108. 108
ICM
– Binary name icman.exe
– Size 5.7M
– IDA db ~ 100M
– One of core components of SAP => heavily audited

109. 109
ICM
• ICM (icman) … cve details

110. 110
ICM
• ICM (icman) … cve details
Last DoS found in 2014 …

111. 111
ICM
• ICM (icman) … cve details
Last DoS found in 2014 …
via unknown vectors

112. 112
ICM DoS
• DoS after …
Not so easy ...

113. 113
ICM DoS
After

114. 114
ICM DoS
≈ 35 days

115. 115
ICM DoS
≈ 35 days + some weekends

116. 116
ICM DoS
• Multiple requests :
'get / HTTP/1.0rnhost:rncookie: ;x0c%srnrn' % ("x0c" * 0x1b58)
• icman restart after a crash

117. 117
PROBLEMS …
• Race conditions …
• If We kill jstart before icman => NO RCE
• Small gap for a magic key between jstart and
icman start

118. 118
Video 3 - RCE

119. 119
Solutions…
• ICM DoS:
– SAP note 2256185 (Dmitry Yudin)
• Jstart DoS:
– SAP note 2259547 (Dmitry Yudin)
• MC auth bypass:
– SAP note 2259547 (Dmitry Chastuhin, Dmitry Yudin)

120. 120
Conclusion
• Don’t give up. If you can't exploit vulnerability
using one issue try to find another way to trigger
it
• Holistic approach + correlation (code, SOD,
vulnerabilities)
• Probably a lot of vulnerabilities still do exist on a
binary level of different SAP services
• Have fun!

121. 121121
About
228 Hamilton Avenue, Fl. 3,
Palo Alto, CA. 94301
USA HQ
Luna ArenA 238 Herikerbergweg,
1101 CM Amsterdam
EU HQ
www.erpscan.com
info@erpscan.com
@_chipik @ret5et