SAP BUGS: The Phantom Security

SAP NetWeaver is the most popular platform for ERP and business-process automation. It consists of two components, AS ABAP and AS JAVA, which can run either independently or together on one platform.

For these components, developers can write their own programs to meet custom corporate requirements. On top of SAP NetWeaver AS ABAP and AS JAVA, SAP has released many modules written in ABAP or Java: applications for business-process automation, CRM, SRM, and others.

The full attack scenario is:

  1. An attacker uses a directory traversal vulnerability to read the administrator password from a system configuration file.

  2. He/she then decrypts this password and logs in to the SAP CRM portal.

  3. Next, the attacker uses another directory traversal vulnerability to change the SAP log file path to the web application's root directory.

  4. Finally, using a specially crafted request, he/she injects JavaScript RCE code into the log file and invokes it anonymously from a remote web server.
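Steps 1 and 3 of the chain both hinge on a file-path parameter that is not confined to the directory it was meant for. The following is an added defensive example, not code from the talk or from SAP: it shows the canonicalisation check that closes that class of bug (a path is accepted only if, after URL decoding and normalisation, it is a plain file name inside an allowed root) and a small detector that flags traversal sequences in access-log request lines. The root directory `LOG_ROOT`, the query-parameter names and the log lines are constructed for the example and are not SAP paths or real traffic.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed example: the only directory the application may write log files into.
LOG_ROOT = "/var/app/logs"

# Traversal sequences, raw and URL-encoded, as they appear in request lines.
TRAVERSAL_RE = re.compile(
    r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e%2e%5c)", re.IGNORECASE
)


def resolve_within_root(root: str, requested: str) -> Optional[str]:
    """Return the canonical path if `requested` is a plain file name inside `root`,
    otherwise None.

    The request value is URL-decoded twice (so a double-encoded '..' is seen
    for what it is), joined to the root and resolved with os.path.realpath,
    which folds '..' segments and follows symlinks. The result is accepted only
    if its parent directory is exactly the resolved root; subdirectories,
    absolute paths and Windows-style separators are all rejected.
    """
    candidate = unquote(unquote(requested))
    if not candidate or candidate.startswith(("/", "\\")):
        return None
    if "\\" in candidate or ":" in candidate:
        return None
    root_real = os.path.realpath(root)
    full = os.path.realpath(os.path.join(root_real, candidate))
    # Both sides are resolved the same way, so a symlinked root (e.g. /var on
    # macOS) compares consistently.
    if os.path.dirname(full) != root_real or full == root_real:
        return None
    return full


def find_traversal_requests(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, request_path) for access-log lines whose request
    path contains a traversal sequence, either literally or after URL decoding."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(log_lines, start=1):
        match = re.search(r'"(?:GET|POST|PUT|DELETE) (\S+)', line)
        if not match:
            continue
        raw_path = match.group(1)
        decoded = unquote(unquote(raw_path))
        if TRAVERSAL_RE.search(raw_path) or "../" in decoded or "..\\" in decoded:
            hits.append((number, raw_path))
    return hits


# Constructed access-log lines (common log format); not captured traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /app/view?file=report.txt HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /app/view?file=..%2F..%2Fconfig%2Fsettings.xml HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "POST /app/setLogPath?path=../../webroot/ HTTP/1.1" 200 17',
]


if __name__ == "__main__":
    for value in ("app.log", "../../webroot/app.log", "..%2F..%2Fwebroot%2Fapp.log", "/tmp/app.log"):
        print(f"{value!r:40} -> {resolve_within_root(LOG_ROOT, value)}")
    for number, path in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt on log line {number}: {path}")
```

The same check applies to the log-path setting in step 3: an administrator-facing "change log file location" feature should accept a file name and place it under a fixed directory, never a caller-supplied directory. The detector is deliberately simple (one regex plus double decoding) so it can run over a log tail in a SIEM pipeline; alerting on a 200 response to such a request is the useful signal, since a 4xx shows the server already refused it.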

In this talk, we will show how attackers can gain full access to the SAP NetWeaver platform using a simple chain of web vulnerabilities.

Outline

  • SAP NetWeaver
    • What is it?
    • Where is it used?
    • Architecture
  • SAP NetWeaver AS JAVA
    • SAP NetWeaver AS JAVA Redwood
    • What is it?
    • Directory traversal in Redwood
    • Demo: reproducing the vulnerability
  • SAP NetWeaver AS JAVA CRM
    • What is it?
    • Directory traversal in CRM
    • RCE via log injection
    • Privilege escalation
    • Demo: reproducing the vulnerabilities
  • Demo of the vulnerability chain (gaining full access to SAP)
  • Conclusion

About the Speakers