7/31/2012
01:13 AM

Hiding SAP Attacks In Plain Sight

Black Hat presenter uses test service and server-side request forgery to root SAP deployments

As some of the biggest processors of regulated data in any large organization, business-critical applications like enterprise resource planning (ERP) systems from SAP are well within the purview of compliance auditors and malicious attackers alike. And yet many organizations assume that once these systems sit behind firewalls, they are segmented well enough to need no further hardening. But as one researcher demonstrated at Black Hat USA in Las Vegas last week, business-critical application servers never operate as islands: they exchange data with other systems inside and outside the perimeter, and each of those connections is a place where an attacker can smuggle a malicious request inside traffic the firewall is configured to admit.


Called server-side request forgery (SSRF), the attack technique highlighted by Alexander Polyakov, head of Russian firm ERPScan, lets an attacker chain several steps into a single attack on SAP applications, launched from the Internet while bypassing firewalls, intrusion detection systems, and SAP's own internal security configuration.

First publicly detailed in 2008 at ShmooCon, SSRF has been around for a while, but this is the first time a researcher has shown how it can be used to reach vulnerabilities in business-critical applications like SAP. The general principle behind SSRF is that an attacker who cannot reach an internal server directly instead sends a request to an Internet-facing server that is allowed to talk to it, crafted so that the front-end server issues a second request on the attacker's behalf. Because that second request originates from a trusted host inside the perimeter, it is neither blocked nor flagged, and its payload can carry an exploit for a vulnerability that proper network segmentation would otherwise put out of reach.

Such an attack method is particularly juicy against SAP and other ERP implementations. These systems often run with numerous unpatched vulnerabilities because patching such complex, heavily customized deployments is disruptive, so organizations instead rely primarily on firewalls for protection.

"Most companies usually don't patch them and secure those systems using firewalls and DMZs," Polyakov said, explaining that, on its face, it appears to business leaders that attackers must bypass three or more lines of defense before they reach the vulnerability. "It looks OK until somebody finds a way to attack a secured system through trusted sources."

Polyakov demonstrated at Black Hat how, using an SSRF attack, he was able to combine a critical XML parsing vulnerability with an unauthenticated SAP test service named after the famous Dilbert cartoon character to root a secured system with a single request from the Internet.

"It was epic," Polyakov said of his discovery of the relatively unknown service he used to execute his attacks. "There's a Web service in SAP called dilbertmsg service -- I'm not kidding. It was created for testing purposes, and when you send some kind of request to it, it answers with a lot of funny Dilbert jokes. It's a test service, but it can be accessed without any authentication."

Polyakov reached the XML parsing vulnerability through an XML eXternal Entity (XXE) attack. The XML input is well-formed but crafted: its DOCTYPE declares an external entity whose identifier is a URL, and a parser that resolves such entities fetches that URL itself, turning an inbound document into an outbound request made by the server. This is what he calls XXE tunneling: the vulnerable system becomes a tunnel into the secured network, letting the attacker reach business-critical systems such as process integration systems, whose XML interfaces are the next link in the chain.
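The following is an added illustration of the SSRF principle above and of the XXE step that realizes it; it is not code from the article, from Polyakov's talk or from ERPScan, and it does not reproduce his payload. It uses Python's bundled expat bindings to show two things: a parser that honours external entities records the URL it would have fetched on the sender's behalf (the forged server-side request), and a parser that refuses any DOCTYPE cannot be made to fetch anything. The host names, paths and sample documents are constructed for the example; the parameter-entity variant goes beyond what the article describes but is the same mechanism at DTD-processing time.

```python
import xml.parsers.expat as expat

# Constructed inbound document (not Polyakov's payload): a DOCTYPE declares an
# external general entity whose system identifier is a URL on a host that is
# reachable from the XML-parsing server but not from the Internet. Host names
# and paths are hypothetical.
XXE_DOCUMENT = """<?xml version="1.0"?>
<!DOCTYPE request [
  <!ENTITY internal SYSTEM "http://pi.internal.example/soap/">
]>
<request>&internal;</request>
"""

# Constructed variant using a parameter entity: the fetch happens while the DTD
# itself is processed, before any element content is reached. Also hypothetical.
XXE_PARAM_DOCUMENT = """<?xml version="1.0"?>
<!DOCTYPE request [
  <!ENTITY % dtd SYSTEM "http://pi.internal.example/dtd">
  %dtd;
]>
<request/>
"""

# Constructed ordinary request with no DOCTYPE at all.
BENIGN_DOCUMENT = """<?xml version="1.0"?>
<request>hello</request>
"""


def parse_permissive(document):
    """Parse the way a naive server does: honour external entity references.

    Returns the list of URLs the parser asked to fetch. The handler records
    each URL instead of fetching it; a real server would issue that request
    itself, from its own address inside the firewall, which is the forged
    server-side request the article describes.
    """
    requested = []

    def on_external_entity(context, base, system_id, public_id):
        requested.append(system_id)
        # A non-zero return tells expat the entity was handled (here: treated
        # as empty) so parsing continues; returning 0 would abort the parse.
        return 1

    parser = expat.ParserCreate()
    # Also resolve parameter entities so the DTD-time variant is exercised.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(document, True)
    return requested


def parse_hardened(document):
    """Parse the way a hardened server should: refuse any DOCTYPE.

    Without a DOCTYPE no entity can be declared, so no external fetch can be
    triggered at all. Raises ValueError on offending input; otherwise returns
    the document's text content.
    """
    text = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE not accepted: refusing entity declarations")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = text.append
    parser.Parse(document, True)
    return "".join(text)


def hardened_rejects(document):
    """True if the hardened parser refuses the document, False if it parses."""
    try:
        parse_hardened(document)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, doc in (("general entity", XXE_DOCUMENT),
                       ("parameter entity", XXE_PARAM_DOCUMENT),
                       ("benign", BENIGN_DOCUMENT)):
        print(f"{label:17s} naive parser would fetch: {parse_permissive(doc)}"
              f"  hardened parser rejects: {hardened_rejects(doc)}")
```

The point of the hardened variant is that it does not try to recognize bad entities; it removes the capability. Rejecting the DOCTYPE outright is the check to apply at any Internet-facing XML endpoint, including test services that were never meant to be exposed, because a parser that never sees an entity declaration has nothing to resolve.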

"Those systems connect other business software, like Bank Processing, ERP, SCADA and even PLC devices. By compromising those systems, which usually can be accessed from the Internet, it is possible to disrupt the most valuable corporate resources," Polyakov said.

According to Polyakov, SAP recently fixed the flaw that made the XXE tunneling attack he demonstrated at Black Hat possible, but organizations that fail to apply this and other patches remain exposed to the technique. He also stressed that the technique applies well beyond SAP, to Oracle and other systems.

In addition, his firm released a new penetration testing tool called XXEScanner that can help organizations identify SAP deployments vulnerable to SSRF attacks like the one he demonstrated.
