Vulnerabilities / Threats
4/15/2010
03:56 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

SAP, Other ERP Applications At Risk Of Targeted Attacks

Black Hat Europe researcher demonstrates techniques for inserting 'backdoors' into popular enterprise resource planning apps that aren't properly secured

Backdoor Trojans and rootkits that let attackers gain a foothold and remain entrenched in a compromised system aren't just for Windows PCs anymore -- SAP and other enterprise resource planning (ERP) applications are also susceptible to this form of attack.

Click here for more of Dark Reading's Black Hat articles.
A researcher at Black Hat Europe in Barcelona this week demonstrated techniques for inserting into SAP applications backdoors that provide attackers a way to gain control of them. Mariano Nunez Di Croce, director of research and development at Onapsis, says an attacker would initially exploit weak database protections or vulnerabilities in the underlying operating system, for instance, to gain access to the SAP apps and data.

The hacks don't exploit any new or existing vulnerabilities in SAP. Once the system is compromised, the attacker would grab the necessary elevated privileges to insert the stealthy backdoor code and remain under the radar to pilfer sensitive information. With the backdoor presence, the attacker could modify a victim company's electronic payments to a vendor, for example. "So every automated payment to that vendor would go to the attacker's [bank] account [instead]," Nunez Di Croce says.

But most organizations today don't consider SAP or other ERP apps a big target for attackers, Nunez Di Croce says. "They think of SAP security as segregation of duties, and management of user name and profiles," he says. "But it's much more than that."

ERP systems, which are tied in with a database platform and often contain multiple interfaces to other apps, run sensitive business processes, such as financial, sales, production, expenditures, billing, and payroll, so any such targeted attacks would be damaging financially and production-wise, Nunez Di Croce says. "This is very sensitive data the applications handle. They are running the most important business processes in the company," he says.

Nunez Di Croce will release a free tool in the next week for detecting the presence of SAP backdoors called Onapsis Integrity Analyzer for SAP. The tool checks for changes or modifications in the application's database and flags any suspicious activity that needs to be addressed. Onapsis is also developing a commercial product that performs vulnerability assessments and penetration testing on SAP applications, Nunez Di Croce says.

In one demo at Black Hat, Nunez Di Croce showed how an attacker could capitalize on unsecured integration settings between the SAP app and another application running on the system to then take over the SAP app with elevated user privileges. "The attacker then could install a hidden login account" that he could use to come and go, without the real system administrator even noticing it, he says.

He also showed how an attacker could exploit the underlying database to insert a backdoor. The attack connects directly to the production database so the attacker can modify code in the SAP production system, he says. A third demo showed how an attacker could bypass security settings to modify the SAP app's authentication. "Someone could modify the login program so that the next time someone logs into the SAP application, a backdoor sends the user name and password to a remote Web server," Nunez Di Croce says.

The bad news is that even if an SAP or ERP backdoor is discovered, it's difficult to limit the attacker's access and activity. "It's difficult to prevent him from doing anything if he has full control: He's like a full [systems] administrator. How can you stop him from creating a new user or new privileges?" Nunez Di Croce says.

The best bet is to minimize risk by using automated controls and performing regular security assessments of the SAP applications, as well as penetration tests, he says. "You want to minimize the [chance of an] initial compromise," Nunez Di Croce says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1032
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in the Euroling SiteSeeker module 3.x before 3.4.5 for EPiServer allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party inf...

CVE-2012-1417
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.

CVE-2012-1506
Published: 2014-09-17
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from th...

CVE-2012-1507
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index...

CVE-2012-2583
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email.

Best of the Web
Dark Reading Radio