Hiding SAP Attacks In Plain Sight

Black Hat presenter uses test service and server-side request forgery to root SAP deployments
As some of the biggest processors of regulated data in any large organization, business-critical applications like enterprise resource planning (ERP) applications from SAP are well within the purview of compliance auditors and malicious attackers. And yet many organizations feel that if these systems are set behind firewalls, they're safely segmented enough to not require further hardening. But as one researcher demonstrated at Black Hat USA in Las Vegas last week, business-critical application servers never process data as an island. And in those connections are opportunities for attack by hiding malicious packets within admissible ones.

Click here for more of Dark Reading's Black Hat articles.

Called server-side request forgery (SSRF), the attack technique highlighted by Alexander Polyakov, head of Russian firm ERPScan, makes it possible to execute a multichained attack on SAP applications that can be executed from the Internet while bypassing firewalls, IDS systems, and internal SAP security configurations.

First publicly detailed in 2008 at ShmooCon, SSRF has been around for a while, but this is the first time a researcher has shown how it can be used as a means to attack vulnerabilities in business-critical applications like SAP. The general principle behind SSRF is that the attacker avoids detection and blocking of malicious server requests by hiding those requests within packets normally admissible by a service running to a secured server. The malicious packet could include exploits that take advantage of vulnerabilities on the server that would be otherwise difficult to exploit due to proper network segmentation.

Such an attack method is particularly juicy for SAP and other ERP implementations. Often these systems run with numerous open vulnerabilities because of the complications of patching such complex and customized deployments. Instead, organizations often depend primarily on firewalls for protection.

"Most companies usually don't patch them and secure those systems using firewalls and DMZs," Polyakov said, explaining on its face it appears to business leaders that attackers have to bypass three or more lines of defense before they get to the vulnerability. "It looks OK until somebody finds a way to attack a secured system through trusted sources."

Polyakov demonstrated at Black Hat how, using an SSRF attack, he was able to take advantage of a critical vulnerability in XML parsing and a test service used by SAP named after the famous Dilbert cartoon character to root a secured system with a single request from the Internet.

"It was epic," Polyakov said of his discovery of the relatively unknown service he used to execute his attacks. "There's a Web service in SAP called dilbertmsg service -- I'm not kidding. It was created for testing purposes, and when you send some kind of request to it, it answers with a lot of funny Dilbert jokes. It's a test service, but it can be accessed without any authentication."

Meanwhile, Polyakov took advantage of the XML parsing vulnerability through an XML eXternal Entity (XXE) attack, which takes advantage of improper parsing to allow him to use malformed XML input in his attack. Doing so enables what he calls XXE tunneling, where it is possible for an attacker to use a vulnerable system as a tunnel to break into secured networks in order to exploit business-critical systems like process integration systems, which use XML interfaces.

"Those systems connect other business software, like Bank Processing, ERP, SCADA and even PLC devices. By compromising those systems, which usually can be accessed from the Internet, it is possible to disrupt the most valuable corporate resources," Polyakov said.

According to Polyakov, SAP recently fixed the flaw that made it possible for him to carry out the XXE tunneling attack he demonstrated at Black Hat, but organizations that fail to patch this and other flaws could be at risk of such an attack. He also stressed that this attack technique has much broader implications beyond SAP and into Oracle and other systems.

Meanwhile, his firm released a new penetration testing tool called XXEScanner that can help organizations identify SAP deployments that could be vulnerable to such SSRF attacks as the one he demonstrated.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.