
Hiding SAP Attacks In Plain Sight

Black Hat presenter uses test service and server-side request forgery to root SAP deployments

As some of the biggest processors of regulated data in any large organization, business-critical applications such as enterprise resource planning (ERP) systems from SAP draw the attention of compliance auditors and malicious attackers alike. And yet many organizations assume that once these systems are placed behind firewalls, they are segmented well enough to need no further hardening. But as one researcher demonstrated at Black Hat USA in Las Vegas last week, a business-critical application server never processes data as an island. Its connections to other systems give an attacker an opening: hide a malicious request inside one that the secured server is allowed to receive.


The technique, called server-side request forgery (SSRF) and highlighted by Alexander Polyakov, head of the Russian firm ERPScan, makes it possible to chain several steps into a single attack on SAP applications that is launched from the Internet yet bypasses firewalls, intrusion detection systems, and the SAP deployment's own internal security configuration.

First publicly detailed in 2008 at ShmooCon, SSRF has been around for a while, but this is the first time a researcher has shown how it can be used to attack vulnerabilities in business-critical applications like SAP. The general principle behind SSRF is that the attacker avoids detection and blocking of a malicious request by hiding it inside a request that an exposed, trusted service is permitted to make to the secured server; the secured server sees traffic from a source it trusts, not from the Internet. The forwarded request can carry an exploit for a vulnerability on that server that would otherwise be unreachable because of proper network segmentation.

Such an attack method is particularly attractive against SAP and other ERP implementations. These systems often run with numerous unpatched vulnerabilities because patching such complex, heavily customized deployments is difficult, so organizations depend primarily on firewalls for protection instead.

"Most companies usually don't patch them and secure those systems using firewalls and DMZs," Polyakov said, explaining that, on its face, it appears to business leaders that attackers have to bypass three or more lines of defense before they get to the vulnerability. "It looks OK until somebody finds a way to attack a secured system through trusted sources."

Polyakov demonstrated at Black Hat how, using an SSRF attack, he was able to take advantage of a critical vulnerability in XML parsing and a test service used by SAP named after the famous Dilbert cartoon character to root a secured system with a single request from the Internet.

"It was epic," Polyakov said of his discovery of the relatively unknown service he used to execute his attacks. "There's a Web service in SAP called dilbertmsg service -- I'm not kidding. It was created for testing purposes, and when you send some kind of request to it, it answers with a lot of funny Dilbert jokes. It's a test service, but it can be accessed without any authentication."

Polyakov exploited the XML parsing vulnerability through an XML eXternal Entity (XXE) attack, which abuses a parser that resolves external entities: the attacker submits well-formed XML whose DOCTYPE declares an entity pointing at a URL of his choosing, and the parser on the receiving server fetches that URL on his behalf. Doing so enables what he calls XXE tunneling, where an attacker uses a vulnerable system as a tunnel into secured networks in order to exploit business-critical systems such as process integration systems, which expose XML interfaces.
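To make the SSRF principle and the XXE tunnel concrete, here is an added example that is not code from the talk, from ERPScan, or from SAP. It uses Python's bundled expat parser: the "vulnerable" parser resolves the attacker's external entity, which means the parser's own host issues a request to an internal URL the attacker picked and the response lands in the parsed document; the two hardened parsers either ignore the entity or reject any DTD. The host name, port, paths and response bodies are constructed stand-ins, nothing here touches the network, and the dilbertmsg request format is not shown in the article and is not reproduced.

```python
"""XXE used as an SSRF tunnel, alongside two fixes.

Added example, not code from the talk, ERPScan, or SAP. Host names,
ports, paths and responses are constructed stand-ins; no network I/O.
"""
import xml.parsers.expat as expat

# Constructed stand-in for hosts the exposed server can reach but the
# Internet cannot. A real XXE would make the parser issue these requests.
INTERNAL_HOSTS = {
    "http://sap-internal.example:50000/sap/public/info": b"SAP NetWeaver (constructed response)",
    "http://sap-internal.example:50000/sap/bc/ping": b"pong",
}

# Constructed attacker document: the DOCTYPE declares an external entity
# whose SYSTEM identifier is an internal URL, then references it.
ATTACKER_XML = b"""<?xml version="1.0"?>
<!DOCTYPE msg [
  <!ENTITY xxe SYSTEM "http://sap-internal.example:50000/sap/public/info">
]>
<msg>&xxe;</msg>"""

BENIGN_XML = b"<msg>hello</msg>"


def fetch(url):
    """Stand-in for the HTTP request the parser is tricked into making."""
    if url not in INTERNAL_HOSTS:
        raise KeyError("unreachable: " + url)
    return INTERNAL_HOSTS[url]


def parse_vulnerable(xml_bytes):
    """Resolve external entities. The parser's host fetches the attacker's
    SYSTEM URL and the response body becomes part of the document text.
    Returns (text, list of URLs the parser requested)."""
    text, requests = [], []
    parser = expat.ParserCreate()

    def on_external_entity(context, base, system_id, public_id):
        requests.append(system_id)            # the SSRF happens here
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(fetch(system_id), True)   # child inherits the handlers
        return 1

    parser.CharacterDataHandler = text.append
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(text), requests


def parse_hardened(xml_bytes):
    """No external-entity handler: expat skips the reference, so no
    request is made and nothing internal reaches the output."""
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text), []


class DoctypeRejected(ValueError):
    pass


def parse_strict(xml_bytes):
    """Refuse any DTD at all (the same policy as defusedxml's forbid_dtd):
    an integration endpoint has no reason to accept entity declarations."""
    text = []
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected("DOCTYPE not allowed: " + name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text), []


def strict_accepts(xml_bytes):
    """True if the strict parser accepts the document."""
    try:
        parse_strict(xml_bytes)
        return True
    except DoctypeRejected:
        return False


if __name__ == "__main__":
    print("vulnerable:", parse_vulnerable(ATTACKER_XML))
    print("hardened:  ", parse_hardened(ATTACKER_XML))
    print("strict:    ", strict_accepts(ATTACKER_XML), strict_accepts(BENIGN_XML))
```

The vulnerable variant returns the internal response as the element's text, which is the tunnel: the request left the parser's host, not the attacker's, and the result came back inside the reply to the attacker's original request. The hardened variant is what Python's expat does by default when no external-entity handler is installed; the strict variant is the setting to prefer on any endpoint that accepts XML from outside, since a single DOCTYPE is the only thing the attacker needs.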

"Those systems connect other business software, like Bank Processing, ERP, SCADA and even PLC devices. By compromising those systems, which usually can be accessed from the Internet, it is possible to disrupt the most valuable corporate resources," Polyakov said.

According to Polyakov, SAP recently fixed the flaw behind the XXE tunneling attack he demonstrated at Black Hat, but organizations that fail to apply this and other patches remain exposed to such an attack. He also stressed that the technique has much broader implications beyond SAP, reaching into Oracle and other systems.

His firm has also released a new penetration testing tool called XXEScanner that can help organizations identify SAP deployments vulnerable to SSRF attacks like the one he demonstrated.
