A researcher at next week's Black Hat DC will show how attackers can target an enterprise's Web-enabled SAP applications by exploiting the way enterprises have misconfigured them, as well as some inherent design issues in the enterprise resource management (ERP) apps.

Mariano Nunez Di Croce, director of research and development for Onapsis, will demonstrate bypassing authentication in SAP Enterprise Portal, injecting a backdoor into a compromised SAP Enterprise Portal, internal port-scanning via SAP Web services, and exploiting vulnerable SAP Web services.

Because SAP apps are becoming more Internet-connected, they are also becoming more of a target for cyberespionage, sabotage, and fraud purposes, he says. SAP's Web-based apps include Enterprise Portal, Internet Communication Manager (ICM), and Internet Transaction Server (ITS), which come with security features. But Onapsis has found via penetration tests that most of its own customers, which include Fortune 100 firms, have not properly locked down their SAP apps, which typically run sensitive business processes, such as finance, sales, production, expenditures, billing, and payroll.

"Most customers don't change the default [user and password] settings [for SAP]," Nunez Di Croce says. "Ninety-five percent of them are susceptible to being compromised and to possible espionage and fraud" due to these default settings remaining unchanged, he says.

In previous research, Di Croce showed how an attacker can insert backdoor Trojans and rootkits into SAP applications that aren't properly secured. The attacks took advantage of unsecured integration settings between the SAP app and another application running on the system to then take over the SAP app with elevated user privileges. Nunez Di Croce also showed how an attacker could exploit the underlying database to insert a backdoor. The attack connects directly to the production database so the attacker can modify code in the SAP production system, he says.

At Black Hat DC, Nunez Di Croce will use exploits created by Onapsis that mainly take advantage of poorly configured SAP apps, as well as prey on the apps' design. "These attacks are possible due to design issues and the failure of customers to configure systems securely," he says.

The authentication bypass attack on SAP Enterprise Portal has been known about since 2006, but mostly only within SAP circles, Nunez Di Croce says. The attack, which exploits the way third-party access management tools are integrated with the portal, can basically let an intruder impersonate an authenticated third-party tool and gain access to the Enterprise Portal -- even though it uses two-factor authentication.

An attacker could then take control of the portals on the enterprise's intranet, steal customer data, sabotage the system, or gain access to back-end SAP systems, Nunez Di Croce says. "This delegation of authentication mechanisms for Enterprise Portal with an external solution is flawed," he says. "We still find this [misconfigured] a lot."

He'll also show how an attacker could inject a backdoor into a compromised SAP Enterprise Portal to get a foothold into the system for future access, for instance, as well as how to use internal port scanning via SAP Web services to "discover" systems and apps on the targeted network.

Nunez Di Croce says he's not releasing any of his exploit tools at this time.

What can SAP users do to protect their apps? Follow SAP's security recommendations for configuring the various components, he says, which range from restricting access to unused functionality, deploying servers in protected DMZs, and applying SAP instances' own security settings.

"We are trying to raise awareness on the fact that SAP security is more than segregation-of-duties controls, which is what the industry has been focusing on for the last 10 years," Nunez Di Croce says.

SAP has instituted a more regular patching cycle, he says, as well as adding other security features to the apps. "We have been closely working with them since 2006 and we always keep them aware of our research before going public. In this case, while the attacks described are new, the base security problems that enable them have been known for a long time," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.