Exploits Target SAP Applications

Published: 22/11/2024   Category: security


Black Hat DC researcher to demonstrate exploits against Web-enabled SAP apps



A researcher at next week's Black Hat DC will show how attackers can target an enterprise's Web-enabled SAP applications by exploiting the way enterprises have misconfigured them, as well as some inherent design issues in the enterprise resource planning (ERP) apps.
Mariano Nunez Di Croce, director of research and development for Onapsis, will demonstrate bypassing authentication in SAP Enterprise Portal, injecting a backdoor into a compromised SAP Enterprise Portal, internal port-scanning via SAP Web services, and exploiting vulnerable SAP Web services.
Because SAP apps are becoming more Internet-connected, they are also becoming more of a target for cyberespionage, sabotage, and fraud purposes, he says. SAP's Web-based apps include Enterprise Portal, Internet Communication Manager (ICM), and Internet Transaction Server (ITS), which come with security features. But Onapsis has found via penetration tests that most of its own customers, which include Fortune 100 firms, have not properly locked down their SAP apps, which typically run sensitive business processes, such as finance, sales, production, expenditures, billing, and payroll.
Most customers don't change the default [user and password] settings [for SAP], Nunez Di Croce says. Ninety-five percent of them are susceptible to being compromised and to possible espionage and fraud due to these default settings remaining unchanged, he says.
In previous research, Di Croce showed how an attacker can insert backdoor Trojans and rootkits into SAP applications that aren't properly secured. The attacks took advantage of unsecured integration settings between the SAP app and another application running on the system to then take over the SAP app with elevated user privileges. Nunez Di Croce also showed how an attacker could exploit the underlying database to insert a backdoor. The attack connects directly to the production database so the attacker can modify code in the SAP production system, he says.
At Black Hat DC, Nunez Di Croce will use exploits created by Onapsis that mainly take advantage of poorly configured SAP apps, as well as prey on the apps' design. These attacks are possible due to design issues and the failure of customers to configure systems securely, he says.
The authentication bypass attack on SAP Enterprise Portal has been known about since 2006, but mostly only within SAP circles, Nunez Di Croce says. The attack, which exploits the way third-party access management tools are integrated with the portal, can basically let an intruder impersonate an authenticated third-party tool and gain access to the Enterprise Portal -- even though it uses two-factor authentication.
An attacker could then take control of the portals on the enterprise's intranet, steal customer data, sabotage the system, or gain access to back-end SAP systems, Nunez Di Croce says. This delegation of authentication mechanisms for Enterprise Portal with an external solution is flawed, he says. We still find this [misconfigured] a lot.
He'll also show how an attacker could inject a backdoor into a compromised SAP Enterprise Portal to get a foothold into the system for future access, for instance, as well as how to use internal port scanning via SAP Web services to discover systems and apps on the targeted network.
Nunez Di Croce says he's not releasing any of his exploit tools at this time.
What can SAP users do to protect their apps? Follow SAP's security recommendations for configuring the various components, he says, which range from restricting access to unused functionality and deploying servers in protected DMZs to applying the SAP instances' own security settings.
We are trying to raise awareness on the fact that SAP security is more than segregation-of-duties controls, which is what the industry has been focusing on for the last 10 years, Nunez Di Croce says.
SAP has instituted a more regular patching cycle, he says, as well as adding other security features to the apps. We have been closely working with them since 2006 and we always keep them aware of our research before going public. In this case, while the attacks described are new, the base security problems that enable them have been known for a long time, he says.