Training course materials and research notes that I created to teach how to perform a technical security audit and penetration test of SAP (hosted on-premises).
- 0. Useful tools and resources
- 1. SAP security controls and configuration hardening review
- 2. How to get unauthorized access to SAP tables and data using SAP transactions
- 3. How to get remote OS commands execution using SAP transactions
- 4. Risks of having the ABAP Debugger enabled in production environment
- 5. Sensitive information disclosure from SAP Spool
- 6. Development kits and transactions
- 7. SAP user and access management
- 8. SAP Hana database security configuration review
- 9. SAP penetration testing using NMAP and the Metasploit framework
Useful tools for auditing SAP
—————————————————————————————
➤ SAPgui - GUI client for SAP ERP (https://community.sap.com/topics/gui)
➤ Database clients (e.g. HDBSQL, sql*plus)
➤ NMAP - Network port scanner (https://nmap.org)
➤ Metasploit penetration testing framework (https://www.metasploit.com)
➤ 'John the Ripper' - Password cracker (https://www.openwall.com/john/)
➤ Various scripts (source:kali/Github/your owns)
Useful resources regarding SAP security
———————————————————————————————————————
➤ SAP provides multiple security guides:
- Security Guide for SAP S/4HANA 2022 (dating from 2023-11-15)
➤ https://help.sap.com/doc/d7c2c95f2ed2402c9efa2f58f7c233ec/2022/en-US/SEC_OP2022.pdf
- Security Guide for SAP S/4HANA 2021 (dating from 2023-11-08)
➤ https://help.sap.com/doc/d7c2c95f2ed2402c9efa2f58f7c233ec/2021/en-US/SEC_OP2021.pdf
- SAP NetWeaver Security Guide
➤ https://help.sap.com/docs/SAP_NETWEAVER_AS_ABAP_FOR_SOH_740/621bb4e3951b4a8ca633ca7ed1c0aba2/4aaf6fd65e233893e10000000a42189c.html
- Protect Your SAP S/4HANA Cloud (Security Recommendations)
➤ https://help.sap.com/docs/SAP_S4HANA_CLOUD/55a7cb346519450cb9e6d21c1ecd6ec1/52a1403b71464a8580bc2211b7ce0e32.html?locale=en-US
- SAP HANA Security (dating from 2021)
➤ https://www.sap.com/documents/2016/06/3ea239ad-757c-0010-82c7-eda71af511fa.html
- Security Whitepapers
➤ https://support.sap.com/en/security-whitepapers.html
- SAP Security Operations On Azure (Blog post)
➤ https://community.sap.com/t5/enterprise-resource-planning-blogs-by-members/sap-security-operations-on-azure/ba-p/13403609
- SAP Help Portal (Documentation)
➤ https://help.sap.com/docs/
➤ Azure Cloud and SAP
- Security operations for SAP on Azure
➤ https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations
- Introduction to an SAP adoption scenario
➤ https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/sap/
➤ AWS Cloud and SAP
- How to migrate, implement, configure, and operate SAP solutions on AWS
➤ https://docs.aws.amazon.com/sap/latest/sap-netweaver/sec-orc-sap-nw-lx.html
➤ https://aws.amazon.com/fr/sap/docs/
➤ Operating System Security Hardening Guide for SAP HANA for SUSE Linux Enterprise Server
- https://documentation.suse.com/sbp/sap-15/html/OS_Security_Hardening_Guide_for_SAP_HANA_SLES15/index.html
SAP Security controls (CoBIT)
Check that the following technical security controls are implemented.
- The superuser "SAP*" is properly secured
- The default passwords for users "DDIC", "SAPCPIC" and "EarlyWatch" have been changed
- The powerful profiles are restricted (SAP_ALL, SAP_NEW)
- Logging & monitoring activities are in place for use of powerful accounts and profiles
- Changes made to the data dictionary are authorized and reviewed regularly
- Log and trace files are appropriately configured and secured
- SAP ERP Remote Function Call (RFC) and Common Programming Interface — Communications (CPI-C) are secured
- Access to information and information systems is authorized
- Information systems processing is protected physically from unauthorized access and from accidental or deliberate loss or damage
- Information processing can be recovered and resumed after operations have been interrupted
- Critical user activities can be maintained and recovered following interruption
- Configuration changes are made in the development environment and transported to production
- Changes to critical number ranges are controlled
- Access to system and customizing tables is narrowly restricted
- Application modifications are planned, tested and implemented in a phased manner
- Customized ABAP/4 programs are secured appropriately
- Batch processing operations are secured appropriately
- Critical and sensitive transaction codes are locked in production
- Strong password management for system users
- SAP Router is configured to act as a gateway to secure communications
- Remote access by software vendors is controlled adequately
Review the security level of the SAP Architecture/Infrastructure
Check that the technology infrastructure is configured to secure communications and operations in the SAP ERP environment.
> Firewall
> SNC - Secure Network Communications (ideally should be set to « Privacy Protection »)
> Secure Store and Forward (SSF) mechanisms and digital signatures
> Workstation security
> Operating system (server) and database security
> Citrix Gateway and environment (if used)
> SAP Router configuration
> …
Check the security policy settings (password policy, network encryption, ..)
Collect and review the "RSPARAM" configuration file (Use the Tcode SA38 and then enter RSPARAM)
> Login / password_Expiration - Frequency of forced password change (default = 0 = off)
> Login / min_password - Minimum password length (default = 3)
> Login / fails_to_user_lock - Number of invalid password attempts before user is locked (default = 12)
> Login / failed_user_auto_unlock - If user account is locked is it permanently locked until released by administrator
or automatically unlocked at midnight (default = 1 = unlocked at midnight)
> Rdisp / gui_auto_logout - User is logged off of SAP after a period of inactivity (default = 7200 seconds = 2 hours)
> Login / disable_multi_gui_login - (default = 0 = multiple logons permitted)
NOTE: if multi-login is disabled some users can still be permitted multiple logins via the “login/multi_login_users” setting where user-ids
can be listed which can be permitted to logon multiple times
Parameters Description
————————————————————————————————————————————————————————————————————————————————————————————————
* login/disable_multi_gui_login Disable multiple sapgui logons (for same SAP account)
* login/disable_password_logon Login/disable_password_logon
* login/failed_user_auto_unlock Enable automatic unlock off locked user at midnight
* login/fails_to_session_end Number of invalid login attempts until session end
* login/fails_to_user_lock Number of invalid login attempts until user lock
* login/isolate_rfc_system_calls
* login/min_password_diff Min. number of chars which differ between old and new password
* login/min_password_digits Min. number of digits in passwords
* login/min_password_letters Min. number of letters in passwords
* login/min_password_lng Minimum Password Length
* login/min_password_lowercase Minimum number of lower-case characters in passwords
* login/min_password_specials Min. number of special characters in passwords
* login/min_password_uppercase Minimum number of upper-case characters in passwords
* login/multi_login_users List of exceptional users: multiple logon allowed
* login/no_automatic_user_sapstar Control of the automatic login user SAP*
* login/password_change_for_SSO Handling of password change enforcements in Single Sign-On situations
* login/password_change_waittime Password change possible after # days (since last change)
* login/password_charset
* login/password_compliance_to_current_policy
* login/password_downwards_compatibility Password downwards compatibility (8 / 40 characters, case-sensitivity)
* login/password_expiration_time Dates until password must be changed
* login/password_history_size Number of records to be stored in the password history
* login/password_logon_usergroup Users of this group can still logon with passwords
* login/password_max_idle_initial Maximum #days a password (set by the admin) can be unused (idle)
* login/password_max_idle_productive maximum #days a password (set by the user) can be unused (idle)
Notes: The administration of security policies can be performed via the transaction SECPOL, which is secured by two authorization objects: S_SECPOL is checked during the maintenance of the policies themselves, while S_SECPOL_A is used to define the values that may be assigned to the security policy attributes. Easy ways to see which users have security policies assigned to them: Option 1: SUIM: “Users > by Complex Selection Criteria” or “Users > by Logon Date and Password Change” Option 2: Directly in table USR02 (field SECURITY_POLICY).
Check that the SAP default passwords have been changed
This can be done by testing manually the default logins and passwords or using a script. This can also be done by dumping the USR02 table and performing password dictionary attack with tools like 'John the Ripper' (password cracking tool).
+ List of default SAP accounts and passwords
Login Password Clients/Mandants
————————————————————————————————————————————————————————————
SAP* PASS or 06071992 000, 001, 066
DDIC 19920706 000, 001
TSMADM PASSWORD 000, 001
EARLYWATCH SUPPORT 066
SAPCPIC ADMIN 000, 001
SAPR3 SAP (SAP Local Database)
RISK USER PASSWORD CLIENT/Mandants REMARK
——————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————
Very High SAP* 06071992 / PASS 001,066,etc… Hardcoded kernel user
Very High IDEADM admin Almost all IDES clients Only in IDES systems
Very High DDIC 19920706 000,001,… User has SAP_ALL
High CTB_ADMIN sap123 N.A. Java user
High EARLYWATCH SUPPORT 066 Has rights to get password hash for SAP* from USR02 table and sometimes OS execution
Medium TMSADM PASSWORD / $1Pawd2& 000, sometimes copied to others
Medium /Low SAPCPIC ADMIN 000,001 Can be used for information retrieval and in some cases for vulnerabilities where only authentication is needed
RISK USER TYPE PASSWORD SOLMAN SATELLITE
———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————
HIGH SMD_ADMIN System init1234 X
HIGH SMD_BI_RFC System init1234 X
HIGH SMD_RFC System init1234 X
HIGH SOLMAN_ADMIN Dialog init1234 X
HIGH SOLMAN_BTC System init1234 X
HIGH SAPSUPPORT Dialog init1234 X
HIGH SOLMAN<SID><CLNT> Dialog init1234 X
MED/HIGH SMDAGENT_<SID> System init1234 X
MED CONTENTSERV System init1234 X
MED SMD_AGT System init1234
SAP Password Hash Formats in table USR02
—————————————————————————————————————————
If the field "CODVN" = « G » then the password code versions/formats will be B & F
If the field "CODVN" = « I » then the password code versions/formats will be B, F & H
Notes:
+ B = BCODE (MD5-based; Maximum pwd length=8, only upper case),
+ F = PASSCODE (SHA1-based; Maximum pwd length=40, case sensitive)
+ H = PWDSALTEDHASH (iSSHA-1; Maximum pwd length=40, case sensitive)
Standard Security Reports to run (RSUSR via AID, SA38, or SUIM)
> RSUSR003 – Check passwords for SAP* and DDIC
> RSUSR006 – locked users / unsuccessful login attempts
> RSUSR200 - Users with original passwords, users not logged in for xx days, users who have not changed password in xx days
> RSUSR002 - Can be used to determine who has access to powerful BASIS transactions such as the following
Review the SAP Gateway Security Files (SECINFO and REGINFO)
> The "secinfo" security file is used to prevent unauthorized launching of external programs.
> The file "reginfo" controls the registration of external programs in the gateway.
> Useful transaction to display and edit the files = SMGW
You can define the file path using profile parameters gw/sec_info and gw/reg_info.
The default value is:
> gw/sec_info = $(DIR_DATA)/secinfo
> gw/reg_info = $(DIR_DATA)/reginfo
Example of a SECINFO file in new syntax
———————————————————————————————————————
#VERSION=2
D HOST=* USER=* TP=/bin/sap/cpict4 //Program cpict4 is not permitted to be started.
P HOST=* USER=* TP=/bin/sap/cpict* //All other programs starting with cpict4 are allowed to be started (on every host and by every user).
P TP=hugo HOST=local USER=* //Program hugo is allowed to be started on every local host and by every user.
P TP=* USER=* USER-HOST=internal HOST=internal //All programs started by hosts within the SAP system can be started on all hosts in the system.
Example of a REGINFO file in new syntax
———————————————————————————————————————
#VERSION=2
P TP=cpict4 HOST=10.18.210.140 //Program cpict4 is allowed to be registered if it arrives from the host with address 10.18.210.140.
D TP=* HOST=10.18.210.140 //All other programs from host 10.18.210.140 are not allowed to be registered.
P TP=cpict2 ACCESS=ld8060,localhost CANCEL=ld8060,localhost //Program cpict2 is allowed to be registered, but can only be run and stopped on the local host or hostld8060.
P TP=cpict4 //Program cpict4 is allowed to be registered by any host.
P TP=* USER=* HOST=internal //Programs within the system are allowed to register.
SAP logging strategies / Audit trails
Tracing a Transaction
—————————————————————
> SE30 ABAP/4 Runtime Analysis
> ST01 System Trace
> STAT User Activity at UNIX Level (this transaction is very slow)
LOGS in SAP (programme RDDPRCHK)
————————————————————————————————
> Existence de la mise en oeuvre de journaux sur les tables
> lancer SA38 puis utiliser le programme RDDPRCHK et paramètre REC / Client pour les tables mandant-dépendantes
et preuve de leur exploitation.
Types of users in SAP
There are five types of users in SAP (useful link: https://www.stechies.com/type-of-users-in-sap/)
Dialog users (A)
————————————————
A normal dialog user is used for all logon types by exactly one person. This is used to logon using SAP GUI.
During a dialog logon, the system checks for expired/initial passwords.
The user can change his or her own password. Multiple dialog logons are checked and, if appropriate, logged.
These users are used for carrying out normal transactions.
This is an interactive type of logon.
The initial multiple logons are 6.
They are set according to companies policy.
System Users (B)
————————————————
These are non interactive users. They are used for background processing and internal communication in the
system (such as RFC users for ALE, Workflow, TMS, and CUA).
Their passwords cannot be changed by the end users. Only the user administrator can change their passwords.
Multiple logon is permitted in these type of users. Dialog logon is not possible for these type of users.
Communication Users (C)
———————————————————————
Used for dialog-free communication between systems.
It is not possible to use this type of user for a dialog logon.
Their passwords are valid for certain period of time so they expire. The users have option to change their own passwords.
Service User (S)
————————————————
Dialog user available to a larger, anonymous group of users.
The system does not check for expired/initial passwords during logon.
Only the user administrator can change the passwords. Generally, highly restricted authorizations are given to this type of users.
Reference User (L)
——————————————————
A reference user is, like the service user, a general non-person-related user.
Dialog logon is not possible with this kind of user.
A reference user is used only to assign additional authorizations.
To assign a reference user to a dialog user, specify it when maintaining the dialog user on the Roles tab page.
Access to tables that include sensitive data should be carefully granted and monitored, specifically to inspect who is allowed to see/edit the data and who actually sees/edits it; who is able to use the table in QuickViewer / Data Browser (...) and who actually did; in which views the table is being used and who viewed the data; and finally in which queries the table is used and who performed these queries.
There are multiple ways to display & edit tables in SAP
—————————————————————————————————————————————————————————
+ Standard table browsing and maintenance transactions:
> SE16 & SE16N (Data Browser),
> SE17 (General Table Display)
> SM30 (Enhanced Table Maintenance Tool)
> SM31 (Standard Table Maintenance Tool - Old)
+ Proxy-transactions like SPRO (which call the aforementioned ones internally).
+ SAP Query transactions:
> SQVI (SAP Quick Viewer),
> SQ01 (SAP Standard Query),
> SCMP (View / Table Comparison),
+ The ABAP report/program "RK_SE16N" that can be launched via the transaction SA38 (potential only / not tested).
+ The module pool "SAPMSVMA" that can be launched using SE38 (potential only / not tested).
+ Database monitoring tool (ST04).
Example of tables containing sensitive data
————————————————————————————————————————————
+ Useful "User Master Tables"
> USR01 - User Master Records
> USR02 - User IDs and Passwords (includes last logon data)
> USH02 - password change history
> VUSR02_PWD - View containing User IDs and Passwords
> USR40 - Non-permissible password values
> USR04 - User Master Authorizations
> USR10 - Authorization Profiles (i.e. &_SAP_ALL)
> USR11 - User Master Profiles and Descriptions
> USR12 - User Master Authorization Values
+ Useful "Authorization Tables"
> UST04 - User Masters (all Users with profiles)
> UST10C - User Master: Composite Profiles
> UST10S - User Master: Simple profiles
> UST12 - User Master: Authorizations
> AGR_1250 - Role and. Authorization data.
> AGR_DEFINE - To See All Roles (Role definition).
+ Useful « Bank/Payment Tables »
> T012 - House Banks
> T012A / B - Allocation payment methods > Bank transfer
> T012C - Terms for bank transactions
> T012D - Parameter for DMEs and foreign PM
> T012E - EDI-compatible house banks / PM
> T012K - House Bank Accounts
> T012O - ORBIAN Detail: Bank Accounts, ...
> BNKA - Bank Master
> TIBAN - IBAN (International Bank Account Number)
SAP privilege escalation technique 1
Dump SAP password hashes from the table USR02 or the view VUSR02_PWD and crack them with « John The Ripper »
+ Read privilege over the table USR02 or the view VUSR02_PWD (using SE16/SE16n, SM30, SQVI…) can allow a
malevolent person to collect the password hashes of the SAP local accounts and then try to crack the passwords
of SAP privileged accounts using the tool « John The Ripper ».
+ Read privilege over the table USH02 (using for example SE16/SE16n, SM30, SQVI) can allow a malevolent person
to collect the old password hashes of SAP local accounts, then crack them using John The Ripper and try to guess
the new one (based on the old password pattern).
Tips for SAP passcode cracking
——————————————————————————————
+ SAP passcode (G format) collected in the USR02 table (for the SAP local account "SAP_ADM"): "55D85A52F82E02FE246E9E505F0D2C9BC82C9E14"
+ Password format to use with the tool « John The Ripper » :
> login:login$PASSCODE
> SAP_ADM:SAP_ADM$55D85A52F82E02FE246E9E505F0D2C9BC82C9E14
+ Command to crack the SAP passwords with the tool « John The Ripper » :
> John --session=1 --format=sapg --wordlist=rockyou.txt <File-containg-password-hashes>
SAP privilege escalation technique 2
Edit sensitive tables (e.g. USR02, USR04, USR10, USR11,…) using ST04 or SM30 or SM31
+ Edit privilege over the users, authorizations and profiles tables could allow a malevolent person to escalate its privileges via multiple ways.
For examples:
> Create a new SAP administrator account (SAP_ALL, SAP_New, SAP Basis profiles)
> Modify the password hashes of an existing SAP administrator account (e.g. SAP*, DDIC, …)
> Add his/her account in a powerful group such as SAP_ALL, SAP_New or SAP Basis
+ Edit privilege over sensitive financial tables could allow a malevolent person to commit frauds by modifying suppliers/employees bank account numbers, pay slips and/or money transfers.
+ How to determine who can do table updates in production (should not be permitted)
> SAP transactions = SM30, SM31 (and also ST04)
> Object = S_TABU_DIS, (client independent tables also require S_TABU_CLI )
> Activity = 01, 02
> "sap_edit"
Defense tips & Recommendations
+ Prevent users from being granted sensitive authorizations unless they genuinely need it for performing business tasks.
Users should be assigned only the minimum number of Authorizations required to perform their duties.
> Note: Removing SE16N from S_TCODE (for a particular table), but allowing for instance SA38 or START_REPORT does not necessarily prevent direct table access.
It's not a big deal, since table authorizations are checked as usual… but keep in mind: removing the tcodes from S_TCODE has a limited effect unless you also take care of S_TABU_*, S_PROGRAM and S_DEVELOP
(check SAP Note1012066 for the last one)!
+ Alert when a user:
> Directly accesses a table (via SE16,..), especially a table which is defined as sensitive.
> Performs a sensitive query.
> Is granted a sensitive authorization.
+ Data Dictionary updates in production should not be permitted
> TC = SE11, SE15, SE16, SE38, SE80
> Object = S_DEVELOP
> Activities = 01, 02, 06, 07
There are several SAP transactions that allow authorized users to execute OS commands on the Windows/Linux server(s) hosting a SAP application/instance and/or a SAP database. All the OS commands are executed by a local OS account « adm » which is used to manage the SAP software at the OS layer and which can log into the SAP database with high privileges. If a malevolent person can execute any commands on the server(s) hosting a SAP application/instance with the « adm » account, then he/she can take over the entire SAP ERP application and data (OS => Database => Application).
[Privesc technique 1]
Execute any OS commands on the server hosting the SAP application/instance using the transaction SA38 and the report "RSBDCOS0"
> Go to transaction SA38 (Execute ABAP program/report)
> Run the report "RSBDCOS0"
> Execute any OS commands
- write and run a reverse shell,
- add a SSH public key and login to the Linux server,
- identify OS or database clear-text passwords stored in config files, scripts or .bash_history
+ Defense tips: Disable the CALL ‘SYSTEM’ command setting the profile parameter ‘rdisp/call_system’ to ‘0’.
[Privesc technique 2]
Execute any OS commands on the server hosting the SAP application/instance using the transactions « SM69 + SM49 » or « SM69 + SM36 » or « SM69 + SM37 »
> Go to SM69 (Maintain external OS commands)
> Then create a new external command or edit an existing one
> Then set and save the OS command that you want to run
> Finally execute it using either:
- SM49 (Execute external OS commands)
or
- SM36 (Simple job selection/scheduler)
or
- SM37 (Extended job selection/scheduler)
+ Useful links: https://blogs.sap.com/2013/10/29/secure-execution-of-os-commands-by-abap-programs/
[Privesc technique 3]
Execute pre-defined/limited OS commands on the server hosting the SAP application/instance using the transactions SM49 or SM36 or SM37
Note: In some cases by using the transactions CG3Z (File upload), CG3Y (File upload) and AL11 (SAP OS Directory and file browser) in addition to either SM49 or SM36 or SM37 it is possible to execute any OS commands.
For example, if one of the pre-defined or customized OS commands available is to execute a script or a binary, then the following attack scenario is possible:
> Go to CG3Y (File download)
> Then select and download the script (or binary) that you are allow to execute
> Go to CG3Z (File upload)
> Select and upload/overwrite a malicious script (or binary) on the Windows/Linux server supporting the SAP application/instance
> Then execute it using either:
- SM49 (Execute external OS commands)
or
- SM36 (Simple job selection/scheduler)
or
- SM37 (Extended job selection/scheduler)
> Finally use CG3Z to replace your malicious script (or binary) by the legitimate one.
[Privesc technique 4]
Execute any OS commands on the server hosting the SAP application/instance using the transaction(s) SE38 or « SE38 + SA38 » or « SE38 + SM36 » or « SE38 + SM37 »
> Go to SE38 (ABAP editor - create/edit/run ABAP program)
> Create a new ABAP program (but you will need a developer key if you don't have a "developer" account)
> Then execute it using either:
SE38 (ABAP editor - create/edit/run ABAP program)
or
SA38 (Display/Execute ABAP program/report)
or
SM36 (Simple job selection/scheduler)
or
SM37 (Extended job selection/scheduler)
[Privesc technique 5]
Upload a backdoor on the server hosting the SAP application/instance using the transaction CG3Z (File upload)
> Use CG3Z to overwrite a legitimate script (or binary) with a malicious one that will be more-likely executed later by a legitimate IT admin or a scheduled batch.
[Privesc technique 6]
Execute any OS commands on the server hosting the SAP database using the transaction ST04 (remote OS command execution using Oracle or MSSQL database’s stored procedures)
SAP privilege escalation attack using remote OS commands
Using one or several of the methods described above perform the following attack:
+ Step 1. Get an interactive session on the Windows/Linux server(s) hosting a SAP application/instance and/or a SAP database with the « <SID>adm » account.
> Write and run a reverse shell (e.g. PowerShell, Python, Perl, Bash)
OR
> Add a SSH public key and then log into the Linux server,
OR
> Identify privileged OS or database clear-text passwords stored in config files, scripts or logs (e.g. .bash_history) and then log into the server,
+ Step 2. Login to the SAP database (privileged access)
+ Step 3. Steal and/or edit sensitive data stored in the SAP database to commit a fraud (for instance, modify bank accounts to receive fund transfers/payments)
+ Step 3.bis Edit SAP tables to add a new SAP user with SAP_ALL privileges and then use this new account to commit fraud.
Other / Notes
RSRFCCHECK
——————————
Permet de lister les RFC (sm59) pour lesquels un mot de passe est sauvegarder
Scanning files content in AL11
———————————————————————————————
To start this functionality you can press Shift+F1 and a popup will show. Then you can inform which expression you would like to search.
Simply execute AL11 and then execute /NSU53 immediately afterwards. A report of all authorisations checked will then be displayed.
Deleting a file (needs AL11 + SE37)
———————————————————————————————————
Step 1: Go to Transaction SE37, enter Function module name EPS_DELETE_FILE and click on execute button.
Step 2: Then, enter the File name in the FILE_NAME and the directory path (Excluding the file name) in the DIR_NAME and execute
Step 3: Finally use the AL11 transaction to check that the file has been deleted.
http://quelquepart.biz/article26/cure-de-rajeunissement-pour-al11
One of the major risks in SAP is its powerful debugging environment with the ability to stop each program and enter debugging mode while the program continues running (including the ability to change values at run time). The debugger allows bypassing certain controls (like authorization checks) and changing the system return-code (SY-SUBRC) for authorizations checks from Failed (4) to Succeeded (0). This could allow a hacker to either change an account number while running a payment program or change a report selection value or change the password of SAP privileged account.
SAP privilege escalation attack - Bypass security controls with the ABAP Debugger
+ If the ABAP Debugger is enabled in production, a malevolent person having read-only access to SAP tables with transactions such as SE16 or SE16n could bypass controls (authorizations checks) and modify data to perform a privilege escalation attack and/or a financial fraud.
> How-to:
https://sapbasissolutions.wordpress.com/2017/10/12/how-to-edit-sap-tables-without-coding-or-debugging/
+ If the ABAP Debugger is enabled in production, a malevolent person could bypass security controls to get unauthorized access to certain SAP transactions (goal: perform a privilege escalation attack or a financial fraud).
> How-to:
https://www.erpworkbench.com/sap-security/bypass/bypass-tcode.htm
https://blogs.sap.com/2013/09/06/abap-tip-and-trick-to-break-tcode-access-to-not-so-authorized-tcodes/
Defense tips & Recommendations
+ Remove debugging authorizations from all users while granting privileged access to users that really have to enter the debugging environment.
+ Define debugging as a sensitive authorization and receive an alert for when someone is granted such authorization.
> The S_DEVELOP authorization object controls access to the debugger.
> You can locate the roles that contain the S_DEVELOP authorization object using the SUIM report "Roles by Authorisation Values".
> You can locate the Users which have the S_DEVELOP authorization object using the SUIM report "Users by Authorisation Values".
+ Monitor users and their activities in the debugging environment.
> If a user replace variables (with the debugging mode) it creates a system log message; check SM21 !
+ Eliminate authorization to change values in the debugger, and instead permit only display options.
One of the overlooked backdoors for getting valuable and sensitive data is the SAP spool. When a user/job prints in SAP, the output is first collected in the SAP spool (called Spool Request) and only then sent to the physical printer. Many times the spool request is not deleted from the spool (for a very long time), even after the content is printed. Clearly, this turns the SAP spool into an excellent source for hackers to find information about money transfer slips, monthly pay-slips, check printouts, purchase orders and more. Furthermore, most users have access to the SAP spool (directly via T-Code SP01 or indirectly via T-Code SM37), and most organizations enable unlimited access to the spool items, including the options to view, download and re-print the content.
Defense tips & Recommendations
+ Inspect which users access SAP spool items, especially those that were not created by them.
+ Define sensitive spool items by criteria and alert when they are accessed.
SAP Developper/ABAP/Workbench
—————————————————————————————
> SE36 ABAP/4: Logical Databases
> SE37 ABAP/4 Function Modules
> SE38 ABAP/4 Program Development
> SE80 ABAP/4 Development Workbench
> SE81 SAP Application Hierarchy
> SE82 Customer Application Hierarchy
> SE84 ABAP/4 Repository Information System
> SE86 ABAP/4 Repository Information System
kit de développement RFC
—————————————————————————
Le kit de développement RFC permet de créer / modifier / supprimer une interface de type RFC (Remote Function Call).
Il est installé en standard par SAP.
La gestion des liaisons RFC est réservée à un groupe restreint d’administrateurs clairement identifiés. La liste est tenue à jour.
> suppression du kit de développement RFC (SDK « RFCSDK ») sur l’environnement de production.
Remove developer keys from productive systems
—————————————————————————————————————————————
Many auditors check on productive SAP systems if any developer keys exist (in table DEVACCESS).
If there are any, this might become a finding that can easily avoid (… although the system is properly protected against changes in SCC4 and SE03).
Restrict access and permissions to the SAP transactions allowing to display the tables containing the SAP password hashes
Several SAP transactions can be used to display the table USR02 and/or the view VUSR02_PWD that contain the local password hashes.
> SAP Quick Viewer : SQVI
> SAP Standard query : SQ01
> ST04
> SE16
> SE16n
> SCMP (View / Table Comparison)
Review who has access (and with which permissions) to the following list of powerful SAP transactions
> DBxx – Database related transactions
> SCC4, SCC5 - Client administration
> SE01, SE10 - CTS / TMS commands
> SE38 – ABAP Editor (display, edit, execute ABAP source code)
> SA38 – Only allows ABAP source code execution
> SE93 – Maintains transactions (ex. create or copy a TCODE)
> SM01 - Lock / unlock transactions
> SM12 – Lock entries
> SM30, SM31 – Table Maintenance (can be used to display and update table data)
> SE11, SE12, SE13, SE14 - Table structure maintenance
> SE14 - The database utility is the interface between the ABAP Dictionary and the relational database underlying the R/3 System.
It allows you to edit (create, delete and adjust to changes to their definition in the ABAP Dictionary) database objects
derived from objects of the ABAP Dictionary.
> SE15 – Data Dictionary
> ST04 - Database performance monitor (allow to send SQL request to the database)
> SM32 – Updates Table USR40 with invalid passwords
> SM3 – Displays and deletes processing job logs
> SM36/SM37 – Schedule Background Job
> SM49 – Execute external operating system commands
> SM52 – Execute operating system commands
> SM59 – Maintain Remote Function Calls destination definitions
> SM69 – Maintain external commands
> SP01 - Administer print spools
> PFCG - Role Maintenance (PFCG) can be used to create role and user like SU01
> SU01 - Maintain users, Security Administration transactions (create/delete/lock/unlock user account, change password etc.)
> SU02 - Allocate authorizations to a profile. Maintain SAP Authorization Profiles.
The transaction code SU02 can be use to manually edit SAP profiles.
As notification from the initial screen, SAP has recommended to not use this transaction any longer
for profile and user administration.
> SU10 - User MAss Maintenance (ex. Lock and Unlock user account, Change the password of a user?)
- Delete/add a profile for all users
> SU03n
> SU03 - Maintenance of Authorizations
> SU53 - Evaluate Authorization Check
> AL11 - Display all the SAP Directories and files stored on the underlying OS server
> Program/report "RPCIFU01" - Display OS files
> Program/report "RPCIFU03" - Download OS files
> Program/report "RSBDCOS0" - Execute OS commands
> CG3Z or GUI_upload and CG3Y or GUI_download - Upload / download files to SAP systems (underlying OS server)
> SXDA, SXDB - Data Transfer Workbench
> SXDA_TOOLS - DX Workbench: tools
> SU56 - User Authorization Buffer
> SM01 - Can be used to block specific transactions and to list all transactions
> RSUDO - idem SUDO mais pour SAP
> RSRT - Query monitor
> SCMP - Table/View Comparaison
> SQVI - Table Quickviewer
> SUIM - select USER and then "specific transactions" to see the list of users having access to specifics transactions
> OS04 - Local System Configuration
> OS05 - Remote System Configuration
> OS06 - Local Operating System Activity
> OS07 - Remote Operating System Activity
> SM13 - Administrate Update Records
> SM1 - Update Program Administration
> SM20 - Security Audit Log Assessment
> SM21 - Online System Log Analysis
> TU02 - Parameter changes
> SE06 - Set Up Transport Organizer
> STMS - Transport Management System
> SCC4 - (customize it to ztcode) - Administrationdes mandants
Weak parameter transactions
Parameter transactions execute an existing transaction delivering pre-defined screen input.
To determine all unsafe parameter transactions for SE16, SM30… you need to search for PARAMs matching "/N<TCD>" (e.g. "/NSM30*") in the table TSTCP.
=> The presence of "/*" indicates that the first screen is skipped and thus the view name cannot be overridden.
=> The presence of "/N<TCD>" (e.g. "/NSM30*") indicates that the first screen is not skipped and thus the pre-filled view name can be overridden (leaving the choice of the actual view name up to the user).
Sources:
- https://www.daniel-berlin.de/security/sap-sec/table-authorizations/
- https://www.daniel-berlin.de/security/sap-sec/weak-parameter-transactions-sap/
List of useful SQL queries to extract the database configuration (e.g. list of users, roles, privileges, password policy, logs)
'SELECT * FROM SYS.USERS LIMIT 500'
'SELECT * FROM SYS.USERS_PARAMETERS LIMIT 500'
'SELECT * FROM SYS.M_PASSWORD_POLICY'
'SELECT * FROM SYS.P_CREDENTIALS_'
'SELECT * FROM SYS.M_SECURESTORE'
'SELECT * FROM SYS.SCHEMAS LIMIT 500'
'SELECT * FROM SYS.ROLES LIMIT 500'
'SELECT * FROM SYS.PRIVILEGES’
'SELECT * FROM SYS.PROCEDURES'
'SELECT * FROM SYS.P_CREDENTIALS_' (not authorized)
'SELECT * FROM SYS.TABLES LIMIT 500'
'SELECT * FROM SYS.AUDIT_ACTIONS LIMIT 500'
'SELECT * FROM SYS.M_CONNECTIONS'
'SELECT * FROM SYS.M_DATABASE'
'SELECT * FROM SYS.M_HOST_INFORMATION'
'SELECT * FROM SYS.M_INIFILE_CONTENTS'
'SELECT * FROM usr02;'
How to log into the database to extract the configuration
> [Option 1] The SAP HANA configuration can be collected using a “SAP Basis” account with the ‘ST04’ and ‘DBxx’ transactions
> [Option 2] Use SAP HANA HDBSQL to execute SQL commands at OS level.
+ HDBSQL is a command line tool for executing commands on SAP HANA databases.
SAP HANA HDBSQL is also used to automate the HANA Database backups using cron scripts.
+ Requirement: You want to access SQL prompt using HDBSQL at OS level.
+ Prerequisites : You need password of <SID>ADM user and User with HANA database access, in our example we are connecting using SYSTEM.
+ Steps :
• Logon to HANA host with <SID>adm user.
• Once you are logged in as <SID>adm you can directly execute the hdbsql command , or you can go to following path and execute the hdbsql command.
• cd /hana/shared/<SID>/hdbclient
• Now execute the command
• hdbsql -n localhost -i 00 -u SYSTEM -p Ina123
Once you get the command , enter \s to get the system information you are connected to.
Exit HDBSQL by entering the command: exit or quit or \q
You can also log on with user credentials for the secure user store (hdbuserstore) with -U <user_key>.
HDBSQL Examples :
---------------
> hdbsql -n localhost -i 00 -u SYSTEM -p Ina123;
> hdbsql -S DEV -n localhost:30015 -u SYSTEM -p In123 ;
> hdbsql -n localhost -i 00 -u myuser -p myuserpassword "select * from sys.users";
> hdbsql -U myUserSecureStore "Select table_name, schema_name from m_tables" ;
> hdbsql -U SUPER "SELECT * FROM SYS.P_CREDENTIALS_" ;
> hdbsql -u SYSTEM -n HOSTNAME:34215 -s EEP -sslprovider commoncrypto -sslkeystore $SECUDIR/sapsrv.pse -ssltruststore $SECUDIR/sapsrv.pse "SELECT * FROM SYS.P_CREDENTIALS_" ;
Note:
"A user administrator can exclude users from this password check with the following SQL statement: ALTER USER <user_name> DISABLE PASSWORD LIFETIME.
However, this is recommended only for technical users only, not database users that correspond to real people.
A user administrator can re-enable the password lifetime check for a user with the following SQL statement: ALTER USER <user_name> ENABLE PASSWORD LIFETIME"
SAP Discovery using NMAP (network port scanner - https://nmap.org)
> root@kali-linux$ nmap -sS -sV -v -p- 10.13.34.12
<SNIP>
Nmap scan report for 10.13.34.12
<SNIP>
PORT STATE SERVICE VERSION
1128/tcp open soap gSOAP 2.7
3201/tcp open cpq-tasksmart?
3299/tcp open saprouter?
3301/tcp open unknown
3901/tcp open nimsh?
4901/tcp open sybase-adaptive Sybase Adaptive Server
4902/tcp open sybase-backup Sybase Backup Server
4903/tcp open unknown
8101/tcp open http SAP Message Server httpd release 745
30101/tcp open unknown
30102/tcp open unknown
30103/tcp open unknown
30104/tcp open unknown
30107/tcp open unknown
30108/tcp open unknown
30111/tcp open http BaseHTTPServer 0.3 (Python 2.7.10)
30116/tcp open unknown
40000/tcp open safetynetp?
40001/tcp open unknown
40002/tcp open unknown
40080/tcp open http SAP Internet Graphics Server httpd
46287/tcp open status 1 (RPC #100024)
50000/tcp open http SAP WebDispatcher
50001/tcp open ssl/http SAP WebDispatcher
50004/tcp open unknown
50007/tcp open unknown
50013/tcp open soap gSOAP 2.7
50014/tcp open ssl/soap gSOAP 2.7
50020/tcp open unknown
50113/tcp open soap gSOAP 2.7
50114/tcp open ssl/soap gSOAP 2.7
> root@kali-linux$ nmap -sV -p 80 --script http-sap-netweaver-leak 10.13.34.10
PORT STATE SERVICE REASON
443/tcp open https syn-ack
| http-sap-netweaver-leak:
| VULNERABLE:
| Anonymous access to SAP Netweaver Portal
| State: VULNERABLE (Exploitable)
| SAP Netweaver Portal with the Knowledge Management Unit allows attackers to obtain system information
| including file system structure, LDAP users, emails and other information.
|
| Disclosure date: 2018-02-1
| Check results:
| Visit /irj/go/km/navigation?Uri=/ to access this SAP instance.
| Extra information:
| ~system
| discussiongroups
| documents
| Entry Points
| etc
| Reporting
| References:
|_ https://help.sap.com/saphelp_nw73ehp1/helpdata/en/4a/5c004250995a6ae10000000a42189b/frameset.htm
SAP discovery using NMAP custom probes for a better detection of SAP services (https://github.com/gelim/nmap-erpscan)
=> https://github.com/gelim/nmap-erpscan/blob/master/sap_ports.py
> root@kali-linux$ nmap -p $(sap_ports.py) 10.3.3.7 -sV --open
<SNIP>
Not shown: 4496 closed ports
PORT STATE SERVICE VERSION
1128/tcp open saphostcontrol SAPHostControl
3201/tcp open sapjavaenq SAP Enqueue Server
3301/tcp open sapgateway SAP Gateway
3901/tcp open sapmsgserver SAP Message Server
8101/tcp open sapms SAP Message Server httpd release 745 (SID J45)
50000/tcp open sapnetweawer2 SAP NetWeaver Application Server (Kernel version 7.45, Java version 7.50)
50004/tcp open sapjavap4 SAP JAVA P4 (Potential internal IP 10.3.3.7)
50007/tcp open tcpwrapped
50013/tcp open sapstartservice SAP Maganement Console (SID J45, NR 00)
50014/tcp open tcpwrapped
50020/tcp open sapjoin SAP Java Cluster Join Service
50021/tcp open jdwp Java Debug Wire Protocol (Reference Implementation) version 1.8 1.8.0_51
50113/tcp open sapstartservice SAP Maganement Console (SID J45, NR 01)
50114/tcp open tcpwrapped
Service Info: Host: java745
SAP discovery using the Metasploit module 'sap_service_discovery' (https://www.metasploit.com)
Module to perform network scans against SAP platforms, which can be found under 'modules/auxiliary/scanner/sap/sap_service_discovery.rb':
msf > use auxiliary/scanner/sap/sap_service_discovery.
msf > set RHOST 192.168.1.149
msf > exploit
SAP Router
Module to launch a port scanner through a SAProuter.
The module is available on 'modules/auxiliary/scanner/sap/sap_router_portscanner.rb' and allows two types of working modes:
* SAP_PROTO: Allows port scanning when S(ecure) entries are set in the SAProuter ACL configuration.
* TCP: Allows port scanning when P(ermit) entries are set in the SAProuter ACL configuration.
In order to ping the ICF component from the exterior and get basic information about it, the unauthenticated /sap/public/ info service
(ICF) can be used if enabled, and that’s just what the auxiliary/scanner/sap/sap_icf_public_info.rb
> http://IP-address:8042/sap/public/info
Discovering ICF services with the mentioned module is as easy as shown below:
msf > use auxiliary/scanner/sap/sap_icm_urlscan
msf auxiliary(sap_icm_urlscan) > show options
Attacking the SOAP RFC with Metasploit (e.g.password brute-force, remote OS command execution)
When enabled, this service allows remote execution of ABAP programs and functions via HTTP SOAP requests.
This RFC calling mechanism is protected by HTTP Basic headers (valid SAP credentials are needed), and communications encryption is provided
only when HTTPS is enabled.
Module Description
auxiliary/scanner/sap/sap_soap_ rfc_brute_login.rb
> Attempts to brute force valid SAP credentials to access the SOAP interface via a call to the RFC_PING function.
Basic HTTP authentication is used for brute forcing.
auxiliary/scanner/sap/sap_soap_ rfc_system_info.rb
> Attempts to use the RFC_SYSTEM_INFO function to obtain different information about the remote system such as operating system, hostname,
IP addresses, time zone, etc. Valid SAP credentials are required.
auxiliary/scanner/sap/sap_soap_ rfc_ping.rb
> Attempts to use the RFC_PING function to test connectivity with the remote endpoint. Valid SAP credentials are required.
auxiliary/scanner/sap/sap_soap_ rfc_eps_get_directory_listing.rb
> Attempts to use the EPS_GET_DIRECTORY_LISTING function to disclose if a remote directory exists ( le system level) and the number of entries
into it. Valid SAP credentials are required. This module also can be used to launch an SMB Relay Attack.
auxiliary/scanner/sap/sap_soap_ rfc_p _check_os_file_existence.rb
> Attempts to use the PFL_CHECK_OS_FILE_EXISTENCE function to check if a le exists in the remote le system.
Valid SAP credentials are required. This module also can be used to launch an SMB Relay Attack.
auxiliary/scanner/sap/sap_soap_ th_saprel_disclosure.rb
> Attempts to use the RFC_READ_TABLE function to dump database data from the SAP system.
Valid SAP credentials are required.
auxiliary/scanner/sap/sap_soap_ rfc_read_table.rb
> Attempts to use the TH_SAPREL function to disclose information about the remote SAP system such as OS kernel version, database version,
or SAP version and patch level. Valid SAP credentials are required.
auxiliary/scanner/sap/sap_soap_ rfc_rzl_read_dir.rb
> Attempts to use the RZL_READ_DIR_LOCAL function to enumerate directory contents on the remote system.
Valid SAP credentials are required. This module also can be used to launch an SMB Relay Attack.
auxiliary/scanner/sap/sap_soap_ rfc_susr_rfc_user_interface.rb
> Attempts to use the SUSR_RFC_USER_INTERFACE function to create a remote SAP user.
Valid SAP credentials are required.
auxiliary/scanner/sap/sap_soap_ bapi_user_create1.rb
> Attempts to use the BAPI_USER_CREATE1 function to create or modify a remote SAP user.
Valid SAP credentials are required.
auxiliary/scanner/sap/sap_soap_ rfc_sxpg_call_system_exec.rb
> Attempts to use the SXPG_CALL_SYSTEM function to execute valid SM69 transaction commands in remote systems.
Valid SAP credentials are required.
auxiliary/scanner/sap/sap_soap_ rfc_sxpg_command_exec.rb
> Attempts to use the SXPG_COMMAND_EXECUTE function to execute valid SM69 transaction commands in the remote system.
Valid SAP credentials are required.
auxiliary/scanner/sap/sap_soap_ rfc_dbmcli_sxpg_call_system_ command_exec.rb
> Attempts to attack the SXPG_CALL_SYSTEM function to inject and execute arbitrary OS commands through the SM69 DBMCLI command.
Valid SAP credentials are required. For more information about the DBMCLI injection, see this blog from @ nmonkee.
auxiliary/scanner/sap/sap_soap_ rfc_dbmcli_sxpg_command_exec.rb
> Attempts to attack the SXPG_COMMAND_EXECUTE function to inject and execute arbitrary OS commands through the SM69 DBMCLI command.
Valid SAP credentials are required. For more information about the DBMCLI injection, see this blog from @ nmonkee.
exploits/multi/sap/sap_soap_rfc_ sxpg_call_system_exec.rb
> Attempts to attack command injection issues on SXPG_CALL_ SYSTEM to externally execute a Metasploit payload on the remote system.
Valid SAP credentials are required.
exploits/multi/sap/sap_soap_rfc_ sxpg_command_exec.rb
> Attempts to attack command injection issues on SXPG_ COMMAND_EXECUTE to externally execute a Metasploit payload on the remote system.
Valid SAP credentials are required.
SMB Relay attacks using Metasploit
There is also an interesting attack that can target different SAP functions and is reachable via the SOAP RFC or other components
such as those in the J2EE engine—more about that later.
While handling names, a lot of functions are vulnerable to SMB Relay Attacks.
These attacks send an UNC path pointing to a server capturing SMB hashes, which can be disclosed when the vulnerable component
tries to access it.
> Some SMB Relay Attack attacks, both unauthenticated and authenticated, have been collected by @nmonkee in an auxiliary module located
at /auxiliary/scanner/sap/sap_smb_relay.rb.
> Module to run to capture the SMB Hashs (LMhash and NTHash): auxiliary/server/capture/smb module capturing SMB hashes
SAP Web interface password brute-force using Metasploit
Launch password brute-force attacks against the Web GUI with the Metasploit module "auxiliary/scanner/sap/sap_web_gui_brute_login.rb"
msf > use auxiliary/scanner/sap/sap_web_gui_brute_login
msf auxiliary(sap_web_gui_brute_login) > show options
<SNIP>
msf auxiliary(sap_web_gui_brute_login) > set RHOSTS 192.168.172.179
msf auxiliary(sap_web_gui_brute_login) > set RPORT 8042
msf auxiliary(sap_web_gui_brute_login) > run
<SNIP>
[SAP] Credentials
=================
host port client user pass
---- ---- ------ ---- ----
192.168.172.179 8042 001 SAP* 06071992
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(sap_web_gui_brute_login)
SAP Portal - J2EE engine exploits
Alexander Polyakov and Dmitry Chastuhin presented work on the J2EE engine (SAPocalypse NOW: Crushing SAP’s J2EE Engine and Breaking SAP Portal).
Attacks from the above presentations have been published as Metasploit modules:
+ @nmonkee implemented the VERB tampering bypass (use HEAD as opposed to GET) to attack the ConfigServlet and create an operating system account.
> The module can be found at modules/auxiliary/scanner/sap/sap_ctc_verb_ tampering_user_mgmt.rb.
+ Andras Kabai implemented the ConfigServlet attack to execute arbitrary commands without authentication.
> The module can be found at modules/exploits/windows/http/sap_con gservlet_exec_no_auth.rb.
Attacking the SAP Management Console with Metasploit
Attack of the SAP MC SOAP interface to retrieve a lot of interesting information about an SAP system :
modules/auxiliary/scanner/sap/sap_mgmt_con_abaplog.rb
> Attempts to extract the ABAP syslog.
modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb
> Attempts to brute force the credentials for the SAP Management Console.
modules/auxiliary/scanner/sap/sap_mgmt_con_extractusers.rb
> Attempts to extract users from the ABAP syslog.
modules/auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints.rb
> Attempts to get a list of listening services within the SAP system.
modules/auxiliary/scanner/sap/sap_mgmt_con_getenv.rb
> Attempts to get SAP environment settings.
modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb
> Attempts to download log les and developer trace les.
modules/auxiliary/scanner/sap/sap_mgmt_con_getprocesslist.rb
> Attempts to get a list of SAP processes.
modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.
> Attempts to get a list of SAP rb processes, parameters, and configurations.
modules/auxiliary/scanner/sap/sap_mgmt_con_instanceproperties.rb
> Attempts to get the instance properties.
modules/auxiliary/scanner/sap/sap_mgmt_con_listlogfiles.rb
> Attempts to get a list of available log files and developer trace files.
modules/auxiliary/scanner/sap/sap_mgmt_con_startpro le.rb
> Attempts to get the SAP startup profile.
modules/auxiliary/scanner/sap/sap_mgmt_con_version.rb
> Attempts to get the SAP version.
modules/exploits/windows/http/sap_mgmt_con_osexec_ payload.rb
> Attacks the OSExecute functionality on the SAP Management Console to run arbitrary commands and finally a Metasploit payload.
SAP Management Console credentials are required.
Exploiting SAPHostControl with Metasploit
The component that provides the SOAP endpoint for the SAP Management Console on the TCP port '50013' for the default instance is "startsrv".
According to the SAP documentation, the executable sapstartsrv runs in host mode for monitoring purposes only.
The interesting thing about this sapstartsrv component is that it’s also listening for SOAP requests.
The GetDatabaseStatus call was attacked by Michael Jordon in order to get an arbitrary code execution from a command injection.
The exploit for this attack is also available on Metasploit as modules/exploits/windows/http/sap_host_control_cmd_ exec.rb.
It’s worth mentioning that the injection technique inspired @nmonkee when writing the OS command injections for the "SXPG_CALL_SYSTEM_SXPG_CALL_SYSTEM"
and "SXPG_COMMAND_EXECUTE" RFC SOAP calls
(remember also to check his post for more information about these command injections).
The GetComputerSystem call was abused by Bruno Morisson to retrieve information related to the remote host without any authentication.
The exploit for this attack is available on modules/auxiliary/scanner/sap/sap_hostctrl_getcomputersystem.rb.
The next screenshot shows the information retrieved:
msf auxiliary(sap_hostctrl_getcomputersystem) > run
[+] 192.168.172.133:1128 - Information retrieved successfully
[*] 192.168.172.133:1128 - Response stored in /Users/juan/.msf4/loot/20131011090901_default_192.168.172.133_sap.getcomputers_832535.xml
(XML) and /Users/juan/.msf4/loot/20131011090901_default_192.168.172.133_sap.getcomputers_372729.txt (TXT)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(sap_hostctrl_getcomputersystem) > set verbose true
verbose => true
msf auxiliary(sap_hostctrl_getcomputersystem) > run
SAP NetWeaver Dispatcher
The disp+work.exe process is vulnerable to a buffer overflow (CVE-2012-2611) while handling Traces, which can be exploited with the metasploit module modules/exploits/windows/misc/sap_netweaver_dispatcher.rb:
msf exploit(sap_netweaver_dispatcher) > use exploit/windows/misc/sap_netweaver_dispatcher
msf exploit(sap_netweaver_dispatcher) > set RHOST 192.168.1.149
RHOST => 192.168.1.149
msf exploit(sap_netweaver_dispatcher) > exploit