“SSRF vs Business Critical Applications” from BlackHat USA 2012
Typical business-critical applications have many vulnerabilities because of their complexity, customizable options and lack of awareness. Most countermeasures are designed to secure the system using firewalls and DMZs, so that, for example, to enter the technology network from the Internet an attacker has to bypass 3 or more lines of defense. This looks fine until somebody finds a way to attack the secured system through trusted sources. With the help of SSRF and one of its implementations, XXE Tunneling, it is possible to root a system within one request, which will come from a trusted source and will bypass all restrictions.
SSRF, as in Server Side Request Forgery, is a great attack concept which was discussed in 2008 with very little information about theory and practical examples. We decided to change that and conducted deep research in this area. As we deal with ERP security, we take SAP as the example for practicing SSRF attacks. The idea is to find victim server interfaces that allow sending packets, initiated by the victim's server, to the localhost interface of the victim server or to another server secured by a firewall from the outside. Ideally this interface must allow us to send any packet to any host and any port, and it must be accessible remotely without authentication or at least with minimum rights. Looks like a dream, but this is possible. Why is this attack especially dangerous to SAP? Because many restrictions preventing the exploitation of previously found vulnerabilities, for example in RFC and Message Server or Oracle auth, prevent only attacks from external sources but not from localhost!
We have found various SSRF vulnerabilities which allow internal network port scanning, sending any HTTP request from the server, brute-forcing the backend and more, but the most powerful technique was XXE Tunneling. We made a deep research of the XXE vulnerability and most of the popular XML parsers and found that it can be used not only for file reading and hash stealing but even for getting a shell or sending any packet to any host (0-day). What does this mean for business-critical systems? XML interfaces are normally used for data transfer between Portals, ERPs, BI, DCS, SCADA and other systems. Using an XXE vulnerability you can bypass firewalls and other security restrictions. What about practice? To show a real threat we took the most popular business application platform, SAP NetWeaver, and its various XML parsers. We found that it is possible to bypass almost all security restrictions in SAP systems. Using XXE Tunneling it is possible to reopen many old attacks and conduct new ones which were impossible before.
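The defensive side of the XXE problem described above, as an added example that is not part of the talk or of SAP's code: an intake gate for an XML interface that logs any external entity declaration, rejects DOCTYPE by policy, and, as a second layer, parses with the expat-backed SAX parser told never to fetch external entities. The sample documents and the `http://localhost/internal` URI are constructed for the demonstration.

```python
"""XXE intake gate for an XML interface: detect external entity declarations,
refuse DOCTYPE by policy, and parse with entity resolution disabled."""
import io
import re
import xml.sax
from xml.sax import handler

# Matches <!ENTITY name SYSTEM "uri"> and <!ENTITY % name PUBLIC "id" "uri">
ENTITY_RE = re.compile(
    rb'<!ENTITY\s+(%\s*)?([^\s>]+)\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]*)"',
    re.IGNORECASE)
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)

class XmlRejected(ValueError):
    """Inbound document violates the intake policy."""

class _TextCollector(handler.ContentHandler):
    """Accumulates character data from the parsed document."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

def find_external_entities(data):
    """Return [(entity_name, uri)] for every external entity declared in the
    internal DTD subset; a '%' prefix marks parameter entities. Log these."""
    found = []
    for pe, name, uri in ENTITY_RE.findall(data):
        label = ("%" if pe else "") + name.decode("ascii", "replace")
        found.append((label, uri.decode("ascii", "replace")))
    return found

def parse_xml_safely(data, allow_doctype=False):
    """Parse untrusted XML bytes and return the document's text content.
    Layer 1: this interface never needs a DTD, so any DOCTYPE is rejected.
    Layer 2: even with layer 1 relaxed, the parser is told not to fetch
    external general or parameter entities, so a reference to an external
    entity expands to nothing instead of to a file or a URL on the backend."""
    if DOCTYPE_RE.search(data) and not allow_doctype:
        raise XmlRejected("DOCTYPE not permitted; external entities: %r"
                          % find_external_entities(data))
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return "".join(collector.parts)

# Constructed samples (not from the talk): an XXE-style document and a benign one.
SAMPLE_XXE = (b'<?xml version="1.0"?>\n'
              b'<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "http://localhost/internal"> ]>\n'
              b'<doc>&xxe;</doc>')
SAMPLE_OK = b'<?xml version="1.0"?><doc>hello</doc>'
```

With `allow_doctype=True` the XXE sample still parses to an empty string, which shows that the second layer alone prevents the fetch; the first layer exists so that such documents never reach the parser and are visible in logs.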
A tool called XXEScanner, which will help to gain critical information from the server, run scans and execute attacks on the victim host or backend, will be released as part of the OWASP-EAS project.
SSRF vs business-critical applications. XXE Tunnelling in SAP