Two world biggest conferences devoted to security were held in Las-Vegas from 4 to 9 August. This event gathered 8500 and 15000 visitors simultaneously. This year ERPScan specialists gave a talk at the BlackHat and took part in Defcon CTF (Capture The Flag) competition, where practical skills in reverse-engineering, exploitation, pen-tests and remote attacks defense were needed.
The team (IV) where our employee took part won 4th place and left behind a lot of old school participants of this event. Such a result is great for the first time. The report about new security threats in J2EE engine of SAP NetWeaver platform made by Alexander Polyakov made noise in mass-media even before the presentation. So after the presentation that was high-rated by the audience and foreign colleagues, it was covered by world-famous editions like CIO, PCWORLD, ItProPortal, CbrOnline and also on the internal portal of SAP Company.
Media paid attention to the new vulnerability allowing to manipulate HTTP headers to avoid authentication in SAP web applications. Thus, by sending Head request instead of GET to the interface of one undocumented application you can perform any actions in the system. The example presented on the conference showed how the account with the administrative access was created by the anonymous request; that could be used by the attackers for getting critical data and full control over the system. Another vulnerable application gives the opportunity to execute DoS attack by rewriting any system file.
At the moment SAP has closed only 2 examples of vulnerabilities of this type, but according to the results of our research, there are about 40 potentially vulnerable SAP applications as well as user-made applications.
ERPScan has created free utility called ERPScan web.xml checker that is a part of ERPScan Security Scanner which helps to check J2EE SAP applications security settings; there are 9 different typical misconfigurations, so the analysis will help the administrator to securely tune the system and show if there are any flaws.