Las Vegas, CA - July 26, 2012. BlackHat, the biggest infosec venue, was the place where a new example of a targeted attack on SAP systems was shown. Researchers from ERPScan, a company focused on developing security solutions for SAP applications, gave a talk in which they demonstrated a very complex attack on an SAP system that chains multiple exploits, including a 0-day technique called XML tunneling, an example of an SSRF (Server Side Request Forgery) attack.
Nowadays you see a lot of hype about critical infrastructure and examples of malware that is created for cyber espionage. However, too little information is related to business systems, as well as to the corporate espionage and fraud which can be executed by attacking ERP systems like SAP. As long as all the information critical to business is stored in an ERP system, a competitor can use it for corporate espionage by breaking into the financial module, where financial reports can be found before they are published on stocks. Corporate wars are more than possible, and some big companies can be the targets of such type of malware. Disruptive attacks like denial of service on SAP systems are also more than possible.
– Alexander Polyakov, CTO of ERPScan.
The attack that was presented uses a chain of vulnerabilities:
- unauthorized access to a web service on SAP PI, which allows sending XML packets; SAP PI can usually be accessed from the Internet.
- XML tunneling: a new technique that allows sending arbitrary TCP packets to internal systems by embedding them in XML packets.
- a buffer overflow in the SAP kernel.
The whole attack was implemented in one packet, which is nearly impossible for signature-based IDS systems to identify as malicious. Alexander Polyakov described the attack scenario in his interview with InfosecIsland.
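Because the whole chain rides in a single XML message, the practical defensive control is not a network signature but a gate in front of the XML parser of every Internet-facing web service: reject any inbound document that carries a DOCTYPE or an entity declaration pointing outside the document, since a plain data-exchange message has no need for either. The following is an added example written for this article; it is not ERPScan's tooling, not SAP's code, and not the SAP PI behaviour. The sample messages, hostnames and ports are constructed placeholders. The check runs on the raw text before any parser sees it, so it does not depend on how a particular parser resolves entities.

```python
import re
import xml.etree.ElementTree as ET

# Matches any document type declaration in the prolog. A plain data-exchange
# message (SOAP body, REST payload, IDoc rendered as XML) has no reason to carry one.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)

# Matches entity declarations that point outside the document:
#   <!ENTITY name SYSTEM "uri">            general external entity
#   <!ENTITY % name SYSTEM "uri">          parameter entity
#   <!ENTITY name PUBLIC "pubid" "uri">    external entity with a public id
_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s>]+)\s+"
    r"(?:SYSTEM\s+(?P<q1>[\"'])(?P<sys>.*?)(?P=q1)"
    r"|PUBLIC\s+(?P<q2>[\"'])(?:.*?)(?P=q2)\s+(?P<q3>[\"'])(?P<pub>.*?)(?P=q3))",
    re.IGNORECASE | re.DOTALL,
)


class RejectedXML(ValueError):
    """Raised when an inbound document carries DTD features the gate does not accept."""


def screen_xml(document: str) -> list:
    """Return findings about DTD features in the raw text; an empty list means clean.

    Runs on the raw text before any XML parser touches the message, so the
    result does not depend on parser-specific entity handling.
    """
    findings = []
    if _DOCTYPE_RE.search(document):
        findings.append("doctype")
    for match in _ENTITY_RE.finditer(document):
        uri = match.group("sys") if match.group("sys") is not None else match.group("pub")
        kind = "parameter-entity" if match.group("param") else "external-entity"
        findings.append("%s:%s:%s" % (kind, match.group("name"), uri))
    return findings


def accepts(document: str) -> bool:
    """True when the gate would pass the document on to the parser."""
    return not screen_xml(document)


def parse_inbound(document: str) -> ET.Element:
    """Reject any message with DTD features, then parse it with the stdlib parser."""
    findings = screen_xml(document)
    if findings:
        raise RejectedXML("rejected inbound XML: " + ", ".join(findings))
    return ET.fromstring(document)


# Constructed sample messages (not taken from the talk or from SAP):
BENIGN = '<?xml version="1.0"?><order><id>42</id><amount>100.00</amount></order>'
# The XXE shape behind "XML tunneling": an external entity whose URI names a host
# that the parser can reach but the sender cannot. Host and port are placeholders.
TUNNELED = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE m [<!ENTITY r SYSTEM "http://internal-host.example:3300/">]>'
    "<m>&r;</m>"
)
# Parameter-entity variant; the gate rejects it for the same reason.
PARAM = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE m [<!ENTITY % p SYSTEM "http://internal-host.example/dtd">%p;]>'
    "<m/>"
)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("tunneled", TUNNELED), ("param", PARAM)):
        try:
            root = parse_inbound(doc)
            print(label, "accepted, root element:", root.tag)
        except RejectedXML as exc:
            print(label, "->", exc)
```

The gate deliberately errs on the side of rejection: a DOCTYPE inside a CDATA section or a comment also trips it, which is acceptable for a machine-to-machine interface where no legitimate message carries a DTD. On a J2EE stack such as SAP PI the equivalent setting is to configure the JAXP parser with the `http://apache.org/xml/features/disallow-doctype-decl` feature set to true, so that the parser itself refuses a DOCTYPE before any entity is resolved; the text-level screen above is the vendor-neutral version of the same policy and also gives you a log line naming the entity and URI for detection.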
SAP has been working closely with the speaker to ensure its customers are well protected, and has received technical background information on the content of the presentation. The presentation describes possible attacks that exploit weaknesses in the parsers used to process XML. These weaknesses affect many software vendors, including SAP. As a result of this early cooperation with the researchers, SAP was able to fix the vulnerability well in advance of the presentation, and has provided security patches on the monthly patch day back in June 2012 (SAP Security Note 1707494) and further protection as part of the July patch day (SAP Security Notes 1723641 and 1721309). If you haven't already applied these fixes, SAP strongly recommends doing so.
– SAP AG warned its customers on their web portal and honored the researchers by dedicating a special security note to the presentation.
But we know that users still don't implement all patches in due time. That's why we are concentrating on proactive monitoring of SAP systems. We are adding checks for 0-day vulnerabilities and their remediation into the ERPScan system to prevent possible attacks. We are also checking custom-based issues in ABAP code, like vulnerabilities and possible backdoors. What's more, we saw an example of a backdoor in an SAP system which was left in the ABAP code by the developer. This backdoor was intended for stealing money out of some payments.
– Alexander said.
While the presented issue has been successfully patched by SAP, a similar problem was found 2 weeks ago in the Oracle JVM. That means that any business system based on J2EE that uses XML to transfer data, such as PeopleSoft or Oracle EBS, can potentially be vulnerable to an SSRF-style attack.
The presentation called "SSRF vs business-critical applications. XXE Tunneling in SAP" can be downloaded here.