Assessing and testing the security of an ERP environment is a challenging venture. Because of that and due the overall complexity and the business significance, ERP security should be designed with a holistic approach, focusing on some specific components could result in interesting findings.
The landscape of any actual ERP installation is comprised of several different components, each one showing their own attack surface and security posture. The attack paths and entry points can be very diverse, ranging from web applications and services to proprietary binary protocols. This is also true for SAP environments, which can be summarized as follows:
- Systems: Are the main building blocks of SAP Netweaver and are commonly divided by their usage type, such as Business Intelligence, Development Infrastructure, Enterprise Portal or Applications Servers in both stacks ABAP and Java.
- Standalone Engines: Are additional installable software units, such as the NW Identity Management, GRC components or the Web Dispatcher.
- Administration Systems: Are shared services running on central systems, used for administration and monitoring of main systems.
- Clients: These are additional tools or programs that can be reside on user’s workstations, such as the SAPGUI desktop application or Netweaver Developer Studio tools.
All these components are commonly distributed across different environments and work in an interconnected manner using different network protocols. The information flowing using these protocols and the way the different service endpoints make use of that information, is always an interesting entry point for assessing the security posture of an environment. Some of the protocols in use are:
- Remote Function Call (RFC): proprietary protocol used for communications between SAP systems and between external systems. Using this protocol, applications can use RFC to perform a remote function call in other systems.
- P4: transfer protocol for Remote Method Invocation (RMI) communications when using the Visual Administrator on Application Server Java stacks.
- Router: SAP Router is a program that acts as an application-level gateway in connections between internal SAP systems or to provide access control to external networks.
- Dynamic Information and Action Gateway (Diag): is the network protocol used for communications between the GUI application client and ABAP application servers.
At Core Security Consulting Services we have a tested and mature methodology to perform proactive security assessments and deliver penetration testing services. As part of our day-to-day research methodology we decided to setup a lab where we put into practice, our penetration testing methodology to assess a SAP environment. We managed to identify several threats that we decided to analyze with the goal of identifying vulnerabilities.
We started by analyzing the Diag protocol to fill the gap of security knowledge and gaining better understanding of the potential risks it could pose. We applied our methodology to run through the process of a security assessment for all the components that make use of the protocol under analysis. As a first step, we gather information about the protocol and available tools. Then, we moved forward with the analysis of the protocol and investigating its key elements. One of the most valuable techniques we used was mimicking valid protocol packets and commands, allowing us to interact with the different components without running through the limitations of the available tools. Malformed packets, invalid payloads and others were just part of the menu of techniques we used to identify vulnerabilities.
We were able to develop a set of tools that were complemented with manual tests, allowing confirmation of the presence of security vulnerabilities. Effective techniques lead to concrete results, we were able to identify and report 6 vulnerabilities that were fixed by the vendor, and delivered as a CORE Impact Professional exploit so customers can assess their own systems. Furthermore, this kind of knowledge allows us to perform more comprehensive assessments, for instance targeting environments where SAP systems are crucial or applying cross-vector testing to reveal attack paths across heterogeneous and complex infrastructures.
Security Consultant, CORE Security
I will be presenting more details in my DEFCON 20 presentation in Las Vegas later this month.