HitB2012AMS: Inception of the SAP Platformâ€™s Brain: Hacking the SAP Solution ManagerFrank Breedijk
Onapsis focuses on the security of ERP systems and is constantly researchng the vulnerability of these systems. They also develop systems to secure SAP system.
The information in SAP systems is usually of high value it can be used for espionage, sabotage and fraud. It is therefore therefore surprising that over 95% of the SPA systems tested by Juan Pablo company is exposed to these attacks. Without the need for credentials to perform these attacks.
The SAP Solution manager
The SAP solution manager is required in every SAP implementation. It is the central point of administration for the SAP systems. The solution manager itself does not hold any business information, only technical information and in hosted scenario’s it often connects to multiple SAP solutions of different customers.
The solution manager is used to manager users, download and install patches, etc.
Step 1: Compromised a satellite system
If not compliant with BIZEC TEC/11 an anonymous attacker could easily compromise a satellite SPA system, because many vulnerabilities exist.
Juan Pablo demonstrates an attack abusing default account settings.
Step 2: Escalate from satellite to Solution manager
From the satellite system you can easily connect back to the solution manager by default.
Step 3: Compromise another satellite
The SPA Solution Manager is highly dependent on the Gateway. I fthe attacker kanws/guesses the TPNAME and the Gateway is not protected (by default) then all Gateway attacks are possible.
Some SAP systems use Central User Administration (CUA). The solution manager is the CUA mster. If it is compromised, any user can be created with any privileges.
Another often installed service is the CCSM monitoring services. It too can be used to compromised satellite systems.
This attack is demonstrated by Juan.
Alternative step 1 & 2: Solution Manager Diagnostics
By default SAP installation run SMD which has two vulnerabilities that allow you to make a connection to the SAP solution manager.
Again the attacks are demonstrated by Juan Pablo.
If an attack breaks into the SAP solution manager the game is over.
Trust relationships are needed in most SAP implementations, but are vulnerable
If possible don’t used the same solution manager for different SAP systems with different security requirements
All SAP systems must be secured, a single insecure SAP system can destroy the security of all connected systems.
Do not expose the Solution Manager
Restrict network access to the SAP systems.
Update your SAP system
Presentation materials available from http://conference.hitb.org/hitbsecconf2012ams/materials/
ABOUT JUAN PEREZ-ETCHEGOYEN
Juan Perez-Etchegoyen is the CTO of Onapsis, leading the Research and Development teams that keep the company in the cutting-edge of the ERP security field. Juan is fully involved in the design, research and development of all the innovative Onapsis software solutions. Responsible for managing the Onapsis Research Labs, Juan has also been actively involved in the coordination and research of critical security vulnerabilities in ERP applications and business-critical infrastructure, such as SAP, Oracle and JD Edwards.
He has extensive experience in the information security field, being involved in large research, penetration testing, vulnerability assessment and security implementations projects, among other kind. As a result of his research work and experience, Juan has been invited to lecture and train in security conferences such as BlackHat, HITB Malaysia and Ekoparty, as well as to host private trainings on different aspects of information security for Global Fortune-100 organizations.