Hey Rex,
As you have mentioned (thanks for the kudos), I have conducted a
blackbox assessment of the SAP RFC interface a while ago, which result
was the
"Attacking the Giants: Exploiting SAP Internals" whitepaper
(http://www.cybsec.com/upload/bh-eu-07-nunez-di-croce-WP_paper.pdf).
In this paper I have detailed different attack vectors against SAP
Application Servers, as well as External Servers working with the RFC
Library.
As a result, I have developed sapyto, an opensource SAP Penetration
Testing Framework (http://www.cybsec.com/vuln/tools/sapyto.tgz).
sapyto is a plugin-based architecture and the current available
version (0.93) was shipped with the following ones:
Audit:
. RFC ping
. Registration of External Servers (checking Gateway security)
. Detection of RFCEXEC.
. Detection of SAPXPG.
. Get system information through RFC_SYSTEM_INFO.
. Get External Server documentation.
Attack:
. Execute remote os commands through RFCEXEC.
. Execute remote os commands through SAPXPG.
. StickShell (block connections from other clients).
. EvilTwin (registers a twin registered server, hijacking RFC calls
and for callback attacks)
. Get remote RFCShell (purely RFC-based os commanding)
Tools:
. RFC password obfuscator/de-obfuscator
Regarding practical experience, I can tell you that we use sapyto in
our SAP pentest projects and we have been able to penetrate the
systems many
times...
Hope this helps,
----------------------------------------------------------
Mariano Nuñez Di Croce
CYBSEC S.A. Security Systems
Email: mnunez@cybsec.com
Tel/Fax: (54-11) 4371-4444
Web: http://www.cybsec.com
PGP: http://www.cybsec.com/pgp/mnunez.txt
---------------------------------------------------------
RexRufi wrote:
Hello,
I am preparing to conduct black-box and white-box pen testing against
an SAP architecture. One of my concerns in the architecture is the
usage of RFC to communicate from less-trusted to more-trusted security
zones. I picture this architecture having both RPC-like
vulnerabilities (e.g. ability to enumerate services, potentially
execute calls to perform unauthorized actions) and SQL Injection-like
vulnerabilities (e.g. ability to manipulate messages from A to B that
flow through a trusted RFC channel once I compromise A).
I have three main questions:
1- Has anyone successfully performed, or seen (e.g. actual attack), an
attack where RFC was used as the vector? I have never pen-tested RFC,
but I picture that it could be similar to hacking RPC, which I have
done.
2- Is it possible to "inject" commands into RFC messages from
component A to component B? I'm picturing the RFC calls as being
analogous to database calls (in some ways) between an application and
its back-end database. In this situation, one could use "SQL
injection" techniques to pass information to the database (e.g. by
inserting it into a variable that has not been appropriately
sanitized) and the database will interpret it as a command. More
specifically, is there any opportunity to modify the command portion
of an RFC call by manipulating data that is passed into the call?
3- If you've done this, what RFC calls did you find to be most useful
for exploitation of the host layer? (I have read Mariano Nunez Di
Croce's excellent presentation from CYBSEC on exploiting SAP so I have
some idea, but I'm interested to hear stories where anyone has
leveraged these in practice)
Thanks for your insight,
Rex
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
