Compromising SAP by exploiting the RFC Gateway


Introduction

Some SAP vulnerabilities cannot be "patched", because they are not caused by a bug in a program but by the insecure configuration of a service or component. Sometimes the only way to protect an SAP system is to activate and maintain access control lists (ACLs), which can quickly turn into a nightmare because SAP is interconnected with many other systems. The SAP RFC Gateway is one of these components: even on a fully patched system, a misconfigured gateway leaves a critical hole.

SAP Gateway service

The SAP RFC Gateway is a technical component of every SAP instance. It handles RFC communication between the SAP system and the outside world, whether other SAP systems or third-party interfaces. By default the gateway listens on TCP port 33xx, where xx is the two-digit system (instance) number, so the port alone reveals the instance number to a scanner.

Access to the SAP RFC Gateway is controlled by two ACL files: reginfo and secinfo.

The reginfo file

External RFC server programs may register themselves at the gateway under a program ID so that the SAP system can call them. The reginfo file controls this: which program IDs may be registered, from which hosts, which hosts may use a registered program and which hosts may cancel its registration. The path of the file is defined by the profile parameter gw/reg_info.

Default is /usr/sap/<SID>/<INSTANCE>/data/reginfo

If this file does not exist, no check is performed and any program may be registered from any host (from kernel 7.20 onwards the parameter gw/acl_mode governs this case; see SAP Note 1480644).

Note that reginfo entries are evaluated at registration time only. Changes to the file do not affect programs that were successfully registered before the change, so after tightening reginfo you should review the registered programs in transaction SMGW and cancel those the new rules would refuse.

The secinfo file

The secinfo file specifies which external programs may be started through the gateway, which users may start them and from which hosts (on older kernels it also covered registration of external servers, which current kernels handle in reginfo as described above). In short, secinfo exists to prevent the unauthorized start of external programs.

The path is defined by the profile parameter gw/sec_info, with the default /usr/sap/<SID>/<INSTANCE>/data/secinfo

If this file does not exist, the gateway starts any external program for anyone (again subject to gw/acl_mode on kernel 7.20 and later).

If the file exists but is empty, no external program can be started at all.

Before starting an external program, the gateway reads secinfo top-down and applies the first line that matches the program, the user and the hosts involved; if a deny line matches first, the start is refused.
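To make the semantics of the two files concrete, here is an added example (written for this article, not SAP code and not part of the original page): a small evaluator that parses constructed reginfo and secinfo files in the #VERSION=2 syntax and answers the three questions the gateway asks, namely may this program ID be registered from this host, may this client use the registered program, and may this user start this external program from that host. The host keywords *, local and internal, subnet masks and the first-matching-line rule are implemented as documented; the default values assumed for omitted attributes, the deny-when-nothing-matches fallback and the sim_mode flag (which mimics what gw/sim_mode does, reporting a denial without enforcing it) are simplifications and are marked ASSUMED in the code. The sample files and host names are invented.

```python
"""Miniature evaluator for SAP RFC Gateway reginfo/secinfo ACL files.

Added example (not SAP code, not from the original article). It models the
first-matching-line semantics so a hardened file can be reviewed offline.
Anything marked ASSUMED is a simplification of the real gateway.
"""
import ipaddress
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed sample files for an imaginary system (not from a real
# installation). Both end with an explicit deny-all line, as SAP recommends.
REGINFO = """\
#VERSION=2
P TP=IGS.* HOST=internal ACCESS=internal CANCEL=internal
P TP=TAXCALC HOST=10.18.4.0/24 ACCESS=internal CANCEL=local
D TP=*
"""
SECINFO = """\
#VERSION=2
P TP=sapxpg USER=* USER-HOST=internal HOST=internal
D TP=*
"""

_KV = re.compile(r"(?P<key>[A-Z-]+)=(?P<val>\S+)")


@dataclass
class Rule:
    permit: bool   # P (permit) or D (deny)
    attrs: dict    # TP=, HOST=, USER=, USER-HOST=, ACCESS=, CANCEL=


@dataclass
class Site:
    local: str     # host the gateway runs on (keyword "local")
    internal: set  # all application servers of the system (keyword "internal")


def parse_acl(text):
    """Parse reginfo/secinfo text into an ordered list of rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # blank, #VERSION or comment
            continue
        kind, _, rest = line.partition(" ")
        if kind not in ("P", "D"):
            raise ValueError(f"unrecognised ACL line: {line!r}")
        rules.append(Rule(kind == "P", {m["key"]: m["val"] for m in _KV.finditer(rest)}))
    return rules


def _host_ok(pattern, host, site):
    """One entry of a host list: *, local, internal, a subnet mask or a name."""
    p, h = pattern.lower(), host.lower()
    if p == "*":
        return True
    if p == "local":
        return h == site.local.lower()
    if p == "internal":
        return h == site.local.lower() or h in {x.lower() for x in site.internal}
    if "/" in p:                               # subnet mask such as 10.18.4.0/24
        try:
            return ipaddress.ip_address(h) in ipaddress.ip_network(p, strict=False)
        except ValueError:                     # a host name never matches a subnet
            return False
    return fnmatchcase(h, p)                   # ASSUMED: only '*' is meaningful


def _hosts_ok(spec, host, site):
    """Comma-separated host list: any entry may match."""
    return any(_host_ok(p, host, site) for p in spec.split(","))


def _first_match(rules, predicate):
    """Top-down scan; the first matching line decides."""
    for n, rule in enumerate(rules, 1):
        if predicate(rule.attrs):
            return n, rule
    return None, None


def _decide(n, rule, fname, sim_mode):
    """(allowed, reason). No match -> deny (ASSUMED conservative fallback; the
    samples end with D TP=* so it is never reached). sim_mode mirrors
    gw/sim_mode: a denial is reported but the request is let through."""
    if rule is None:
        allowed, reason = False, f"{fname}: no matching rule"
    else:
        allowed, reason = rule.permit, f"{fname} line {n}"
    if sim_mode and not allowed:
        return True, f"SIMULATION: would be denied by {reason}"
    return allowed, reason


def check_registration(reginfo, tp, host, site, sim_mode=False):
    """May program ID `tp` be registered from `host`? (reginfo TP/HOST)"""
    n, rule = _first_match(reginfo, lambda a: fnmatchcase(tp, a.get("TP", "*"))
                           and _hosts_ok(a.get("HOST", "*"), host, site))
    return _decide(n, rule, "reginfo", sim_mode)


def check_access(reginfo, tp, reg_host, client_host, site):
    """May `client_host` use a program registered from `reg_host`?
    The ACCESS list of the permitting reginfo line decides; ASSUMED default '*'."""
    allowed, _ = check_registration(reginfo, tp, reg_host, site)
    if not allowed:
        return False
    _, rule = _first_match(reginfo, lambda a: fnmatchcase(tp, a.get("TP", "*"))
                           and _hosts_ok(a.get("HOST", "*"), reg_host, site))
    return _hosts_ok(rule.attrs.get("ACCESS", "*"), client_host, site)


def check_start(secinfo, tp, user, user_host, host, site, sim_mode=False):
    """May `user`, calling from `user_host`, start program `tp` on `host`?"""
    n, rule = _first_match(secinfo, lambda a: fnmatchcase(tp, a.get("TP", "*"))
                           and fnmatchcase(user, a.get("USER", "*"))
                           and _hosts_ok(a.get("USER-HOST", "*"), user_host, site)
                           and _hosts_ok(a.get("HOST", "*"), host, site))
    return _decide(n, rule, "secinfo", sim_mode)


if __name__ == "__main__":
    site = Site(local="sapapp01", internal={"sapapp01", "sapapp02"})
    reg, sec = parse_acl(REGINFO), parse_acl(SECINFO)
    print(check_registration(reg, "TAXCALC", "10.18.4.17", site))   # permitted by line 2
    print(check_registration(reg, "EVILSRV", "203.0.113.5", site))  # denied by line 3
    print(check_start(sec, "/bin/sh", "ANY", "203.0.113.5", "sapapp01", site))
```

Feeding an empty secinfo to check_start reproduces the behaviour described above (nothing matches, so nothing may be started), and running the same requests with sim_mode=True is the offline equivalent of the simulation mode recommended later in this article: every request that the final rules would refuse is reported as such while still being allowed, which is what you want to see before switching enforcement on.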

Threats against the SAP RFC Gateway

If secinfo and reginfo are missing or misconfigured, an attacker can register any program at the gateway and obtain unauthorized access to the SAP server. It is also possible to register a "new" program with malicious functionality under the same program ID as one that already exists, so that calls intended for the legitimate server are delivered to the attacker's program and are processed with the rights of the user the legitimate server runs as. Once a dangerous program is registered, operating system commands can be executed remotely and anonymously.

The impact is critical:

  • Read, modify or delete any data in the database
  • Unauthorized execution of operating system commands
  • Denial of service

Attack scenario

Below is an attack scenario that exploits incorrectly configured ACL files of the SAP RFC Gateway service:

  • Scan the exposed SAP services to find the RFC Gateway port and derive the SAP system number from it.

  • Check whether remote registration of a program at the RFC Gateway is possible.

  • Execute OS commands remotely without any authentication, followed by a post-exploitation example.


Remediation and conclusion

Several actions are required to mitigate attacks against the SAP RFC Gateway.

  • Activate the SAP RFC Gateway logging; it is disabled by default.
  • Study the log content to identify the legitimate clients and programs that need to communicate with the gateway.
  • Use the simulation mode while evaluating the secinfo and reginfo ACL files, so that a rule that is too strict is reported rather than enforced and no business flow is interrupted during the evaluation.

Relevant SAP Notes on this subject:

910919 - Setting up Gateway logging
1069911 - GW: Changes to the ACL list of the gateway (reginfo)
1425765 - Generating sec_info reg_info
1408081 - Basic settings for reg_info and sec_info
614971 - GW: Changes to the ACL list of the gateway (secinfo)
1910365 - GW: Extended check for "reg_info" and "sec_info"
2021627 - GW: Improvements in gateway logging
2355548 - GW: New function in display of gateway logging control
