Malware… the entry point could be your SAP System

CERT-DVT Sécurité SAP


Introduction

Security researchers from ERPScan discovered a vulnerability in SAP GUI and disclosed it at the last Troopers conference.

The vulnerability does not directly affect the SAP system itself but the client used to connect to it: SAP GUI. SAP GUI, the SAP Graphical User Interface, is software provided by SAP AG that lets end users remotely access an SAP system. It is installed on practically every workstation of an SAP user. SAP administrators use it too, of course, and sometimes in a highly privileged environment…


The vulnerability

SAP GUI is able to perform certain actions on the workstation where it is installed, such as reading, writing or executing files. For example, when you save an Excel export from SAP on your workstation, it is SAP GUI that performs that action. The security of this kind of action is governed by security rules in each SAP GUI installation (saplogon.exe / top-left icon / Options / Security). What the researchers found is that one of these rules, the one related to regsvr32.exe, is not set correctly and leads to dangerous behaviour: Windows applications can be read, written or executed without the security popup asking the user for confirmation.
It gets worse: regsvr32.exe is well known for being able to execute commands fetched from a remote HTTP server.
Basically all versions of SAP GUI for Windows prior to 7.40 SP012 are vulnerable. To check whether you are vulnerable, click the top-left icon of saplogon.exe, then "About SAP Logon…"; the version information and support package level are displayed.


Attack scenario & PoC

Customers sometimes ask us "OK, but what could you practically do after compromising our SAP system?". The scenario below is a good answer to this question.
As a prerequisite, we had already compromised an SAP system. This is not a big deal; there are many ways to do that, see our previous articles for examples: Oracle OPS$, SAP Injection, HANA Trexnet or SAP Gateway.

  • 1) The attacker prepares a malicious .sct file on his machine and shares it:

This script launches cmd.exe, displays a message and then waits 60 seconds.
It is our PoC "very bad malware".

  • 2) On the compromised SAP system, the attacker creates an ABAP report that calls the function module WS_EXECUTE with the desired parameters:

  • 3) To force every SAP user to execute this malicious report at login, a few more actions are needed on the SAP system: create a transaction for the report, create a role containing this transaction, mass-assign this role to every user, and last but not least force execution of this transaction at login for everyone.

Yes, this could raise critical alerts in the security audit log and trace entries (if they are properly enabled). But since we hold SAP_ALL on this SAP system, we are also able to tamper with the security logs…
And yes, it could all be automated.

  • 4) On Monday morning, when users log into SAP as usual, they get our surprise:

The user logs into SAP, which silently executes the transaction Z_SAPGUI_RCE with the malicious ABAP report; the report calls regsvr32.exe with the attacker's malicious code on the user's workstation. In our example, it is just a command-line window with a message and a timeout… but far worse things could happen here.
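The observable left by step 4 is that many different users start the same custom transaction within a second or two of logging in. The following detection heuristic is an added example, not code from the original article: it runs over a constructed, simplified event list (not the real SAP Security Audit Log layout) and flags custom (Z*/Y*) transactions started by several distinct users right after their login.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, event type, transaction code).
# This is a simplified stand-in, not the real SAP Security Audit Log format.
SAMPLE_EVENTS = [
    ("2017-03-27 08:00:01", "ALICE", "LOGIN", ""),
    ("2017-03-27 08:00:02", "ALICE", "TX_START", "Z_SAPGUI_RCE"),
    ("2017-03-27 08:00:09", "ALICE", "TX_START", "VA01"),
    ("2017-03-27 08:01:10", "BOB", "LOGIN", ""),
    ("2017-03-27 08:01:11", "BOB", "TX_START", "Z_SAPGUI_RCE"),
    ("2017-03-27 08:03:40", "CAROL", "LOGIN", ""),
    ("2017-03-27 08:03:41", "CAROL", "TX_START", "Z_SAPGUI_RCE"),
    ("2017-03-27 08:05:00", "DAVE", "LOGIN", ""),
    ("2017-03-27 08:06:30", "DAVE", "TX_START", "ZREPORT_OK"),  # 90 s after login: a user choice
    ("2017-03-27 08:07:00", "ERIN", "LOGIN", ""),
    ("2017-03-27 08:07:01", "ERIN", "TX_START", "SU01"),  # standard SAP transaction, ignored
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_forced_start_transactions(events, window_s=5, min_users=3):
    """Return the custom (Z*/Y*) transaction codes that at least `min_users`
    distinct users started within `window_s` seconds of their own login.
    Such a pattern is what a transaction forced at login looks like."""
    last_login = {}                 # user -> time of most recent login
    users_by_tx = defaultdict(set)  # tcode -> users who started it right after login
    for ts, user, kind, tcode in sorted(events, key=lambda e: parse_ts(e[0])):
        when = parse_ts(ts)
        if kind == "LOGIN":
            last_login[user] = when
        elif kind == "TX_START" and tcode[:1] in ("Z", "Y"):
            login = last_login.get(user)
            if login is not None and when - login <= timedelta(seconds=window_s):
                users_by_tx[tcode].add(user)
    return {tc for tc, users in users_by_tx.items() if len(users) >= min_users}


if __name__ == "__main__":
    for tcode in sorted(find_forced_start_transactions(SAMPLE_EVENTS)):
        print(f"suspicious login-time transaction: {tcode}")
```

Tune `window_s` and `min_users` to the environment; legitimate start-up transactions configured for a whole department will also match and need to be allow-listed.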


Remediation and conclusion

Because of this vulnerability, SAP could be the entry point for any malware into your network: ransomware, rootkit, keylogger, trojan… and all of it without any user interaction.

Remediation is described in SAP Security Note "2407616 – Remote Code Execution vulnerability in SAP GUI for Windows".
If you are not using a custom SAP GUI Security Module file (saprules.xml), the fix is as simple as applying the patch.
Patching SAP GUI has little impact on business workflows; it is not a big SAP upgrade and can be done relatively quickly.
You should consider doing it as soon as possible.

Check out our SAP Security offer:
http://www.devoteam.fr/en/offers/risk-security/expert-articles/secure-your-sap-against-new-threats

  • SAP Audit Assessment
  • SAP Penetration Testing
  • Remediation Process
  • Training
  • etc.