In July 2016, SAP has corrected a vulnerability in SAP Netweaver, every versions concerned : a SQL and Code injection, SAP Note 2311011 and 2319506. This bug was found and reported by Devoteam.
The SAP disclosure guideline doesn?t allow us to detail it, however this article will explain the risk and impacts related to this kind of vulnerability in SAP system.
Types of injection in SAP
The proprietary programming language of SAP is ABAP, stands for Advanced Business Application Programming. Proprietary doesn?t mean secure. An ABAP program is subject to various security problems such as : directory traversal, cross client access, module execution, but also Code injection, SQL injection and OS injection.
Yes, natively ABAP language could perform an OS command or SQL statement. So it could be potentially vulnerable to this type of injection in addition to the ABAP injection itself, also called Code injection.
Code injection : Coding that dynamically creates and executes ABAP programs based on user input on a productive system, bypassing SE80 and the concept of a three-tier-system landscape.
Here an ID is expected by the program. But we are also able to add some ABAP code directly. For example make a privilege escalation using a SQL statement.
SQL injection : Coding that executes arbitrary (input-based) native SQL commands on the SAP database, bypassing any Open SQL restriction.
Here, an order command is expected, but this entry could be abuse by SQL injection. For example gathering information of database.
OS injection : Coding that executes arbitrary (input-based) commands on the operating system, bypassing the allowed commands specified in transaction SM49/SM69 and S_LOG_COM authorizations.
Here, the function module waits for a hostname, but it?s possible to directly execute command in OS level.
These kind of vulnerabilities aren?t rare on SAP : 136 injections has been corrected since 2010, with 17 last year.
Threat related to SAP injections
Generally, an authentified SAP user is necessary to exploit the vulnerable function module or report. However, the ease of exploitation and impacts are so important that these vulnerabilities are often classified as critical.
As example, following the CVSS information about SAP security note 2319506 :
CVSS v3 Base Score: 7.2 / 10
CVSS v3 Base Vector:
|AV : Attack Vector||Network (N)|
|AC : Attack Complexity||Low (L)|
|PR : Privileges Required||High (H)|
|UI : User Interaction||None (N)|
|S : Scope||Unchanged (U)|
|C : Impact to Confidentiality||High (H)|
|I : Impact to Integrity||High (H)|
|A : Impact to Availability||High (H)|
Impacts are :
- Read, modification or delete of database content
- Unauthorized execution of operating system command
- Deny of service
So a full compromise of SAP System.
Below an attack scenario using a SAP injection.
- Infection, through a malware, of a SAP end user workstation, then transfer of the sapshortcut.ini.
- Retrieve the encrypted password in it.
- Connection to SAP System using this credential (this is a not an administrator account).
- Gathering informations of the SAP system : Versions, components, type of database, etc. Then exploit a unpatched function module with an OS injection
- Take the control of SAP server, then perform post-exploitation (such as user creation, deny of service, or download confidential data)
Attacker could stop the SAP system.
Remediation et conclusion
There are not many alternatives to ensure this type of attack : it is necessary to correct vulnerables programs and reduce the SAP identity theft… This is neither quick, nor easy in production SAP landscape.
Applying SAP Security patchs as soon as possible, activate SAP Security logs, auditing SAP systems and create a global action plan to reduce the risk of injection exploitation appear essential.
Check out our SAP Security offer :
- SAP Audit Assessment
- SAP Penetration Testing
- Remediation Process