Large enterprises! Attack client for SAP security (1)

Bkjia.com exclusive Article] in the complex information security processing process, one of the most important tasks is the security of business application software. Today, the SAP platform is the most widely used platform for managing enterprise systems and storing the most important data. Unfortunately, the security concerns of SAP are still insufficient. We have introduced in detail some attack methods against the SAP client through the instance, hoping that this will attract sufficient attention from security personnel.

I. Introduction

One of the most important tasks in complex information security processing is the security of business application software. Today, the SAP platform is the most widely used platform for managing enterprise systems and storing the most important data. Unfortunately, the security concerns of SAP are still insufficient. In fact, there are still many problems at various levels of the SAP system, such as the network level, business system level, database level, application level, and representation level, that is, the SAP client. There are many articles about the security of SAP servers, but it is rare to introduce the security of SAP clients. In fact, even if the SAP server environment is secure, as long as there is a leak on the SAP client, the security of the entire system will crash due to the Barrel Principle.

In this article, we will discuss the security of the SAP client. The SAP client may launch attacks not only from the enterprise network, but also from the enterprise network and the public network of the user workstation that has the right to access the SAP server and key business data.

Ii. Use the overflow vulnerability to attack the SAP Client

SAPGUI is a standard application that connects to SAP and uses relevant data. This application is installed on almost all SAP client workstations in large companies that use SAP.

Like other applications with complex structures, this application also has many vulnerabilities. In view of the popularity of this application, the severity of vulnerabilities found in SAPGUI is comparable to that in IE browser or Microsoft office software. The Windows infrastructure is easy to update, and the Administrator will also receive notifications about severe Windows vulnerabilities, but the SAP client is different. There are two major security issues on the SAP client. One is that the client software does not automatically update the system, and the other is that there is still a lack of information on the existing problems and solutions.

Because the SAP system is accessed through a browser, the XSS security vulnerability on the SAP Web server may cause various attacks against the SAP client and increase the possibility of attacking the SAP client.

In this article, we will further examine various vulnerabilities in sap gui client applications and SAP Web servers, as well as buffer overflow in sap gui application SAPlpd components.

Early last year, security experts discovered some buffer overflow vulnerabilities in SAPlpd and SAPsprint components. The SAPlpd component is part of the sap gui of the customer application installed on each SAP User workstation and runs on port 515 to provide the Print Service. Many vulnerabilities have been found in the protocols used by SAPlpd. These vulnerabilities allow attackers to remotely control vulnerable systems, perform denial-of-service attacks, or stop printing services. Details of these vulnerabilities can be found in SAP's official report. The main feature is that vulnerable service ports are disabled by default and are only enabled when the user prints the next document. At first glance, this feature makes it more difficult to attack user workstations. In fact, this is not the case.

Considering that SAP companies generally have hundreds or even thousands of SAP users, it is very likely that someone can print documents at a given time. Therefore, you can write a script to scan the network, search for open ports, and enable the vulnerability when detecting open ports. Use the code to quickly obtain the management and access permissions of workstation of vulnerable users.

This is not only a theoretical idea, but also a very simple practice. The vulnerability exploitation code for specific security vulnerabilities has been added to the Metasploit framework, and Metasploit can be downloaded free of charge from the Internet. What the attacker needs to do is to select a shell-code to be used on the client, and then use the db_autopwn module to add a column of IP addresses of the customer workstation. If the version of SAPlpd has vulnerabilities and the user starts the Print Service at the moment, the attacker can obtain access permission 1 for the user's workstation ). In fact, 67% of SAPGUI installations are vulnerable to such attacks.

Figure 1 obtain access permissions for SAP clients with SAPlpd Security Vulnerabilities

After obtaining the access permission from the user's workstation command prompt, attackers can do something more out of the box. For example, they can install a Trojan horse to steal the user's password or extract the user's password from sapiconcept. the ini configuration file reads the user certificate so that you can directly access the SAP server and key business data.