Penetration Testing mailing list archives
Re: SAP - Remote Function Call (RFC) hacking
From: "Mariano Nuñez Di Croce" <mnunezdicroce () gmail com>
Date: Fri, 18 Apr 2008 13:16:14 -0300
Hey Rex, As you have mentioned (thanks for the kudos), I have conducted a blackbox assessment of the SAP RFC interface a while ago, which result was the "Attacking the Giants: Exploiting SAP Internals" whitepaper (http://www.cybsec.com/upload/bh-eu-07-nunez-di-croce-WP_paper.pdf). In this paper I have detailed different attack vectors against SAP Application Servers, as well as External Servers working with the RFC Library. As a result, I have developed sapyto, an opensource SAP Penetration Testing Framework (http://www.cybsec.com/vuln/tools/sapyto.tgz). sapyto is a plugin-based architecture and the current available version (0.93) was shipped with the following ones: Audit: . RFC ping . Registration of External Servers (checking Gateway security) . Detection of RFCEXEC. . Detection of SAPXPG. . Get system information through RFC_SYSTEM_INFO. . Get External Server documentation. Attack: . Execute remote os commands through RFCEXEC. . Execute remote os commands through SAPXPG. . StickShell (block connections from other clients). . EvilTwin (registers a twin registered server, hijacking RFC calls and for callback attacks) . Get remote RFCShell (purely RFC-based os commanding) Tools: . RFC password obfuscator/de-obfuscator Regarding practical experience, I can tell you that we use sapyto in our SAP pentest projects and we have been able to penetrate the systems many times... Hope this helps, ---------------------------------------------------------- Mariano Nuñez Di Croce CYBSEC S.A. Security Systems Email: mnunez () cybsec com Tel/Fax: (54-11) 4371-4444 Web: http://www.cybsec.com PGP: http://www.cybsec.com/pgp/mnunez.txt --------------------------------------------------------- RexRufi wrote:
Hello, I am preparing to conduct black-box and white-box pen testing against an SAP architecture. One of my concerns in the architecture is the usage of RFC to communicate from less-trusted to more-trusted security zones. I picture this architecture having both RPC-like vulnerabilities (e.g. ability to enumerate services, potentially execute calls to perform unauthorized actions) and SQL Injection-like vulnerabilities (e.g. ability to manipulate messages from A to B that flow through a trusted RFC channel once I compromise A). I have three main questions: 1- Has anyone successfully performed, or seen (e.g. actual attack), an attack where RFC was used as the vector? I have never pen-tested RFC, but I picture that it could be similar to hacking RPC, which I have done. 2- Is it possible to "inject" commands into RFC messages from component A to component B? I'm picturing the RFC calls as being analogous to database calls (in some ways) between an application and its back-end database. In this situation, one could use "SQL injection" techniques to pass information to the database (e.g. by inserting it into a variable that has not been appropriately sanitized) and the database will interpret it as a command. More specifically, is there any opportunity to modify the command portion of an RFC call by manipulating data that is passed into the call? 3- If you've done this, what RFC calls did you find to be most useful for exploitation of the host layer? (I have read Mariano Nunez Di Croce's excellent presentation from CYBSEC on exploiting SAP so I have some idea, but I'm interested to hear stories where anyone has leveraged these in practice) Thanks for your insight, Rex ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- SAP - Remote Function Call (RFC) hacking RexRufi (Apr 16)
- <Possible follow-ups>
- Re: SAP - Remote Function Call (RFC) hacking Mariano Nuñez Di Croce (Apr 19)