Penetration Testing mailing list archives
SAP - Remote Function Call (RFC) hacking
From: RexRufi <rexrufi () gmail com>
Date: Tue, 15 Apr 2008 10:42:22 -0400
Hello, I am preparing to conduct black-box and white-box pen testing against an SAP architecture. One of my concerns in the architecture is the usage of RFC to communicate from less-trusted to more-trusted security zones. I picture this architecture having both RPC-like vulnerabilities (e.g. ability to enumerate services, potentially execute calls to perform unauthorized actions) and SQL Injection-like vulnerabilities (e.g. ability to manipulate messages from A to B that flow through a trusted RFC channel once I compromise A). I have three main questions: 1- Has anyone successfully performed, or seen (e.g. actual attack), an attack where RFC was used as the vector? I have never pen-tested RFC, but I picture that it could be similar to hacking RPC, which I have done. 2- Is it possible to "inject" commands into RFC messages from component A to component B? I'm picturing the RFC calls as being analogous to database calls (in some ways) between an application and its back-end database. In this situation, one could use "SQL injection" techniques to pass information to the database (e.g. by inserting it into a variable that has not been appropriately sanitized) and the database will interpret it as a command. More specifically, is there any opportunity to modify the command portion of an RFC call by manipulating data that is passed into the call? 3- If you've done this, what RFC calls did you find to be most useful for exploitation of the host layer? (I have read Mariano Nunez Di Croce's excellent presentation from CYBSEC on exploiting SAP so I have some idea, but I'm interested to hear stories where anyone has leveraged these in practice) Thanks for your insight, Rex ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- SAP - Remote Function Call (RFC) hacking RexRufi (Apr 16)
- <Possible follow-ups>
- Re: SAP - Remote Function Call (RFC) hacking Mariano Nuñez Di Croce (Apr 19)