Re: SAP - Remote Function Call (RFC) hacking

["Mariano Nuñez Di Croce" <mnunezdicroce () gmail com>]

Hey Rex,

 As you have mentioned (thanks for the kudos), I have conducted a
blackbox assessment of the SAP RFC interface a while ago, which result
was the
"Attacking the Giants: Exploiting SAP Internals" whitepaper
(http://www.cybsec.com/upload/bh-eu-07-nunez-di-croce-WP_paper.pdf).
 In this paper I have detailed different attack vectors against SAP
Application Servers, as well as External Servers working with the RFC
Library.

 As a result, I have developed sapyto, an opensource SAP Penetration
Testing Framework (http://www.cybsec.com/vuln/tools/sapyto.tgz).
 sapyto is a plugin-based architecture and the current available
version (0.93) was shipped with the following ones:

 Audit:
 . RFC ping
 . Registration of External Servers (checking Gateway security)
 . Detection of RFCEXEC.
 . Detection of SAPXPG.
 . Get system information through RFC_SYSTEM_INFO.
 . Get External Server documentation.

 Attack:
 . Execute remote os commands through RFCEXEC.
 . Execute remote os commands through SAPXPG.
 . StickShell (block connections from other clients).
 . EvilTwin (registers a twin registered server, hijacking RFC calls
and for callback attacks)
 . Get remote RFCShell (purely RFC-based os commanding)

 Tools:
 . RFC password obfuscator/de-obfuscator

 Regarding practical experience, I can tell you that we use sapyto in
our SAP pentest projects and we have been able to penetrate the
systems many
times...

 Hope this helps,

----------------------------------------------------------
Mariano Nuñez Di Croce

CYBSEC S.A. Security Systems
Email: mnunez () cybsec com
Tel/Fax: (54-11) 4371-4444
Web: http://www.cybsec.com
PGP: http://www.cybsec.com/pgp/mnunez.txt
---------------------------------------------------------


RexRufi wrote:

> Hello,
>
> I am preparing to conduct black-box and white-box pen testing against
> an SAP architecture. One of my concerns in the architecture is the
> usage of RFC to communicate from less-trusted to more-trusted security
> zones. I picture this architecture having both RPC-like
> vulnerabilities (e.g. ability to enumerate services, potentially
> execute calls to perform unauthorized actions) and SQL Injection-like
> vulnerabilities (e.g. ability to manipulate messages from A to B that
> flow through a trusted RFC channel once I compromise A).
>
> I have three main questions:
>
> 1- Has anyone successfully performed, or seen (e.g. actual attack), an
> attack where RFC was used as the vector? I have never pen-tested RFC,
> but I picture that it could be similar to hacking RPC, which I have
> done.
>
> 2- Is it possible to "inject" commands into RFC messages from
> component A to component B? I'm picturing the RFC calls as being
> analogous to database calls (in some ways) between an application and
> its back-end database. In this situation, one could use "SQL
> injection" techniques to pass information to the database (e.g. by
> inserting it into a variable that has not been appropriately
> sanitized) and the database will interpret it as a command. More
> specifically, is there any opportunity to modify the command portion
> of an RFC call by manipulating data that is passed into the call?
>
> 3- If you've done this, what RFC calls did you find to be most useful
> for exploitation of the host layer? (I have read Mariano Nunez Di
> Croce's excellent presentation from CYBSEC on exploiting SAP so I have
> some idea, but I'm interested to hear stories where anyone has
> leveraged these in practice)
>
>
> Thanks for your insight,
>
> Rex
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------