Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

SAP - Remote Function Call (RFC) hacking

From: RexRufi <rexrufi () gmail com>
Date: Tue, 15 Apr 2008 10:42:22 -0400
Hello,

I am preparing to conduct black-box and white-box pen testing against
an SAP architecture.  One of my concerns in the architecture is the
usage of RFC to communicate from less-trusted to more-trusted security
zones. I picture this architecture having both RPC-like
vulnerabilities (e.g. ability to enumerate services, potentially
execute calls to perform unauthorized actions) and SQL Injection-like
vulnerabilities (e.g. ability to manipulate messages from A to B that
flow through a trusted RFC channel once I compromise A).

I have three main questions:

1- Has anyone successfully performed, or seen (e.g. actual attack), an
attack where RFC was used as the vector?  I have never pen-tested RFC,
but I picture that it could be similar to hacking RPC, which I have
done.

2- Is it possible to "inject" commands into RFC messages from
component A to component B?  I'm picturing the RFC calls as being
analogous to database calls (in some ways) between an application and
its back-end database.  In this situation, one could use "SQL
injection" techniques to pass information to the database (e.g. by
inserting it into a variable that has not been appropriately
sanitized) and the database will interpret it as a command.  More
specifically, is there any opportunity to modify the command portion
of an RFC call by manipulating data that is passed into the call?

3- If you've done this, what RFC calls did you find to be most useful
for exploitation of the host layer? (I have read Mariano Nunez Di
Croce's excellent presentation from CYBSEC on exploiting SAP so I have
some idea, but I'm interested to hear stories where anyone has
leveraged these in practice)


Thanks for your insight,

Rex

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: