It is remarkable that this vulnerability was only published in 2012, considering that the SAP gateway is a standard interface of every SAP system, and interfaces in particular should be secured by all means. In the end it was SAP itself that drew attention to the SAP Gateway exploit. One of the most dangerous weaknesses of any SAP system is thus recognized, but still not closed at many SAP customers.
Exploiting the SAP Gateway is shockingly easy. All you need is an SAP system, and any SAP system will do, for example the free NetWeaver-based version that is available to virtually everyone.
The exploit works like this:
From within your own SAP system, create a new connection to the targeted SAP system. Within that connection, calling a particular program (SAPXPG) already gives you full access to the operating system of the "hijacked" SAP system, without specifying a user name or a password at any point in the process. All options are now open to the attacker: with a few commands you could restart the server, delete all data of the SAP system, or create a new user with administrative rights for the SAP system and the operating system.
All that is needed to perform this stunt are the connection data of the target system, and in practice that is a hurdle that is easily overcome:
- A port scan of the SAP gateway port (usually 3300) finds all open SAP gateway servers on the Internet
- A laptop with its own SAP system, plugged into the company's internal network, provides full access to all SAP systems
- A poorly secured development system within the company can be abused for the exploit
Fortunately, this vulnerability is quite simple to close. Only two files need to be created and maintained. Simplified, these two files specify which computers are allowed to connect to the SAP system. But how can you verify that these two files are maintained correctly on all systems in the system landscape?
Well, you could log on to each and every system and manually verify that the SAP Gateway is set correctly. Or you can use the SystemProfiler by Virtual Forge, whose centralized architecture checks the protection of all SAP systems at the push of a button.
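To make the verification concrete, here is an added example (not code from Virtual Forge, SystemProfiler, or SAP) of what such a check has to do with the two gateway files. It assumes the version-2 format of the gateway access control files, commonly called secinfo and reginfo and referenced by the profile parameters gw/sec_info and gw/reg_info (neither name appears in the article): one rule per line, `P` (permit) or `D` (deny) followed by KEY=VALUE pairs, with the first matching rule deciding. The two sample files are constructed, one with the weak "anyone may start anything" setting and one with a hardened setting, and the audit asks whether a host outside the system could start SAPXPG. SAP's `internal` and `local` keywords are modelled simply by letting the caller pass that classification as the host value; the real gateway resolves them itself.

```python
"""Check SAP gateway ACL files for permissive rules and simulate lookups.

Added example, not code from Virtual Forge or SAP. Assumes the version-2
secinfo/reginfo format (files named by the gw/sec_info and gw/reg_info
profile parameters): 'P' or 'D', then KEY=VALUE pairs; first match wins.
All sample file contents are constructed for this example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# Constructed: a secinfo that lets any host start any program (the weak setting).
WEAK_SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
"""

# Constructed: only hosts of the system itself (internal) or the gateway
# host (local) may start programs; everything else is explicitly denied.
HARDENED_SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=internal HOST=internal
P TP=* USER=* USER-HOST=local HOST=local
D TP=* USER=* USER-HOST=* HOST=*
"""


@dataclass
class Rule:
    action: str                                   # 'P' permit or 'D' deny
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_acl(text: str) -> List[Rule]:
    """Parse a version-2 secinfo/reginfo file into an ordered rule list."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                              # blank, comment or #VERSION line
        action, *pairs = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"unexpected rule line: {line!r}")
        attrs: Dict[str, str] = {}
        for pair in pairs:
            key, sep, value = pair.partition("=")
            if not sep:
                raise ValueError(f"malformed KEY=VALUE in: {line!r}")
            attrs[key.upper()] = value
        rules.append(Rule(action, attrs))
    return rules


def _matches(pattern: str, value: str) -> bool:
    """'*' matches anything; otherwise a shell-style, case-insensitive match."""
    return pattern == "*" or fnmatchcase(value.lower(), pattern.lower())


def evaluate(rules: List[Rule], request: Dict[str, str]) -> str:
    """First-match evaluation of a connection request; returns 'P' or 'D'.

    `request` uses the file's own keys (TP, HOST, USER-HOST, ...). A key
    missing from the request matches only a '*' pattern. This example
    denies when no rule matches (assumption, not a statement about SAP).
    """
    for rule in rules:
        if all(_matches(v, request.get(k, "")) for k, v in rule.attrs.items()):
            return rule.action
    return "D"


def find_permissive_rules(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Flag permit rules that place no restriction on the connecting host."""
    findings: List[Tuple[int, str]] = []
    for i, rule in enumerate(rules):
        if rule.action != "P":
            continue
        host_keys = [k for k in ("HOST", "USER-HOST") if k in rule.attrs]
        # No host attribute at all, or only '*' host attributes, means any
        # machine that can reach the gateway port gets through this rule.
        if all(rule.attrs[k] == "*" for k in host_keys):
            tp = rule.attrs.get("TP", "*")
            what = "any program" if tp == "*" else f"program {tp}"
            findings.append((i, f"rule {i}: permits {what} from any host"))
    return findings


def audit(text: str, program: str = "sapxpg") -> Dict[str, object]:
    """Summarise one secinfo: permissive rules, and whether an unknown
    external host or an internal host could start `program` (SAPXPG here)."""
    rules = parse_acl(text)
    external = {"TP": program, "USER": "anyuser",
                "HOST": "unknown-host", "USER-HOST": "unknown-host"}
    internal = {"TP": program, "USER": "sapadm",
                "HOST": "internal", "USER-HOST": "internal"}
    return {
        "permissive_rules": find_permissive_rules(rules),
        "external_can_start": evaluate(rules, external) == "P",
        "internal_can_start": evaluate(rules, internal) == "P",
    }


if __name__ == "__main__":
    for name, content in (("weak", WEAK_SECINFO), ("hardened", HARDENED_SECINFO)):
        print(name, audit(content))
```

Run against the weak file, `audit` reports one permissive rule and that an unknown host may start SAPXPG; against the hardened file it reports no permissive rules, denies the unknown host, and still permits the system's own hosts. Collecting the two files from every instance in the landscape and feeding them through such a check is the centralized verification the paragraph above asks for.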
We will describe some of the other underestimated vulnerabilities in the following articles of this series.
Validating the correct maintenance of the SAP Gateway files is only one test case out of about 500 security and quality checks. The test cases of SystemProfiler go far beyond the scenario described above. SystemProfiler also covers the most common security recommendations and standards of various organizations, such as the DSAG or SAP, and there is more: the experience of Virtual Forge from over 15 years in SAP security is integrated into the comprehensive test catalog of SystemProfiler.
The SAP Gateway exploit is only one, albeit a particularly dangerous, vulnerability.
The opportunities to enter an SAP system are manifold. And shockingly, neither do attackers require specialized know-how, nor are these vulnerabilities always closed.