Unauthenticated Access to SAP SolMan? root them All!
Often Fortune 1000 companies consist of a plethora of software, hardware, vendors, and solutions all operating to keep the business running and alive. With all this complexity, there is often a single vendor that’s common amongst them all: SAP.
SAP’s software relationship with the enterprise is well established, often responsible for processing billions of dollars, but with such a vital role in business, what would the impact be if serious flaws were exploited?
At the heart of every SAP deployment there is always one core mandatory product that’s connected to many other systems: The SAP Solution Manager (SolMan). Think of this as what Active Directory is for Windows networks.
Given the criticality of this component, the Onapsis Research Labs conducted a thorough security assessment of SolMan to understand the threat model, how attackers could compromise it and how customers should protect themselves. The results were overwhelming. From unauthenticated HTTP access, an attacker would be able to compromise all systems in the SAP landscape. Furthermore, chaining a series of vulnerabilities, it would be possible to get reliable root access not only in the attacked core system, but also in all satellites connected to it.
The aim of this presentation is to show the journey we took while researching SolMan, a journey that included binary and Java application analysis, understanding how SolMan worked as well as how we identified exploitation methods that could be used by rogue parties to attack it. By talking about this journey, we hope attendees can use our experience to tackle similar projects where little, or no, information is available about how complex components work.
Pablo Artuso is a Security Researcher at the Onapsis Research Labs. He is most of the time involved in projects of vulnerability research and penetration testing of SAP products, where he has helped to patch several bugs on its products. He is one of the responsible of delivering and keeping up to date SAP Security Training, and has also presented about SAP Security in other conferences around the world. In his spare time, he enjoys playing CTF's which include web exploitation, reverse engineering and crypto challenges.
Yvan Genuer is a Sr. Security Researcher at Onapsis. He has over 15 years of SAP experience. He has been delivering consultancy services around SAP Security as well as researching for vulnerabilities into SAP products, resulting in SAP AG official acknowledgements he has received, for several vulnerabilities he originally reported. Furthermore, he has also conducted both trainings and talks about this topic in conferences.
Level 0, Red Team Village