The SAP landscape is complex and highly customized, with numerous systems such as SAP HANA, SAP Solman, SAP Cloud Connector, and SAP ME. Many companies also use cloud solutions provided by SAP, such as Cloud SAP HANA and SAP BTP, which can exchange data with on-premise systems. A vulnerability or misconfiguration in any one of these systems can potentially lead to a compromise of the entire landscape.
In this research, we will discuss the various combinations of security issues and misconfigurations that we discovered last year, which can be exploited by remote attackers or insider users to fully compromise the SAP landscape, both on-premises and in the cloud. We will examine how vulnerabilities and misconfigurations in areas such as password storage and access controls can be exploited to gain unauthorized access to systems and sensitive data. By understanding these vulnerabilities and misconfigurations, companies can take action to improve their security and protect against successful attacks on their SAP landscape.
During this research, we will examine several security issues that can potentially be exploited to compromise the SAP landscape. These issues include:
Attack Vector #1
The following combination of vulnerabilities and misconfigurations was discovered during a security assessment at a real company. CVE-2022-39802 is a directory traversal vulnerability that allows an attacker to read any file on the system. By exploiting it, an attacker can read the SAP secure storage and decrypt it to obtain the SAP admin username and password, which can then be used to deploy a malicious application containing a web shell, allowing the attacker to execute commands on the system.
Using the SAP HostControl vulnerability (CVE-2023-0012), it is possible to gain SYSTEM user permissions. To access other SAP systems in the landscape, it may be necessary to bypass Microsoft Defender AV. The method for bypassing this antivirus will be demonstrated during the presentation.
Once access has been gained to the SAP CC server via SSH, it is possible to dump the LSASS process and extract credentials. The SAP CC has an SSFS (Secure Storage File System) that contains sensitive information, such as the
All of them are stored in encrypted form. By analyzing the libraries in depth, it is possible to find a shared library with an exported function that can be called to obtain this sensitive information in decrypted form.
With this information, it is possible to create an admin user in the SAP cloud using the SCIM Service user, giving access to the SAP Cloud landscape.
Attack Vector #2
There are numerous roles in SAP ABAP, and best practice recommendations for segregation of duties (SOD) suggest that users on production servers should not have roles such as S_DEVELOP and S_TRANSPRT. But, having a decade of experience in SAP audit, we can surely state that almost every company has a user with S_DEVELOP and S_TRANSPRT roles. In some cases, SAP administrators may restrict these roles in order to prevent the execution of critical transactions.
However, users with the S_DEVELOP and S_TRANSPRT roles can bypass these limitations and execute critical transactions with the highest-privilege SAP_ALL role. This scenario will be demonstrated during the presentation, highlighting the importance of properly configuring SAP roles and enforcing SOD to prevent unauthorized access to critical transactions.
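A defender-side check for the SOD problem described above, written as an added example for this page (not part of the talk or of any SAP tooling): it scans an authorization export and flags production users who hold both S_DEVELOP and S_TRANSPRT, or the SAP_ALL profile. The export format, system IDs and user names are constructed for the example; a real check would read AGR_USERS/UST12 data or use a GRC tool.

```python
# Added example: minimal segregation-of-duties check for SAP authorizations.
# Input rows are constructed here; in practice they come from an authorization export.
from collections import defaultdict

# Constructed sample export: (system, client, user, authorization object or profile)
SAMPLE_ASSIGNMENTS = [
    ("PRD", "100", "DEVUSER1", "S_DEVELOP"),
    ("PRD", "100", "DEVUSER1", "S_TRANSPRT"),
    ("PRD", "100", "BASISADM", "SAP_ALL"),
    ("PRD", "100", "ENDUSER7", "S_TCODE"),
    ("DEV", "200", "DEVUSER2", "S_DEVELOP"),   # development system: not a finding
    ("DEV", "200", "DEVUSER2", "S_TRANSPRT"),
]

PRODUCTION_SYSTEMS = {"PRD"}                  # assumed: which SIDs are production
CONFLICT_SET = {"S_DEVELOP", "S_TRANSPRT"}    # the pair the talk warns about
CRITICAL_PROFILES = {"SAP_ALL"}               # full-privilege profile


def find_sod_violations(assignments, production_systems=PRODUCTION_SYSTEMS):
    """Return sorted (system, client, user, reason) tuples for production users
    holding the conflicting pair or a critical profile."""
    held = defaultdict(set)
    for system, client, user, obj in assignments:
        if system in production_systems:
            held[(system, client, user)].add(obj)
    findings = []
    for key, objs in held.items():
        # Both halves of the conflicting pair on one production user
        if CONFLICT_SET <= objs:
            findings.append(key + ("S_DEVELOP+S_TRANSPRT",))
        # Any critical profile on a production user is reported on its own
        for profile in sorted(objs & CRITICAL_PROFILES):
            findings.append(key + (profile,))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_sod_violations(SAMPLE_ASSIGNMENTS):
        print("SOD violation: system=%s client=%s user=%s reason=%s" % finding)
```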