Dear readers!
In upcoming posts about SAP Portal Security I am planning to cover common mistakes done by IT departments during exposure of SAP Portals to the world wide web. We will start with the most basic ones, and dive in to the more complicated ones, but I will try to keep it as simple as it gets.
I suggest reviewing my previous post about exposing SAP NetWeaver to the world, if you are not yet exposing your SAP Portals to the internet.
In upcoming posts about SAP Portal Security I am planning to cover common mistakes done by IT departments during exposure of SAP Portals to the world wide web. We will start with the most basic ones, and dive in to the more complicated ones, but I will try to keep it as simple as it gets.
I suggest reviewing my previous post about exposing SAP NetWeaver to the world, if you are not yet exposing your SAP Portals to the internet.
Intro
SAP portal is used in many companies as a central access point to other SAP and non-SAP applications. There are plenty of reasons to do that, such Single Sign On (SSO), ease of access, user-friendly interface and many others. SAP portals, exposed to the internet, become an attractive target for hackers and enthusiasts like myself. Potential information stored in this SAP module can be used for business intelligence by competitors, which can steal information or affect the company's image by sabotaging the system.
Architecture
Let's take a look at SAP Portal architecture. It is important to know the elements of our system, how they interact, and how they can be hacked with a bit of knowledge. Here is a basic schema from SAP documentation:
The platform behind our SAP Portal is J2EE, which operates java applications, iViews, web services, servlets, and supports many standard protocols, such as WebDAV and others. From the scheme above you can see that SAP Portal is connected to back end modules, such as ERP, CRM, BW, LDAP and SQL server. The system can be installed on Microsoft / UNIX operating systems and have different SQL servers connected through JDBC, and it is important for our future sessions.
Finding exposed SAP portals
There is a mistaken opinion that SAP portals are rarely exposed to the World Wide Web, and they are heavily secured. You can search for the following expression to see how many there are:
Lesson 1: Knowledge Management
I would like to start our vulnerabilities discovery with the most basic portal module - Knowledge Management (KM). This module is not actively changed by SAP for many years now, and it delivers many low-level protocols and features that are rarely secured. It can become a critical access point to the system, providing access to file repositories and system storage.
Here is a basic architecture overview of portal KM from SAP documentation:
As you can see from the overview, there is WebDAV through HTTP/S. Developers or hackers with a bit on scripting can perform Denial Of Service (DOS) attacks and overload the system storage, or steal information by accessing the module even with Guest authorization.
Let's give it a try. You will be surprised how many companies are not blocking access to their KM module, thus exposing their repositories to the internet without even knowing it. Try adding /irj/go/km/docs to the portal URL you have found before, and you will be able to navigate to the KM module. Here is a live example I found:
Some companies might be holding sensitive information on their KM repositories, without really managing authorizations and access points. This mistake is very common, and I believe it is the most amateur one.
But hey, we have another great feature that is not managed properly, it's called WebDAV protocol. It's widely-used protocol for reading / writing documents on web servers, and it appears to be wrongly treated in many organizations.
For example, you can connect many web-facing KM repositories as network drives on your PCs, simple as that:
After doing that, injecting files to remote servers becomes a copy-paste task. What's even worse - in many cases you can delete content through WebDAV, which can sabotage the company.
Tips to keep it secure
1. Use SAP WebDispatcher (or other reverse proxy) to control accessible URLs by URL filtering
2. Do not connect your server file system as KM repository
3. Maintain KM permissions properly
4. Restrict WebDAV access to sensitive folders
Next time we will dive deeper, exploring servlets and security mechanisms in SAP portal, which allow creating users, assigning them to Administrators group, and performing OS-level commands.
Stay tuned! :-)