![Page 1: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/1.jpg)
Invest in security to secure investments
Attacks on SAP Mobile
Vahagn Vardanyan. ERPScan
![Page 2: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/2.jpg)
Vahagn Vardanyan
SAP and Web application researcher
Specialist degree in information security
2
@vah_13
![Page 3: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/3.jpg)
About ERPScan
• The only 360-degree SAP security solution: ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team: 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
3
![Page 4: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/4.jpg)
Agenda
4
• About SAP Mobile Platform
  – SAP Control Center
  – SAP SQL Anywhere services
  – SAP Mobile Server
• SAP Mobile Platform vulnerabilities
  – Decrypt GIOP protocol
  – XXE in SAP Control Center
  – CSRF in SMP 3.0
  – Cassini 1.0
  – SQL Anywhere BoF
  – SAP EMR Unwired SQL injection
• Conclusion
![Page 5: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/5.jpg)
SAP Mobile Platform
5
![Page 6: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/6.jpg)
SMP architecture
6
![Page 7: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/7.jpg)
SMP protocols
| Protocol        | SUP 2.1.3 | SUP 2.2 | SMP 2.3 | SMP 3.0 |
|-----------------|-----------|---------|---------|---------|
| SMP Messaging   | x         | x       | x       | x       |
| SMP Replication | x         | x       | x       | x       |
| HTTP REST API   |           | x       | x       | x       |
| SAP Agentry     |           |         | x       | x       |
8
![Page 8: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/8.jpg)
SMP services
SAP Control Center
SAP SQL Anywhere services
SAP Mobile Server
9
![Page 9: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/9.jpg)
SAP Control Center
• Working process: sccservice.exe
• Open ports:
  – 2100 (Messaging service)
  – 8282/8283 (SCC)
  – 9999 (RMI)
10
![Page 10: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/10.jpg)
SMP services
SAP Control Center
SAP SQL Anywhere services
SAP Mobile Server
11
![Page 11: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/11.jpg)
SQL Anywhere
• Version 3: 1992
• …
• Version 10: 2006 - renamed SQL Anywhere (high availability, intra-query parallelism, materialized views)
• Version 11: 2008 (full text search, BlackBerry support)
• Version 12: 2010 (support for spatial data)
• Version 16: April 18, 2013 - (faster synchronization and improved security)
12
![Page 12: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/12.jpg)
SQL Anywhere
13
![Page 13: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/13.jpg)
SMP services
SAP Control Center
SAP SQL Anywhere services
SAP Mobile Server
14
![Page 14: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/14.jpg)
SAP Mobile Server
• MobiLink
• AdminWebServices
• MlsrvWrapper
• InfoboxMultiplexer
• OBMO
• JMSBridge
15
![Page 15: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/15.jpg)
SAP Mobile Server (MobiLink)
16
![Page 16: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/16.jpg)
AdminWebServices
• Uses Cassini Web Server 1.0
• Listens to the local port 5100
17
![Page 17: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/17.jpg)
SAP Mobile Platform vulnerabilities
18
![Page 18: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/18.jpg)
Decrypting the SAP Mobile Platform GIOP protocol
19
![Page 19: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/19.jpg)
Decrypting the SAP Mobile Platform GIOP protocol
• GIOP (General Inter-ORB Protocol) is the abstract protocol by which object request brokers (ORBs) communicate
• Served by mlsrv16.exe (MobiLink) on port 2000
20
![Page 20: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/20.jpg)
XXE in the SAP Mobile Platform portal page
CVE-2015-2813
21
![Page 21: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/21.jpg)
XXE in the SAP Mobile Platform portal page…
22
![Page 22: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/22.jpg)
XXE in the SAP Mobile Platform portal page…
• Portal URL: https://IP_ADDR:8283/scc
• web.xml & services-config.xml
C:\SAP\SCC-3_2\services\EmbeddedWebContainer\container\Jetty-7.6.2.v20120308\work\jetty-0.0.0.0-8282-scc.war-_scc-any-\webapp\WEB-INF\web.xml
```xml
<servlet-mapping>
  <servlet-name>MessageBrokerServlet</servlet-name>
  <url-pattern>/messagebroker/*</url-pattern>
</servlet-mapping>
```
23
![Page 23: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/23.jpg)
…XXE…
C:\SAP\SCC-3_2\services\EmbeddedWebContainer\container\Jetty-7.6.2.v20120308\work\jetty-0.0.0.0-8282-scc.war-_scc-any-\webapp\WEB-INF\flex\services-config.xml
```xml
<channel-definition id="scc-http"
    class="mx.messaging.channels.HTTPChannel">
  <endpoint
      url="http://{server.name}:{server.port}/scc/messagebroker/http"
      class="flex.messaging.endpoints.HTTPEndpoint" />
</channel-definition>
```
1. /scc/messagebroker/amfpolling
2. /scc/messagebroker/amfsecurepolling
3. /scc/messagebroker/http
4. /scc/messagebroker/httpsecure
5. /scc/messagebroker/amflongpolling
24
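The message broker endpoints listed above accept XML request bodies (the HTTPChannel carries AMFX), which is the surface the XXE lands on. As an added example, not code from this deck or from SAP, the class below shows how a Java service should configure its DOM parser for such bodies so that any DOCTYPE is refused before an entity can be resolved; the class name, the AMFX sample strings and the use of the JDK's built-in Xerces features are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Hardened parser for untrusted XML bodies (e.g. AMFX posted to an HTTP message-broker endpoint). */
public final class SafeXmlParser {

    /** DocumentBuilderFactory with DTD processing and external entity resolution switched off. */
    public static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE: without a DTD no entity (internal or external) can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DTD ever has to be allowed for some document type.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses untrusted XML; a SAXParseException is thrown on a DOCTYPE before any entity is resolved. */
    public static Document parseUntrusted(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed AMFX-style body without a DTD: parses normally.
        String clean = "<amfx ver=\"3\"><body><object><string>hello</string></object></body></amfx>";
        System.out.println("clean root: " + parseUntrusted(clean).getDocumentElement().getTagName());

        // Constructed body that declares an entity in a DOCTYPE: the hardened parser rejects it.
        String withDtd = "<!DOCTYPE amfx [<!ENTITY e \"x\">]><amfx ver=\"3\"><body>&e;</body></amfx>";
        try {
            parseUntrusted(withDtd);
            System.out.println("UNEXPECTED: DOCTYPE accepted");
        } catch (SAXParseException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```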
![Page 24: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/24.jpg)
…XXE
25
![Page 25: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/25.jpg)
Read file with XXE
C:\SAP\MobilePlatform\Servers\UnwiredServer\Repository\Instance\com\sybase\sup\server\SUPServer\sup.properties
sup.imo.upa = 457ba103a46559486a81350d552a9e47fb085927eb6df0ccc79231bc3d
26
![Page 26: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/26.jpg)
Decrypt sup.imo.upa
27
![Page 27: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/27.jpg)
SAP Mobile Platform unauthenticated access to other servlets
• Architecture and program vulnerabilities in SAP’s J2EE engine (BlackHat USA 2011)
• web.xml files revealed hidden methods to:
  – Read and generate logs
28
![Page 28: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/28.jpg)
Prevention
Install SAP security note 2125358 (SAP Mobile Platform XXE vulnerability)
29
![Page 29: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/29.jpg)
CSRF in SMP 3.0
30
![Page 30: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/30.jpg)
CSRF in SMP 3.0
31
![Page 31: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/31.jpg)
CSRF in SMP 3.0
32
![Page 32: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/32.jpg)
CSRF in SMP 3.0
33
• addAdministrator
• addRepository
• removeServerLogs
• createApplication
• createBackendConnection
![Page 33: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/33.jpg)
Prevention
Install SAP security note 2114316 (SAP Mobile Platform CSRF vulnerability)
34
![Page 34: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/34.jpg)
Cassini 1.0
35
![Page 35: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/35.jpg)
AdminWebService
```http
POST /MobileOffice/Admin.asmx/AddAdminUser HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: length

strUserName=Admin2&strActivationCode=123QWEasd&iExpirationHours=100
```
36
![Page 36: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/36.jpg)
AdminWebService
37
![Page 37: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/37.jpg)
SAP SQL Anywhere Buffer Overflow/Code Execution
CVE-2015-2819
38
![Page 38: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/38.jpg)
SAP SQL Anywhere BoF/Code Execution
• CVE-2008-0912 – The MobiLink server is affected by a heap overflow that occurs during the handling of strings such as username, version, and remote ID (all pre-auth) that are longer than 128 bytes
• CVE-2014-9264 – Stack-based buffer overflow in the .NET Data Provider in SAP SQL Anywhere allows remote attackers to execute arbitrary code via a crafted column alias
39
![Page 39: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/39.jpg)
First PSH request
40
![Page 40: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/40.jpg)
First PSH request
41
![Page 41: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/41.jpg)
SQL Anywhere BoF
42
![Page 42: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/42.jpg)
Prevention
Install SAP security note 2108161 Denial of service in SAP SQL Anywhere
43
![Page 43: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/43.jpg)
SAP EMR Unwired SQL injection
CVE-2013-7096
44
![Page 44: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/44.jpg)
SAP EMR Unwired SQL injection
• CVE-2013-7096 (CVSS 7.5)
• AndroidManifest.xml:
```xml
<provider android:name=".providers.ModiDataDbProvider"
          android:authorities="com.sap.mobi.docsprovider" />
```
1. content://com.sap.mobi.docsprovider/documents/offline_cat
2. content://com.sap.mobi.docsprovider/documents/offline/
3. content://com.sap.mobi.docsprovider/documents/sample
4. content://com.sap.mobi.docsprovider/documents/online
5. content://com.sap.mobi.docsprovider/documents/offline_auth
6. content://com.sap.mobi.docsprovider/documents/offline
7. content://com.sap.mobi.docsprovider/documents/online_auth
8. content://com.sap.mobi.docsprovider/documents/sample/
9. content://com.sap.mobi.docsprovider/documents/online_cat
45
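A content provider declared as above with no permission is reachable by every app on the device, and a provider that builds SQL by concatenating the caller's selection string is injectable from any of them. The following is an added illustration, not SAP's code and not a reconstruction of the actual CVE-2013-7096 bug: a provider for the authority on the slide written the defensive way (not exported, UriMatcher allow-list for the document paths, SQLiteQueryBuilder in strict mode with bound selectionArgs). HardenedDocsProvider, DocsDbHelper, the column names and the "documents" table are assumptions.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.UriMatcher;
import android.database.Cursor;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import java.util.HashMap;
import java.util.Map;
// Manifest entry assumed for this class: android:exported="false" next to the authority,
// so other apps cannot reach the provider at all.
public class HardenedDocsProvider extends ContentProvider {
    private static final String AUTHORITY = "com.sap.mobi.docsprovider";
    private static final int OFFLINE = 1, ONLINE = 2;
    private static final UriMatcher MATCHER = new UriMatcher(UriMatcher.NO_MATCH);
    private static final Map<String, String> COLUMNS = new HashMap<>(); // column allow-list
    static {
        MATCHER.addURI(AUTHORITY, "documents/offline", OFFLINE);
        MATCHER.addURI(AUTHORITY, "documents/online", ONLINE);
        for (String c : new String[] {"_id", "title", "category", "modified"}) COLUMNS.put(c, c);
    }
    private SQLiteOpenHelper helper; // DocsDbHelper is assumed; it owns the "documents" table

    @Override public boolean onCreate() { helper = new DocsDbHelper(getContext()); return true; }

    // Injectable pattern this replaces: db.rawQuery("SELECT * FROM documents WHERE " + selection, null)
    // lets whatever the caller puts in `selection` become part of the statement.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("documents");
        qb.setProjectionMap(COLUMNS);     // projection names not in the map are dropped
        qb.setStrict(true); // compiles the selection in isolation so it cannot escape its WHERE clause
        switch (MATCHER.match(uri)) {
            case OFFLINE: qb.appendWhere("category = 'offline'"); break;
            case ONLINE:  qb.appendWhere("category = 'online'"); break;
            default: throw new IllegalArgumentException("Unknown URI " + uri);
        }
        // Caller values travel as bound parameters in selectionArgs, never inside the SQL string.
        return qb.query(helper.getReadableDatabase(), projection, selection,
                        selectionArgs, null, null, sortOrder);
    }

    // Read-only provider: every write path is refused.
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.sap.document"; }
    @Override public Uri insert(Uri uri, ContentValues v) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String s, String[] a) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues v, String s, String[] a) { throw new UnsupportedOperationException(); }
}
```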
![Page 45: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/45.jpg)
Prevention
Install SAP security note 1864518 Security Improvements for MOB-APP-EMR-AND
46
![Page 46: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/46.jpg)
Conclusion
47
SAP Guides
Regular security assessments
Monitoring technical security
Segregation of Duties
Security events monitoring
![Page 47: Attacks on SAP Mobile](https://reader034.vdocuments.us/reader034/viewer/2022042818/55b35bbebb61ebfe438b4778/html5/thumbnails/47.jpg)
Each SAP landscape is unique and we pay close attention to the requirements of our customers and prospects. ERPScan development team constantly addresses these specific needs and is actively involved in product advancement. If you wish to know whether our scanner addresses a particular aspect, or simply have a feature wish list, please e-mail us. We will be glad to consider your suggestions for the future releases or monthly updates.
48
About
USA HQ: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301
EU HQ: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam
www.erpscan.com