ONAPSIS-SAP Security in-Depth Vol 04


Abstract

SAP Application Servers Java, supported by the J2EE Engine, serve as the base framework for running critical solutions such as the SAP Enterprise Portal, SAP Exchange Infrastructure (XI), SAP Process Integration (PI) and SAP Mobile Infrastructure (MI). Furthermore, customers can also deploy their own custom Java applications on these platforms.

In December 2010, SAP released an important white-paper describing how to protect these applications against common attacks. Among the security concepts detailed, one was particularly critical: the Invoker Servlet. This functionality introduces several threats to SAP platforms, including the possibility of completely bypassing the authentication and authorization mechanisms.

This publication analyzes the Invoker Servlet Detour attack, identifying the root cause of this threat, how to verify whether your platform is exposed and how to mitigate it, effectively protecting your business-critical information against cyber attacks.

© 2011 Onapsis SRL. All Rights Reserved.

SAP® Security In-Depth
The Invoker Servlet: A Dangerous Detour into SAP Java solutions

by Mariano Nuñez Di Croce & Jordan Santarsieri

Vol. 4 / July 2011


© Copyright Onapsis SRL 2011 - All rights reserved.

No portion of this document may be reproduced in whole or in part without the prior written permission of Onapsis SRL.

Onapsis offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Onapsis makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards.

This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.

SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.


What is the SAP Security In-Depth Publication?

To this day, most of the professional community still regards SAP security as a synonym for Segregation of Duties (SoD) or the security of roles and profiles. While this kind of security is mandatory and of absolute importance, there are many threats that have so far been overlooked by the auditing and information security industries and that entail much higher levels of business risk.

The technological components of these business-critical solutions introduce many specific security aspects that, if not implemented appropriately, can expose the confidentiality, integrity and/or availability of the critical business information processed by these systems to attack. In business terms, failing to protect these components leaves the business information at risk of espionage, fraud and sabotage. SAP Security In-Depth is a publication led by the Onapsis Research Labs with the purpose of providing specialized information about the current and future risks in this area, allowing all the different actors (financial managers, information security managers, SAP administrators, auditors, consultants and the general professional community) to better understand the risks involved and the techniques and tools available to assess and mitigate them.


TABLE OF CONTENTS

What is the SAP Security In-Depth Publication?

Executive Summary

1. Introduction

2. SAP Java Applications basics

3. Introduction to the Invoker Servlet

4. SAP Invoker Servlet Detour Attacks

5. What could be the real-world impact?

6. Countermeasures

7. Conclusions


SAP Security In-Depth - Vol. 4: The Invoker Servlet: A Dangerous Detour into SAP Java solutions

EXECUTIVE SUMMARY

While the SAP Security In-Depth publication delves into highly technical security aspects of these platforms, we consider it important to provide management-level officers with an executive summary, in non-technical language, of the most outstanding concepts and risks presented in this volume.

Key concepts analyzed in this edition:

• Several critical standard SAP and custom applications are supported by Java Application Servers.

• In December 2010, SAP released a new white-paper [1] describing how to protect these platforms against attacks.

• One of the presented security measures relates to a critical security vulnerability whose exploitation (code-named the Invoker Servlet Detour attack) can result in severe attacks on the business.

• This edition analyzes the root cause of this vulnerability and how to identify and mitigate it.

Key findings and risks:

• Invoker Servlet Detour attacks may allow remote, malicious hackers to bypass authentication mechanisms and perform unauthorized business activities on the vulnerable SAP systems.

• The root cause and impact of the Invoker Servlet vulnerability were not clear to many customers, who needed a more in-depth analysis to better understand and manage the existing risks.

• Customers have traditionally focused on securing ABAP-based SAP systems. The security of SAP Java platforms is equally important and must be enforced just as tightly. The white-paper released by SAP in December 2010 is a must-read for any SAP security professional.

[1] http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000733716&_SCENARIO=01100035870000000202&


1. INTRODUCTION

In December 2010, SAP released a white-paper titled SAP Security Recommendations: Protecting Java- and ABAP-based SAP Applications against common attacks. This highly important document describes a set of “measures SAP strongly recommends that its customers apply to enhance the level of security with respect to certain common attack types”.

Unlike the previous issue, released in September 2010 [2], which only outlined security recommendations for ABAP-based SAP systems [3], this document also covers the protection of the other fundamental pillar of SAP platforms: Java-based solutions.

Over the last decade, SAP has adopted and extended the J2EE standard for supporting its business applications. Nowadays, several widely-used SAP solutions require the deployment of SAP Application Servers Java, whose core engine is known as the SAP J2EE Engine. Some examples include SAP Enterprise Portal (EP), SAP Exchange Infrastructure (XI), SAP Process Integration (PI) and SAP Mobile Infrastructure (MI).

These solutions serve different needs, such as working as front-ends to the back-end SAP ABAP systems and/or handling critical functionality such as interfaces with banking, tax, logistics, sales or payment-related external systems.

Apart from the sensitive out-of-the-box functionality provided by these solutions, customers and third-parties also develop and run their own J2EE applications on top of these platforms.

As a leading collaborator in discovering and solving vulnerabilities in SAP systems, Onapsis has followed up on the release of this white-paper over the past months, helping several customers comply with the required measures in order to keep their systems protected against the latest threats.

Among these requirements, there was a particular one that many customers and security professionals were failing to properly understand: the vulnerability related to the Invoker Servlet.

The present publication has the goal of providing an in-depth analysis of this security threat, enabling the proper understanding of how to detect, assess and mitigate Invoker Servlet Detour attacks to better protect customers' SAP platforms against real-world threats.

[2] https://websmp203.sap-ag.de/~sapdownload/011000358700000968282010E/SAP-Sec-Rec.pdf

[3] Onapsis X1 is the first solution to automatically check compliance with these guidelines. For more information see http://www.onapsis.com/x1


2. SAP JAVA APPLICATIONS BASICS

In order to understand the vulnerability exploited by the Invoker Servlet Detour attack, it is first necessary to become familiar with certain aspects of the configuration of SAP Java applications.

Just like standard J2EE applications, SAP Java applications are configured through a web.xml file. This file declares, among other things, the servlets used by the application, how they are mapped for user access and the security constraints around them.

As an example, the following excerpt of a web.xml file specifies part of the configuration of an application which serves some public content freely but restricts certain private functionality to a group of Administrators:

...
<servlet>
    <servlet-name>privateServlet1</servlet-name>
    <servlet-class>com.company.privateServlet1Interface</servlet-class>
</servlet>

<servlet>
    <servlet-name>publicServlet2</servlet-name>
    <servlet-class>com.company.publicServlet2Interface</servlet-class>
</servlet>
...
<servlet-mapping>
    <servlet-name>privateServlet1</servlet-name>
    <url-pattern>/private</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>publicServlet2</servlet-name>
    <url-pattern>/public</url-pattern>
</servlet-mapping>

<security-constraint>
    <display-name>rd</display-name>
    <web-resource-collection>
        <web-resource-name>rd</web-resource-name>
        <url-pattern>/private/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
        <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>Administrators</description>
        <role-name>administer</role-name>
    </auth-constraint>
</security-constraint>
...

Table 1: Sample Java application


As shown in the file, there is a servlet called privateServlet1. It has its own class (servlet-class element) and is mapped to a specific URL (url-pattern element). The security-constraint section defines the URL pattern (url-pattern element) on which the authorization check is performed.

In this scenario, the SAP Application Server Java demands that any client trying to reach the /private mapping hold the administer role (mapped internally to a real SAP role); otherwise, access is denied.

Therefore, if an anonymous attacker tries to access the application through the defined URL mapping (http://sap-server/appname/private), he will be prompted for authentication credentials:

Picture 1: Security constraint working properly


3. INTRODUCTION TO THE INVOKER SERVLET

The SAP J2EE Engine has a wide set of built-in functionality, providing a comprehensive framework of libraries and services to support the development and deployment of Java applications. One of these is the Invoker Servlet, a convenience feature that dates back to the early J2EE web containers (Apache Tomcat is the best-known implementation) and that the SAP J2EE Engine implements as well.

This servlet is implemented in the InvokerServlet class, which is part of the SAP J2EE Engine's Web container. It was conceived as a rapid-development aid, allowing developers to test their custom servlets without having to declare them in the web.xml file.

Therefore, through the Invoker Servlet a servlet can be called either by its name (as declared in web.xml) or by its fully qualified class name (no web.xml declaration needed), using URLs of the form /appname/servlet/<servlet-name> or /appname/servlet/<fully.qualified.ClassName>.

The security implications of this functionality in SAP systems are explained in the following section.


4. SAP INVOKER SERVLET DETOUR ATTACKS

The Invoker Servlet functionality introduces several security threats to the SAP Java applications, which are described below.

4.1. Execution of Arbitrary Servlets

An attacker could call arbitrary servlets, even if they are not declared in the application's web.xml file. This includes any servlet class available to the application classloader, such as the classes located in the WEB-INF/classes, WEB-INF/lib and WEB-INF/additional-lib application directories.

Many of the servlets shipped in a Java application were not designed for direct client access but for internal interaction within the application. Therefore, the possibility of calling them arbitrarily can result in unforeseen actions on the SAP server.

4.2. Exploitation of Non-initialized Servlet Parameters

For each servlet, web.xml can also define initialization parameters (init-param) that the SAP J2EE Engine Web container applies when the servlet is loaded. The problem is that this automatic initialization only takes place if the servlet is called through its defined URL mapping or by its name (servlet-name element). If the servlet is called through its fully-qualified class name instead, it is instantiated without those parameters being set. This can lead to unforeseen security impacts.

To illustrate this point, consider the following sample servlet, which handles payments for an external banking interface. To speed up testing, the servlet's developer included a special parameter that skips validation of the source account identity during internal QA. Of course, when the application is deployed to production, the parameter is initialized properly:

<servlet>
    <servlet-name>DoPaymentServlet</servlet-name>
    <servlet-class>com.company.DoPaymentServlet</servlet-class>
    <init-param>
        <param-name>validate_source_account</param-name>
        <param-value>True</param-value>
    </init-param>
</servlet>

Table 2: Servlet with initialization parameters


If an attacker performs an Invoker Servlet Detour attack against this application by requesting the /appname/servlet/com.company.DoPaymentServlet URL, the validate_source_account parameter will not be initialized to True. Depending on how the application's code handles the missing value for this parameter, the attacker might be able to abuse this situation and perform fraudulent payments. getInitParameter() returns null for a parameter that was never set, so code that only enforces the validation when the value equals "True" silently disables it.

4.3. Authentication Bypass in SAP Java Applications

While the previously described threats must not be underestimated, the Invoker Servlet vulnerability introduces an even greater security threat to SAP platforms.

According to the security-constraint configured in the sample application presented in Table 1, an authentication and authorization check is performed when a client wants to access anything matching the /private/* virtual mapping.

Through an Invoker Servlet Detour attack, however, an attacker would access the servlet via its fully-qualified class name, using the following URL:

http://sap-server/appname/servlet/com.company.privateServlet1Interface

The problem is that, as defined in the web.xml file, the security constraint applies only to requests matching /private/*. Since no constraint covers URLs under /servlet/ (and assuming privateServlet1 performs no programmatic authorization check of its own), the attacker can execute the privateServlet1 servlet, effectively bypassing the SAP Java authentication and authorization mechanism. The detour by servlet name (/appname/servlet/privateServlet1) is equally uncovered by the constraint.

Picture 2: Authentication Bypass through an Invoker Servlet Detour attack
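The following Python script is an added example, not part of the Onapsis paper or of any SAP tool. It performs the web.xml reasoning of sections 2, 4.2 and 4.3 mechanically: it parses a deployment descriptor, derives the two invoker URLs for every servlet (/servlet/<servlet-name> and /servlet/<fully qualified class>), and reports every servlet whose regular mapping is guarded by a security-constraint with an auth-constraint while its detour URLs match no constraint pattern, together with the init-params that would be missing when the servlet is reached by class name. The embedded web.xml is constructed to mirror Tables 1 and 2; the /pay mapping and its constraint, and the assumption that the invoker answers under /servlet/, are additions for illustration.

```python
# Added example (not from the Onapsis paper or SAP): static check of a web.xml
# for Invoker Servlet detour exposure. Assumes the invoker is enabled and
# reachable under /<app>/servlet/<servlet-name> and /<app>/servlet/<class>.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample mirroring Table 1 and Table 2 of the paper; the /pay mapping
# and its constraint are assumptions added to exercise the init-param case.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet>
    <servlet-name>privateServlet1</servlet-name>
    <servlet-class>com.company.privateServlet1Interface</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>publicServlet2</servlet-name>
    <servlet-class>com.company.publicServlet2Interface</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>DoPaymentServlet</servlet-name>
    <servlet-class>com.company.DoPaymentServlet</servlet-class>
    <init-param>
      <param-name>validate_source_account</param-name>
      <param-value>True</param-value>
    </init-param>
  </servlet>
  <servlet-mapping><servlet-name>privateServlet1</servlet-name><url-pattern>/private</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>publicServlet2</servlet-name><url-pattern>/public</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>DoPaymentServlet</servlet-name><url-pattern>/pay</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>rd</web-resource-name>
      <url-pattern>/private/*</url-pattern>
      <url-pattern>/pay</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administer</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


@dataclass
class Servlet:
    name: str
    clazz: str
    mappings: list = field(default_factory=list)
    init_params: dict = field(default_factory=dict)


def pattern_matches(pattern: str, path: str) -> bool:
    """url-pattern matching as the Servlet spec defines it: default, /prefix/*, *.ext, exact."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def parse_web_xml(text: str):
    root = ET.fromstring(text)
    for el in root.iter():                      # drop namespaces so tag lookups are plain
        el.tag = el.tag.rsplit("}", 1)[-1]
    servlets = {}
    for s in root.findall("servlet"):
        name = s.findtext("servlet-name", "").strip()
        params = {p.findtext("param-name", "").strip(): p.findtext("param-value", "").strip()
                  for p in s.findall("init-param")}
        servlets[name] = Servlet(name, s.findtext("servlet-class", "").strip(), [], params)
    for m in root.findall("servlet-mapping"):
        name = m.findtext("servlet-name", "").strip()
        if name in servlets:
            servlets[name].mappings += [u.text.strip() for u in m.findall("url-pattern")]
    # Only constraints that demand a role protect anything. http-method filters and the
    # spec's best-match precedence are ignored here: any matching pattern counts as cover.
    protected = [u.text.strip()
                 for c in root.findall("security-constraint") if c.find("auth-constraint") is not None
                 for wrc in c.findall("web-resource-collection") for u in wrc.findall("url-pattern")]
    return servlets, protected


def is_protected(path: str, protected: list) -> bool:
    return any(pattern_matches(p, path) for p in protected)


def analyze(text: str) -> list:
    """Report detour URLs that reach a role-protected servlet without hitting any constraint."""
    servlets, protected = parse_web_xml(text)
    findings = []
    for s in servlets.values():
        guarded = [m for m in s.mappings if is_protected(m, protected)]
        if not guarded:
            continue                            # public on its own mapping: nothing to bypass
        detours = [f"/servlet/{s.name}"] + ([f"/servlet/{s.clazz}"] if s.clazz else [])
        for d in detours:
            if is_protected(d, protected):
                continue
            by_class = d == f"/servlet/{s.clazz}"
            findings.append({"servlet": s.name, "protected_mapping": guarded, "detour": d,
                             # init-params are applied only when invoked by mapping or name (section 4.2)
                             "lost_init_params": sorted(s.init_params) if by_class else []})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_WEB_XML):
        print(f"{f['servlet']}: {f['protected_mapping']} is guarded, but {f['detour']} is not;"
              f" init-params lost: {f['lost_init_params'] or 'none'}")
```

Run it against a real descriptor by passing the file contents to analyze(). Applied to a descriptor where a constraint also covers /servlet/*, analyze() returns no findings, which confirms the matching logic; the paper's own countermeasure is nevertheless to disable the invoker (section 6), because undeclared servlets (section 4.1) never appear in web.xml and so cannot be found this way.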


5. WHAT COULD BE THE REAL-WORLD IMPACT?

In this document, fictitious Java applications have been used to provide an in-depth understanding of the Invoker Servlet Detour attacks.

However, just as the security constraints in these applications could be bypassed by a malicious attacker, the same could happen to many of the standard SAP applications running in vulnerable SAP Application Servers Java.

This means that, if the systems are not properly protected, malicious attackers could bypass authentication mechanisms in critical components such as SAP Enterprise Portal, XI, PI and MI systems, and possibly carry out espionage, sabotage and fraud attacks against the business-critical information and processes they manage.


6. COUNTERMEASURES

It is strongly recommended to disable the Invoker Servlet to protect your systems against these attacks. In order to do so, the following steps must be followed:

1. Update to the latest patch level for your SAP platform.

2. If you are using SAP NetWeaver Portal, check SAP Note 1467771.

3. Disable the Invoker Servlet functionality by setting the “EnableInvokerServletGlobally” property of the servlet_jsp service to False on all server nodes.

4. If any of your existing applications require the Invoker Servlet feature, check SAP Note 1445998.

After applying the change, confirm on every server node that a request to the detour URL form used in section 4.3 (http://sap-server/appname/servlet/<fully qualified class name>) no longer reaches the servlet.

The SAP Invoker Servlet has been disabled by default in SAP NetWeaver 7.20 (see the SP Patch level section of SAP Note 1445998 for details) and in the initial shipment of SAP NetWeaver 7.30.

For more information, please check the official SAP white-paper.
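Disabling the invoker closes the detour; detecting attempts in the meantime is a separate, useful control. The following Python detection logic is an added example, not from the paper or from SAP. It scans HTTP access-log lines for requests of the shape /<app>/servlet/<target> described in section 4, decoding percent-encoding once so that com%2Ecompany%2EFoo is recognized, and distinguishes by-class targets (dotted) from by-name ones. Assumptions: the log lines are constructed here in Common Log Format with fictitious addresses, the real SAP J2EE HTTP log layout may differ so REQ_RE is meant to be adapted, and the ignore_names allow-list exists because the SAP Enterprise Portal legitimately serves its content under /irj/servlet/prt/..., which a plain "/servlet/" substring match would flag on every page view.

```python
# Added example (not from the Onapsis paper or SAP): flag HTTP access-log
# requests shaped like an Invoker Servlet detour, /<app>/servlet/<target>.
# Common Log Format is assumed; adjust REQ_RE for your server's log layout.
import re
from urllib.parse import unquote

# Constructed log lines with fictitious addresses and timestamps. The last line
# is a legitimate SAP Enterprise Portal URL (the Portal Runtime lives under
# /irj/servlet/prt/...), included to show why a bare "/servlet/" match is too noisy.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2011:10:01:02 +0000] "GET /appname/private HTTP/1.1" 401 0
10.0.0.5 - - [12/Jul/2011:10:01:09 +0000] "GET /appname/servlet/com.company.privateServlet1Interface HTTP/1.1" 200 4821
10.0.0.7 - - [12/Jul/2011:10:02:11 +0000] "GET /appname/servlet/privateServlet1 HTTP/1.1" 200 4821
10.0.0.5 - - [12/Jul/2011:10:03:00 +0000] "POST /appname/servlet/com%2Ecompany%2EDoPaymentServlet?amt=1 HTTP/1.1" 200 120
10.0.0.9 - - [12/Jul/2011:10:04:00 +0000] "GET /appname/public HTTP/1.1" 200 512
10.0.0.9 - - [12/Jul/2011:10:05:00 +0000] "GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1" 200 9001
"""

REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
IDENT = r"[A-Za-z_$][\w$]*"
# The first segment after /servlet/ is the invoker target: a servlet name or a dotted class name.
DETOUR_RE = re.compile(rf"^/(?P<app>[^/]+)/servlet/(?P<target>{IDENT}(?:\.{IDENT})*)(?:/|$)")


def classify(raw_path: str):
    """Return the detour target for a request path, or None. Decodes %XX once so
    com%2Ecompany%2EFoo is seen as com.company.Foo; the query string is ignored."""
    path = unquote(raw_path.split("?", 1)[0])
    m = DETOUR_RE.match(path)
    if not m:
        return None
    target = m.group("target")
    return {"app": m.group("app"), "target": target,
            "kind": "class" if "." in target else "name"}


def scan(log_text: str, ignore_names=frozenset()):
    """Alerts for detour-shaped requests. By-name hits whose target is in ignore_names
    (servlets an application legitimately exposes under /servlet/, such as the Portal's
    prt) are suppressed; by-class hits are never suppressed."""
    alerts = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        hit = classify(m.group("path"))
        if hit is None or (hit["kind"] == "name" and hit["target"] in ignore_names):
            continue
        status = int(m.group("status"))
        alerts.append({"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
                       "status": status, "served": 200 <= status < 300, **hit})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG, ignore_names={"prt"}):
        print(f"{a['ts']} {a['ip']} {a['method']} /{a['app']}/servlet/{a['target']} "
              f"[{a['kind']}] status={a['status']} served={a['served']}")
```

A 2xx on a detour URL ("served" is True) means the container actually executed the target and is the case to treat as a probable bypass; a detour request answered with 4xx is still worth recording as reconnaissance. Build ignore_names from the servlet names your applications really map under /servlet/, not from whatever appears in the logs.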


7. CONCLUSIONS

Protecting SAP Java Application Servers is critical for the overall security of the SAP platform. These systems have a completely different security architecture from ABAP-based systems, and it is therefore necessary to understand them deeply in order to be protected against the real-world threats that could result in severe attacks on the business.

A comprehensive assessment of all the security threats affecting these platforms was out of the scope of this document, and will be covered in a future publication.

This document has focused only on one of the threats, the Invoker Servlet Detour attack, providing an in-depth analysis of the root cause of the vulnerability being exploited, the possible impacts for the business and how to mitigate it.

By following the recommendations presented in this publication it is possible to decrease the probability of attacks of this kind, raising the overall security level of the platforms and reducing business risks.

It is critical to analyze whether your platform is affected by this vulnerability. In this sense, Onapsis X1 Enterprise 2 [4], the first-and-only SAP-certified Security Assessment solution for SAP NetWeaver, can be of great help to automatically evaluate your entire platform, detecting vulnerable systems and providing detailed mitigation activities.

For further information into this subject or to request specialized assistance, feel free to contact Onapsis at [email protected]

[4] http://www.onapsis.com/x1


About Onapsis X1

Onapsis X1™ is the industry's first comprehensive solution for the automated security assessment of ERP systems and business-critical infrastructure, currently supporting SAP® NetWeaver™ and R/3® business solutions.

Perform automated IT Security & Compliance Audits, Vulnerability Assessments and Penetration Tests over your SAP platform. Using Onapsis X1 you can decrease financial fraud risks, enforce compliance requirements and reduce audit costs drastically.

Being the first and only SAP-certified Security Assessment solution, Onapsis X1 Enterprise automatically discovers and remotely connects to every SAP system in your organization and detects the growing number of security risks that can result in espionage, sabotage and fraud attacks to your critical business information.

As a result, you are provided with a wide-range of actionable reports that allows you to mitigate existing risks appropriately.

Furthermore, through our exclusive BizRisk Illustrator™ technology, Onapsis X1 Consulting Pro enables you to safely and easily demonstrate which are the real business risks of the existing technical weaknesses.

Get more information at www.onapsis.com/x1


About ONAPSIS

Onapsis is the leading provider of solutions for the security of ERP systems and business-critical infrastructure.

Through different innovative products and services, Onapsis helps its global customers to effectively increase the security level of their core business platforms, protecting their information and decreasing financial fraud risks.

Onapsis X1 is the industry's first comprehensive solution for continuous ERP security assessment, currently supporting SAP platforms. Through Onapsis X1 customers can decrease business fraud risks, enforce compliance requirements and reduce audit costs drastically.

Onapsis is built upon a team of world-renowned experts in the SAP security field, with several years of experience in the assessment and protection of critical platforms in world-wide customers, such as Fortune-100 companies and governmental entities.

For further information about our solutions, please contact us at [email protected].

www.onapsis.com

© 2011 Onapsis SRL. All Rights Reserved.

Subject to Terms of Use available at http://www.onapsis.com/legal/terms-of-use.html

The Onapsis and Onapsis Securing Business Essentials names and logos and all other names, logos, and slogans identifying Onapsis's products and services are trademarks and service marks or registered trademarks and service marks of Onapsis SRL. All other trademarks and service marks are the property of their respective owners.