This article focuses on:
- Different SAP web Application Servers
- Fingerprint SAP web applications
- Countermeasures
Different SAP web Application Servers:
Internet Transaction Server (ITS)
- SAP introduced ITS (Internet Transaction Server) as its initial approach to enabling Internet access to SAP servers. ITS acts as middleware that translates SAP Dynpros (Dynamic Programs) into HTML pages. ITS was integrated into WAS 6.40 (Web Application Server).
- ITS is composed of two major components: WGate (Web gateway), which runs alongside the Web server and forwards browser requests, and AGate (application gateway), which links ITS to the SAP system by receiving those requests from WGate and communicating with the application server using the DIAG or RFC protocol.
URL syntax to access ITS web service:
http://<server>:<port>/<path_to_wgate>/<service_name>/!?<optional_params>
Internet Communication Manager (ICM)
- ICM (Internet Communication Manager) handles communication between the SAP Web Application Server and the outside world over the HTTP, HTTPS and SMTP protocols.
- ICM is a component of the SAP NetWeaver Application Server. Web requests received by ICM are dispatched by ICF (Internet Communication Framework), which selects the service based on the requested URL; by default, ICF services are inactive. The following ICM profile parameters configure the SAP server for HTTP, HTTPS and SMTP:
# Definition of the ports
icm/server_port_0 = PROT=HTTP, PORT=1080
icm/server_port_1 = PROT=HTTPS, PORT=1443
icm/server_port_2 = PROT=SMTP, PORT=1025
# Parameters for SSL support
sec/libsapsecu = $(DIR_EXECUTABLE)/libsapcrypto.so
ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so
# Parameter for ICM Security Log [Parameters MAXSIZEKB=<max size in KB>, SWITCHTF=<options>, FILEWRAP=on]
icm/security_log = LOGFILE=<file name>, LEVEL=<security level>
# Parameter for ICM logging [Parameters LOGFORMAT=<format>, FILTER=<filter>, MAXSIZEKB=<size in kbytes>, SWITCHTF=<options>, FILEWRAP=on]
icm/HTTP/logging_00 = PREFIX=<URL prefix>, LOGFILE=<log file name>
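As an added example (not code from the original article or from SAP), the following Python script parses profile lines in the `parameter = SUBPARAM=value, ...` form shown above and audits the ICM settings a reviewer would check first: an HTTP port without a matching HTTPS port, an HTTPS port without the SSL library parameters, and missing security or HTTP request logging. The two sample profiles are constructed for the example; the concrete LEVEL, SWITCHTF and file-name values in the hardened profile are assumed placeholders, not recommended settings.

```python
from __future__ import annotations
import re

# Constructed sample: HTTP only, no logging at all.
WEAK_PROFILE = """
icm/server_port_0 = PROT=HTTP, PORT=1080
"""

# Constructed sample using the parameter names from the article; the concrete
# LEVEL/SWITCHTF/file-name values are assumed placeholders.
HARDENED_PROFILE = """
# Definition of the ports
icm/server_port_0 = PROT=HTTP, PORT=1080
icm/server_port_1 = PROT=HTTPS, PORT=1443
# Parameters for SSL support
sec/libsapsecu = $(DIR_EXECUTABLE)/libsapcrypto.so
ssl/ssl_lib = $(DIR_EXECUTABLE)/libsapcrypto.so
# Security log and HTTP request log
icm/security_log = LOGFILE=dev_icm_sec, LEVEL=2, MAXSIZEKB=1000, SWITCHTF=day, FILEWRAP=on
icm/HTTP/logging_00 = PREFIX=/, LOGFILE=icmhttp.log, MAXSIZEKB=10000, SWITCHTF=day, FILEWRAP=on
"""


def parse_profile(text: str) -> dict[str, str]:
    """Return {parameter: raw value}, skipping blank lines and '#' comments."""
    params: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        # Split on the first '=' only: the value itself contains '='.
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def parse_subparams(value: str) -> dict[str, str]:
    """Split 'PROT=HTTPS, PORT=1443' into {'PROT': 'HTTPS', 'PORT': '1443'}."""
    out: dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if "=" in part:
            k, _, v = part.partition("=")
            out[k.strip().upper()] = v.strip()
    return out


def audit_icm_profile(text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    params = parse_profile(text)
    findings: list[str] = []

    ports = {k: parse_subparams(v) for k, v in params.items()
             if re.fullmatch(r"icm/server_port_\d+", k)}
    prots = {p.get("PROT", "").upper() for p in ports.values()}

    if "HTTP" in prots and "HTTPS" not in prots:
        findings.append("plain HTTP port defined without an HTTPS port")
    if "HTTPS" in prots and ("ssl/ssl_lib" not in params or "sec/libsapsecu" not in params):
        findings.append("HTTPS port defined but SSL library parameters are missing")
    if "icm/security_log" not in params:
        findings.append("icm/security_log not configured")
    if not any(k.startswith("icm/HTTP/logging_") for k in params):
        findings.append("no icm/HTTP/logging_NN parameter, HTTP requests are not logged")
    return findings


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_icm_profile(profile) or ["no findings"])
```

The checks are deliberately about presence of parameters rather than their values; whether LEVEL or the port numbers are appropriate is a site decision, but a profile that exposes HTTP with no HTTPS port and no request log cannot support the fingerprinting detection discussed later in the article.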
SAP Enterprise Portal (EP)
- The Portal provides a single point of access to an organization's SAP and non-SAP information sources, enterprise applications, databases and services across organizational boundaries via a web-based interface.
- It is a complex Java application running on the J2EE engine, providing role-based access to enterprise information and applications.
Enterprise Portal ports:
- HTTP: 5xx00
- HTTPS: 5xx01
where xx is the Java instance number (JCxx).
Fingerprint SAP web applications
- It is common for SAP applications to be accessible from the Internet, which makes it easier for anonymous users to find and fingerprint SAP systems. A simple means of finding SAP systems connected to the Internet is a search engine such as Google, Shodan, etc.
- Once the attacker has identified SAP systems on the web, the attacker can easily gather version information of the SAP components (ITS, ICM, J2EE Engine/EP) by sending simple HTTP requests to the SAP web server, which responds with sensitive information.
- Exploring Enterprise Portal error messages, we can identify the version of Enterprise Portal installed (in this case, Enterprise Portal version 7.00).
- Exploring ICM error messages, we can gather SAP system information such as the SAP server hostname (sapides), System ID (IDS) and instance number (00).
- There are more than 1500 standard ICM services within SAP ECC, each used to access application data. In some SAP installations a few of those services are active by default, which may lead to sensitive information disclosure, as below.
- Access to the ICM service “/sap/public/info” can be used to gather sensitive information such as SAP System ID, hostname, database type, SAP release, patch level, SAP kernel version, OS type, etc.
In ICM there are two types of services, public and private. Public services can be executed directly, whereas private services require initial authentication; afterwards, the user can execute the required ICM service only if the corresponding SAP ICF (Internet Communication Framework) authorization objects have been assigned to him or her.
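Because the ICM HTTP log (the `icm/HTTP/logging_NN` parameter above) records every request, the reconnaissance described in this section leaves a trace a defender can alert on. The following added example (not part of the original article) runs a simple detection over constructed access-log lines. It assumes a CLF-style line layout (`host ident user [time] "METHOD path proto" status size`); the real layout is whatever LOGFORMAT is set to and the regular expression must be adjusted to match. It flags external sources that successfully fetch the `/sap/public/info` service named above, and sources that collect many distinct 404 responses under `/sap/`, which is what probing for which of the 1500+ ICF services happen to be active looks like in the log. The internal address prefixes and the threshold are assumptions for the example.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Assumed CLF-style layout; adjust to the LOGFORMAT actually configured.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)

# ICF service the article names as disclosing SID, hostname, release, kernel and OS.
SENSITIVE_PATHS = {"/sap/public/info"}
# Assumed internal address ranges; anything else is treated as external.
INTERNAL_PREFIXES = ("10.", "192.168.")
# Distinct 404 paths under /sap/ from one source before it counts as enumeration.
ENUM_THRESHOLD = 5

# Constructed sample log: one internal client, one probing external client,
# one harmless external client and one malformed line.
SAMPLE_LOG = """\
10.1.2.3 - - [01/Jan/2024:10:00:01 +0000] "GET /sap/public/info HTTP/1.1" 200 1523
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /sap/public/info HTTP/1.1" 200 1523
203.0.113.7 - - [01/Jan/2024:10:00:06 +0000] "GET /sap/bc/svc1 HTTP/1.1" 404 312
203.0.113.7 - - [01/Jan/2024:10:00:06 +0000] "GET /sap/bc/svc2 HTTP/1.1" 404 312
203.0.113.7 - - [01/Jan/2024:10:00:07 +0000] "GET /sap/bc/svc3 HTTP/1.1" 404 312
203.0.113.7 - - [01/Jan/2024:10:00:07 +0000] "GET /sap/bc/svc4 HTTP/1.1" 404 312
203.0.113.7 - - [01/Jan/2024:10:00:08 +0000] "GET /sap/bc/svc5?x=1 HTTP/1.1" 404 312
198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /sap/bc/svc1 HTTP/1.1" 404 312
this line is not in log format
"""


def parse_line(line: str) -> dict[str, str] | None:
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(host: str) -> bool:
    return host.startswith(INTERNAL_PREFIXES)


def analyze(lines) -> dict[str, list[str]]:
    """Return {source host: [finding, ...]} for sources that look like recon."""
    findings: dict[str, list[str]] = defaultdict(list)
    not_found: dict[str, set[str]] = defaultdict(set)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as findings
        host = rec["host"]
        path = rec["path"].split("?", 1)[0]  # drop the query string
        status = rec["status"]

        if path in SENSITIVE_PATHS and status == "200" and not is_internal(host):
            findings[host].append(f"external access to {path} (status 200)")
        if status == "404" and path.startswith("/sap/"):
            not_found[host].add(path)

    for host, paths in not_found.items():
        if len(paths) >= ENUM_THRESHOLD:
            findings[host].append(
                f"service enumeration: {len(paths)} distinct unavailable /sap/ paths")
    return dict(findings)


if __name__ == "__main__":
    for host, items in analyze(SAMPLE_LOG.splitlines()).items():
        for item in items:
            print(f"{host}: {item}")
```

Only the external client that both read `/sap/public/info` and walked five unavailable `/sap/` paths is reported; the internal client reading the same service and the external client with a single 404 are not. The status code matters: a 200 on a public information service from outside is worth an alert on its own, while a single 404 is just noise until the same source accumulates enough of them.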