Patch Me If You Can

Right after the Opening Keynote of TROOPERS16, an informative and interesting talk took place at the SAP Security track. This talk was given by three speakers; Damian Poddebniak who is currently a master student at the University of Applied Sciences of Münster, Sebastian Schinzel who works as an IT security Professor at the University of Applied Sciences of Münster and he is also the founder of CycleSEC GmbH and finally the sixth-time speaker at Troopers “Andreas Wiegenstein” who is the CTO of Virtual Forge GmbH and a professional SAP security consultant since 2003.

The main purpose of the talk was to introduce the security issues, which were founded by the speakers in the SAP Download Manager, which is used to download the different software packages from SAP download service. These issues only relate to the scenario in which the Marketplace service is used to select and manage the needed software packages, which later are downloaded using SAP Download Manager. As mentioned also during the talk, the speakers assumed that the main victim in this talk is the administrator of SAP system, which is run inside any environment. Moreover, these issues were discovered in a joined research project by Muenster University of applied sciences and Virtual Forge GmbH.

The talk was started with an introduction by Sebastian, who talked about the MITM attack in general and how this attack can be performed in a variety of ways, such as in open Wi-Fi networks, within company networks by exploiting the vulnerabilities in routers if founded, using Border Gateway Protocol (BGP) hijacking, DNS spoofing/poisoning or by paying to the black market for MITM attack.

During the introduction, Sebastian also pointed out the importance of the security objectives such as Authenticity, Confidentiality and Integrity, by explaining the main three methods to deliver the software packages in general. These methods are accomplished using HTTP or FTP, using HTTPS or SSH and by using Digital Signature over either an unencrypted or an encrypted link. The latter (i.e. using Digital Signature) was further explained by showing how SAP package is usually signed using SAP private key and then the package is sent to the customers, who can later use the SAP public key to check the validity of the package. In order for securely transfer the public key to the customers, SAP hardcodes it within the SAP Download Manager, Sebastian said.

After the introduction, Andreas took the lead and he started with telling the audience about the reason to care about SAP in any company’s network environment. As Andreas mentioned, SAP products are founded in more than 300,000 companies around the world, and beside that SAP systems are sometimes considered more complex than other systems in the environment. Andreas then explained how Marketplace service is usually used to select the packages to be downloaded and how these packages later are downloaded by SAP Download Manager. In this context, he also mentioned the two main types of the archive extension of the SAP downloaded packages, which include the “.CAR” (old extension) and “.SAR”. He also referred to the command-line tool that is used to extract the files from the downloaded archive, which is called “SAPCAR”.

After his introduction, Andreas started mentioning the security issues that were founded in SAP Download Manager at the early stages of their project, which included the following:

  • Using HTTP to download software packages instead of using HTTPS.
  • The password is stored locally in insecure way, by relying on a totally simple XOR operation.
  • Using HTTP basic authentication, this means that an attacker could simply compromise the administrator credentials. These credentials as told by Andreas are also used for reviewing the different supporting messages from different users, which as he said; gives the attacker the advantage of exploring the company’s SAP system issues.

After the above mentioned security issues were reported to SAP, the SAP Download Manager no longer uses HTTPS and instead it uses HTTPS, and also the password is not anymore stored locally, Andreas said.

At this moment, the stage was given to Damian to introduce the finding that was discovered after the SAP Download Manager was patched to use HTTPS. Despite the fact that SAP Download Manager uses HTTPS, it turned out that the HTTP Apache client that is used by the SAP Download Manager is vulnerable to CVE-2014-3577. To those who do not know this vulnerability, this vulnerability occurs as a result of the HTTP client fails to parse the Container Name (CN) parameter in the certificate, because the implementation searches for the first occurrence of the CN and takes its value. Therefore, the attacker can for example manipulate the Organizational Unit (OU) parameter, which is normally not verified by CA and hence assigning a value for it, which looks like the following value:

OU = CN = disguised domain

The above value fools the HTTP client and makes it think that the attacker certificate is the certificate of the domain, to which the client wants to communicate. In case of SAP Download Manager, this vulnerability allows the attacker under certain conditions to impersonate the SAP download service, and as stated by Damian these conditions to be met are:

  • The CA that is used by the attacker to obtain such a certificate should permit having a certificate that contains the OU name, which appears in the certificate before the CN name.
  • The fake certificate is paid and not free up to the knowledge of the speakers.

Furthermore, as the speakers said, there were three additional security issues beside the previous one, which are:

  • Users are still required to manually validate the signature of the SAP downloaded packages, because SAP does not provide an automatic way to validate the packages. This is done by using SAPCAR tool and the users should also take more attention while using this command with the old archive extension “.car”, as this extension requires using the suitable flag with the command.
  • The HTTPS to HTTP downgrade attack in certain download scenarios, which could be used by the attacker to inject his malicious content using MITM attack.
  • Directory traversal attack, which can take place while choosing the directory on which the downloaded packages are saved.

At the end of this talk, the speakers suggested the following recommendations for secure using of SAP Download Manager:

  • For those who still use an old version of SAP Download Manager, they should immediately update it to the latest patched version.
  • For those who already used SAP Download Manager before the patched version, it is highly recommended to perform a signature validation for these packages. As an additional precaution the password of SAP Download Manager should also be changed.
  • SAP Download Manager credentials should be restricted to be used only for downloading the software packages and not for anything else.
  • As there is no an automatic way to check the validity of the downloaded software packages, signature validation should be always manually performed.

For more information about this talk, please have a look at the published slides at the following link:

Patch Me If You Can

Thanks from me “Ali Hardudi” and I hope you enjoyed reading my post 🙂


Leave a Reply

Your email address will not be published. Required fields are marked *