Last year I encountered a slight variation of an internal port scan vulnerability for the CrystalReports component of SAP Business Objects. The original vulnerability was presented and disclosed by rapid7 in the talk “Hacking SAP Business Objects”. The corresponding slides can be found here.
Basically, the original vulnerability allowed port scanning of (internal) systems via the URL http://hostname/CrystalReports/viewrpt.cwr?id=$ID&wid=$WID&apstoken=ip:port@$TOKEN. By accessing this URL, different responses were received depending on if the port (parameter port in the URL) of the system (parameter ip in the URL) was in the state “open” or “closed”. The original vulnerability has been fixed a long time ago (SAP security note 1432881), but the fix did allow for a slight variation to make the attack work again.
More specifically, it was possible to use the response time for the requests to the URL given above to distinguish if a port is open or closed. Let me demonstrate this issue with a short example:
The following request is sent (e.g. from the Internet to the exposed CrystalReports component of SAP Business Objects) in order to scan the port 80 of another (internal) system with the IP address 10.0.0.2. Let us assume that the port is open then the response time will be around 10 seconds.
# Request 1 GET /CrystalReports/viewrpt.cwr?id=$ID&wid=$WID&apstoken=10.0.0.2:80@$TOKEN HTTP/1.1 Host: SAP-SYSTEM:8080 [...] # Response 1 HTTP/1.1. 200 OK [...] Response time: ~ 10 seconds
If the port for the internal system is open, the response time for the corresponding server response differs significantly from the one for a closed port, i.e. 1 second for a closed port in comparison to 10 seconds for an open port.
Therefore, if a similar request is sent, for example, for the closed port 81, then the following response will be obtained:
# Request 2 GET /CrystalReports/viewrpt.cwr?id=$ID&wid=$WID&apstoken=10.0.0.2:81@$TOKEN HTTP/1.1 Host: SAP-SYSTEM:8080 [...] # Response 2 HTTP/1.1. 200 OK [...] Response time: ~ 1 second
This allows scanning internal systems (i.e. the systems reside behind a firewall but are reachable by the SAP Business Objects system) for open ports.
Moreover, the response time for systems that do not exist/answer to requests is also significantly higher than for systems that do exist/answer to requests, i.e. 1 second in comparison to 20 seconds. This also allows determining if a certain internal IP address is in use.
To mitigate the vulnerability, update your system corresponding to SAP security note 2336795.
Timeline of disclosure process:
15.06.2016 – Initial report of the vulnerability
24.06.2016 – Confirmation of the vulnerability
13.12.2016 – Release of security note
13.03.2017 – Blogpost
P.S.: And if you are at Troopers next week and want to learn more on the security of SAP systems, make sure to visit the dedicated SAP Track.