This blog post contains summaries of talks from this year’s TROOPERS18 SAP Security Track.
SAP IGS : The ‘vulnerable’ forgotten component by Yvan Genuer
The Internet Graphics Server (IGS) is used to generate web-based graphics from the SAP Web AS. Yvan Genuer looked at the security of this ancient component, for which very few public vulnerabilities have been available so far. In his talk he gave us insights into the structure of the IGS and its services, and into the problems he had when looking for documentation of the IGS and its components.
The IGS consists of different services such as XMLChart, ZIPPER and IMGCONV. These services are exposed on different ports through a multiplexer.
Once he understood the correct syntax of the requests, Yvan started tampering with them and tried low-hanging fruit such as XXE in the XMLChart service and arbitrary file reads in the IMGCONV server. Both approaches were successful.
The XMLChart service allows users to send XML files containing data which will be rendered as charts. When experimenting with XXE he figured out that a maximum of 440 characters can be printed in the generated image. But there is more. When he provided a so-called XML customization file containing a link, the XMLChart service created another file containing an ImageMap. The string length in the ImageMap file is not limited to 440 characters, which allowed Yvan to extract files through XXE.
The IMGCONV service, as the name suggests, converts an image from one format to another. Yvan spotted that not only http:// and https:// but also file:// paths are accepted, allowing him to overwrite arbitrary files on the SAP system with an image.
SAP provides security patches for all disclosed vulnerabilities.
If you are interested in the other services Yvan analysed, have a look at the recording of his talk on YouTube or download his slides.
Hacking and Securing SAP Hana Applications from a Penetration Testers Point of View by Frederik Weidemann
Frederik Weidemann from Virtual Forge GmbH gave a talk about hacking and securing SAP HANA applications.
The talk focused on the application server, called XS Engine, that ships with the HANA database. He started with an introduction to the overall HANA architecture and presented various default and advanced security settings that can be configured. These include, for example, per-application settings in local configuration files that enable features such as CSRF protection.
Weidemann described the capabilities of the XS Engine, for example building services that dynamically create HTML pages. He demonstrated that this can lead to typical web-application vulnerabilities like Cross-Site Scripting (XSS) and SQL Injection (SQLi) if the developers do not apply input sanitization and output encoding to user-supplied data. He implemented vulnerable services to demonstrate the flaws and described the correct mitigation for each flaw in the context of HANA applications.
Furthermore, he wants to make people aware that they should use the provided UI5 elements for handling critical user input instead of jQuery, JSON or their own implementations.
Beyond preventing XSS and SQLi flaws with UI5 elements and prepared statements with parameter binding, other flaws such as directory traversal or OS command injection should not be possible, because the interfaces for I/O operations and the API interfaces are missing.
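The two mitigations named above, parameter binding and output encoding, shown next to the vulnerable pattern. This is an added example, not code from the talk or from SAP: the connection object is a constructed stand-in with a prepared-statement style interface, and the table, column and function names are hypothetical.

```javascript
// Constructed stand-in for a connection with prepared statements; it records what reaches the "database".
function makeFakeConnection(log) {
  return {
    prepareStatement(sql) {
      const params = [];
      return {
        setString(index, value) { params[index - 1] = String(value); },
        executeQuery() {
          log.push({ sql, params: params.slice() });
          // Constructed sample row that contains stored, attacker-controlled markup.
          return [{ NAME: '<script>alert(1)</script>', CITY: "O'Hara & Sons" }];
        }
      };
    }
  };
}

// Encode the five HTML-significant characters (element and quoted-attribute context).
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: user input concatenated into SQL, rows concatenated into HTML.
function renderCustomersVulnerable(conn, city) {
  const stmt = conn.prepareStatement(
    "SELECT NAME, CITY FROM CUSTOMERS WHERE CITY = '" + city + "'");
  return stmt.executeQuery()
    .map((r) => '<li>' + r.NAME + ' (' + r.CITY + ')</li>').join('');
}

// Hardened pattern: parameter binding for SQL, output encoding for HTML.
function renderCustomersHardened(conn, city) {
  const stmt = conn.prepareStatement('SELECT NAME, CITY FROM CUSTOMERS WHERE CITY = ?');
  stmt.setString(1, city);
  return stmt.executeQuery()
    .map((r) => '<li>' + encodeHtml(r.NAME) + ' (' + encodeHtml(r.CITY) + ')</li>').join('');
}

// Run both handlers on the same hostile input and return what each one produced.
function demo() {
  const input = "x' OR '1'='1"; // constructed test input
  const log = [];
  const conn = makeFakeConnection(log);
  const vulnerableHtml = renderCustomersVulnerable(conn, input);
  const hardenedHtml = renderCustomersHardened(conn, input);
  return { log, vulnerableHtml, hardenedHtml };
}
console.log(JSON.stringify(demo(), null, 2));
```

In the recorded log, the first statement carries the input inside the SQL text, while the second keeps the SQL constant and passes the input only as a bound value.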
He also mentioned XS Advanced, the successor of the XS Engine. It is backwards compatible, has some extensions and has a limited input filter against XSS. This input filter searches for simple XSS, but can be easily bypassed.
His conclusion is that the most critical part of HANA development is educating people to implement web applications correctly and moving people from native ABAP development to SAP HANA.
The recording of the talk is available here. https://www.youtube.com/watch?v=AEkHGJhncn0
Slides are currently not available for this talk.
Thank you for reading!
Malte Heinzelmann, Timo Harder, and Tom Wellinger