Assessing a SAProuter's Security with Onapsis Bizploit: Part I

Hello there, my name is Nahuel D. Sanchez and I work as a Security Researcher at the Onapsis Research Labs.

The idea behind this post is to uncover and understand the options we have while performing a security assessment of the company's SAProuter implementation using the open source ERP Penetration Testing framework, Onapsis Bizploit.

For more information about vulnerabilities affecting the SAProuter, attacks and countermeasures, you should have a look at our SAP Security In Depth publication “Securing the Gate to the Kingdom: Auditing the SAProuter”.

Basic Concepts

Before we dig into the interesting stuff, it's necessary to review some basic concepts. If you're already familiar with the SAProuter, you can jump straight to the “Security Assessment Techniques” section.

SAProuter: A program that acts as a reverse proxy, routing incoming and outgoing connections between the organization's SAP systems and the LAN, remote partners or SAP support centers.

Route Permission Table: A text file that contains the rules the SAProuter processes to permit or deny a connection.

Security Assessment Techniques

As we said, we're going to use Bizploit to test the SAProuter. For testing purposes, please consider the following network topology:

With Bizploit up and running we can go ahead and try our first assessment technique: retrieve the SAProuter's connected client list.

The first step is to configure the target (the SAProuter host) in Bizploit. To do this, follow these steps:

Note: You can use the “TAB” key for auto-completion.

  1. Type targets and hit enter.
  2. Type addTarget and hit enter.
  3. Type set host <ip_target_sap_router> and hit enter.
  4. Type back and hit enter.
  5. You can check whether the target was added correctly by using the show command.

The following image illustrates this process:

Bizploit target configuration

Once the target is set, the next step is to discover the available connectors on the target. This can be done by following these steps:

  1. Type discoverConnectors <target_id> and hit enter.
  2. Type back and hit enter.

The following image shows the most significant part of the result.

The only meaningful connector for the purpose of this post is the SAPROUTER connector.

1. SAProuter connected client list retrieval

With the target configured and loaded and the connectors discovered, we can use the plug-in “getSAProuterInfo”.

  1. Type plugins and hit enter.
  2. Type discovery getSaprouterInfo and hit enter.
  3. Type back and hit enter.
  4. Type start and hit enter.

The following image illustrates an example execution:

With the information obtained we can get the IP address of the SAP servers, SAP clients and the services currently being used.

2. Internal port scanning through SAProuter

Another interesting plug-in we can use is “saprouterSpy”. This plug-in performs a port scan of the configured host through the SAProuter. For this example consider the following topology:

Before using the plug-in we need to configure it:

  1. Type plugins discovery config saprouterSpy and hit enter.
  2. Type set targets and hit enter. This option establishes the host to be scanned. It can be one individual host or an IP range. In our example, this could be Server A.
  3. Type back and hit enter.

Note: To view other configurable options, use the view command under the plug-in configuration menu.

Once the plug-in is configured, we can start it as follows:

  1. Type plugins discovery saprouterSpy and hit enter.
  2. Type start and hit enter.

Once Bizploit is started, it will try to reach Server A through the SAProuter. Depending on the answer that Bizploit receives from the SAProuter, it will report whether or not each port on the target Server A can be accessed.

In the following image we can view part of the result:

This image shows the open ports on the scanned host. It's important to note that the victim host isn't directly reachable; we are scanning it through the SAProuter host. This information could be highly valuable to a remote attacker.
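
Whether connections like these are permitted is decided by the Route Permission Table, so the table itself is worth reviewing for wildcard permit rules. The following Python check is an added example, not part of the original post or of Bizploit; it assumes entries of the form <P|S|D> <source-host> <dest-host> <dest-port> [password], and the sample table and the function name audit_saprouttab are constructed for illustration.

```python
# Added example: audit a Route Permission Table for wildcard permit rules.
# Assumed entry layout: <P|S|D> <source-host> <dest-host> <dest-port> [password]
# Only P, S and D entries are handled; anything else is reported as UNPARSED.

# Constructed sample table, not taken from the original post.
SAMPLE_SAPROUTTAB = """\
# constructed example entries
P 10.0.1.15 10.0.2.20 3200 examplepass
S 192.168.5.* 10.0.2.20 3300
P 10.0.1.15 10.0.2.21 *
P * * *
D * * *
"""

def audit_saprouttab(text):
    """Return a list of (line_no, severity, reasons) for risky permit entries."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() not in ("P", "S", "D"):
            findings.append((line_no, "UNPARSED", [line]))
            continue
        action, src, dst, port = fields[0].upper(), fields[1], fields[2], fields[3]
        if action == "D":
            continue  # deny entries do not open a route
        reasons = []
        if "*" in src:
            reasons.append("source is a wildcard")
        if "*" in dst:
            reasons.append("destination host is a wildcard")
        if port == "*":
            reasons.append("every port on the destination is reachable")
        if action == "P" and len(fields) < 5:
            reasons.append("P entry (any protocol) without a route password")
        if not reasons:
            continue
        # A wildcard destination host or port is what lets a client probe
        # internal services through the router, so rank those highest.
        severity = "HIGH" if ("*" in dst or port == "*") else "MEDIUM"
        findings.append((line_no, severity, reasons))
    return findings

if __name__ == "__main__":
    for line_no, severity, reasons in audit_saprouttab(SAMPLE_SAPROUTTAB):
        print(f"line {line_no}: {severity}: {'; '.join(reasons)}")
```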

In the next article we'll learn how to use another plug-in and how a misconfigured SAProuter could be exposing not only our SAP systems, but our entire network. Stay tuned!


