Assessing a SAProuter's Security with Onapsis Bizploit: Part II

In our previous post, we were able to understand the topology and configuration in place, useful whenever you want to analyze how secure a SAProuter implementation is. In this article, we'll check if our SAProuter is secure or whether it would be possible for an attacker to retrieve information and connect to our internal network.

Using SAPRouter Agents

We have already retrieved useful information from the SAProuter, which is potentially connected to an untrusted network. But that's not all of it. If the SAProuter is mis-configured, then it would be possible for a remote attacker to access the internal network and connect to arbitrary systems and services, even beyond standard SAP protocols.

The SAProuter has a special feature that enables it to route arbitrary protocols, which is called “native routing”. Refer to our SAProuter SAP Security In-Depth publication, specifically section 3.3, for further information on this topic.

Based on this feature provided by the SAProuter, another Bizploit plugin to include in any vulnerability assessment is the “SAProuterNative”. This plugin tries to detect whether native protocol routing is enabled.

To enable the plugin, follow the next steps:

  1. Type plugins and hit enter.
  2. Type vulnassess saprouterNative and hit enter.
  3. Type vulnassess config saprouterNativeand hit enter.
  4. Type set targets <ip_to_route_the_packets> and hit enter.
  5. Type back and hit enter.
  6. Type start and hit enter.

It is possible to configure the ports to scan with custom ports, to use this option and view others execute the viewcommand, under the plugin configuration options.

In the image it is possible to see the module's output.

This means that, in this case, it is possible to route SSH traffic to host through the SAProuter.

To illustrate the potential impact of this vulnerability, Bizploit has an integrated exploit plugin. In order to run it, follow the next steps:

  1. Type exploit and hit enter.
  2. Type exploit sapRouterAgent <vuln_id> and hit enter. If you need to know the vulnerability ID exploitable by this plugin you can use the list command.
  3. Type start and hit enter.

If the attack was successful, then a SAProuter Agent will be created. This agent can be used to route traffic to the target host acting as a SOCKS proxy server. The SAProuterAgent translates SOCKS traffic to SAProuter's native protocol!

The next step is to configure the agent to listen and forward traffic:

  1. Type back and hit enter.
  2. Type agents start <agent_id> and hit enter. In order to find the agent ID it is possible use the agents show command.
  3. Type startProxying and hit enter.

The result is shown in the next image:

At this point, we have just to use any tool that is able to route traffic through a SOCKS proxy and that will be forwarded to the destination system.

In this case, to connect to the SAProuterAgent and tunnel the traffic, the tsocks proxying library will be used. See tsocks documentation on how to setup the SOCKS proxy information.

The following command can be used to connect to the SSH Server (at IP Address through the SAProuter Agent: tsocks ssh [email protected]

If the above aforementioned command is executed, then the traffic will be sent through the SAProuter to the target server, effectively connecting to an SSH server located in the internal network.


I hope that you now know how to use Bizploit to perform a quick security assessment of your SAProuter implementation. In our first article, we used its discovery plugins to gain valuable information about the target SAProuter such as clients connected, SAP servers, SAP clients and ports open in LAN hosts. This information could be highly useful for a malicious party to perform another additional attacks or to gain knowledge about the network topology we are testing.

Additionally, we have explained how to verify if the SAProuter is not properly configured, which would potentially allow remote attackers to bypass the security restrictions and gain access to our company's internal network, including both SAP and non-SAP systems.

Please refer to the SAP Security In Depth publication Securing the Gate to the Kingdom: Auditing the SAProuter to understand how to secure your SAProuter holistically and protect yourself from malicious hacker attacks.

Leave a comment