Using SAP Gateway as a proxy

Hi! In this post I want to summarize another little-known behavior of SAP Gateway: its ability to act as a proxy. When we want to perform an RFC connection, two parameters are specified: the IP of the gateway and the IP of the application server. But wait... isn't the gateway always located on the same host as the application server? Yes, usually, but there are some specific cases where you need to use these parameters with different values. So in the end it is a nice feature: you can tell a gateway to perform a connection to another application server.

However, this feature has consequences. Imagine this scenario: at the firewall level you have filtered production IP addresses from developers, but not development IP addresses. These developers need access to the development system, not to production. They just need to change the application server IP parameter (which they control) in order to pivot through the development gateway and reach the production server. It is not just something they are able to do; it is also undetectable for the final destination. In this scenario, the production server will see the request coming from a valid source (the development system). Basically, this feature allows bypassing network segments and firewall restrictions.

This behavior can be controlled using the profile parameter gw/prxy_info, with which you can create an ACL with rules to restrict this feature. For more in-depth information about this feature, how it can be abused by an attacker and its implications, check our SSID about Pivoting. You will also find there the references required to protect your systems from the misuse of this feature.
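The ACL restriction described above, as an added example that is not from the original post or from SAP: a small Python checker that evaluates a proxy ACL and lists the client/production pairs the development gateway would still forward. The `P`/`D SOURCE= DEST=` rule form, first-match-wins evaluation with deny on no match, and all addresses are assumptions to verify against SAP's documentation for gw/prxy_info.

```python
from fnmatch import fnmatch

# Constructed ruleset in the P/D SOURCE= DEST= form (assumed syntax; verify
# against SAP's gw/prxy_info documentation before deploying).
PRXY_INFO = """\
#VERSION=2
# dev gateway may only forward to development application servers
P SOURCE=10.10.* DEST=10.10.*
D SOURCE=* DEST=*
"""

def parse_rules(text):
    """Return [(action, [source patterns], [dest patterns])] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *fields = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"unknown action in rule: {line!r}")
        kv = dict(f.split("=", 1) for f in fields)
        rules.append((action, kv["SOURCE"].split(","), kv["DEST"].split(",")))
    return rules

def decide(rules, source, dest):
    """First matching rule wins; no match is treated as deny (assumption)."""
    for action, sources, dests in rules:
        if any(fnmatch(source, p) for p in sources) and \
           any(fnmatch(dest, p) for p in dests):
            return action
    return "D"

def audit(rules, clients, protected):
    """List (client, server) pairs the gateway would still proxy."""
    return [(c, s) for c in clients for s in protected
            if decide(rules, c, s) == "P"]

if __name__ == "__main__":
    rules = parse_rules(PRXY_INFO)
    # Constructed addresses: 10.10.x = development, 10.20.x = production.
    print(audit(rules, ["10.10.5.21"], ["10.20.0.11", "10.20.0.12"]))
    print(decide(rules, "10.10.5.21", "10.10.0.11"))
```

An empty list from `audit` means no developer workstation can reach a production server through this gateway; any pair it returns is a path the firewall rule alone does not block.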
