SSRF VS. BUSINESS CRITICAL APPLICATIONS

Black Hat USA 2012

Presented by: Dmitry Chastuhin, Alexander Polyakov
Date: Thursday July 26, 2012
Time: 17:00 - 18:00
Location: Palace I
Track: Enterprise Intrigue

Typical business-critical applications have many vulnerabilities because of their complexity, customizable options and lack of awareness. Most countermeasures are designed to secure the system using firewalls and DMZs so that, for example, to enter the technology network from the Internet, an attacker has to bypass 3 or more lines of defense. This looks fine until somebody finds a way to attack the secured system through trusted sources. With the help of SSRF and one of its implementations, XXE Tunneling, it is possible to root a system within one request that comes from a trusted source and bypasses all restrictions.

SSRF stands for Server Side Request Forgery. It is a great attack concept that was discussed in 2008 with very little information about theory and practical examples. We decided to change that and conducted deep research in this area. As we deal with ERP security, we take SAP as the example for practicing SSRF attacks. The idea is to find victim server interfaces that allow sending packets, initiated by the victim's server, to the localhost interface of the victim server or to another server secured from the outside by a firewall. Ideally this interface must allow us to send any packet to any host and any port, and it must be accessible remotely without authentication or at least with minimum rights. It looks like a dream, but this is possible. Why is this attack especially dangerous to SAP? Because many restrictions preventing the exploitation of previously found vulnerabilities, for example in RFC, the Message Server or Oracle authentication, prevent only attacks from external sources but not from localhost!

We have found various SSRF vulnerabilities which allow internal network port scanning, sending arbitrary HTTP requests from the server, bruteforcing the backend and more, but the most powerful technique was XXE Tunneling. We did deep research into the XXE vulnerability and most of the popular XML parsers and found that it can be used not only for file reading and hash stealing but even for getting a shell or sending any packet to any host (0-day). What does this mean for business-critical systems? XML interfaces are normally used for data transfer between Portal, ERP, BI, DCS, SCADA and other systems. Using an XXE vulnerability you can bypass firewalls and other security restrictions. What about practice? To show a real threat we took the most popular business application platform, SAP NetWeaver, and its various XML parsers. We found that it is possible to bypass almost all security restrictions in SAP systems. Using XXE Tunneling it is possible to reopen many old attacks and conduct new ones which were impossible before.
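As an added illustration from the defender's side (this is not the speakers' code, and it is unrelated to the OWASP-EAS tooling mentioned below), the following Python shows the two controls the two preceding paragraphs imply: refusing any DTD in inbound XML so an external entity can never trigger a server-side request, and an allowlist on the destinations a server is permitted to fetch, so loopback and backend ports are not reachable through it. The partner host `partner.example`, the entity target `backend.invalid` and the sample documents are constructed for this example; the only library used is the standard-library expat binding.

```python
import ipaddress
import xml.parsers.expat
from urllib.parse import urlsplit


class UnsafeXML(ValueError):
    """Raised when an inbound document carries a DTD, which is where XXE payloads live."""


def parse_without_dtd(data: bytes) -> list:
    """Parse XML with the stdlib expat parser, refusing any DOCTYPE, entity
    declaration or external entity reference.  Returns the element names seen,
    so callers can confirm the document was parsed rather than silently dropped."""
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE', before any entity inside it is declared.
        raise UnsafeXML(f"DOCTYPE {name!r} rejected (SYSTEM id {sysid!r})")

    def on_entity_decl(*args):
        raise UnsafeXML("entity declaration rejected")

    def on_external_ref(context, base, sysid, pubid):
        # Defense in depth: the parser must never fetch a SYSTEM identifier.
        raise UnsafeXML(f"external entity {sysid!r} refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)
    return seen


def is_allowed_target(url: str, allowed: frozenset) -> bool:
    """Allowlist check for a server-initiated fetch.  `allowed` holds the
    (hostname, port) pairs of known partner systems; everything else, including
    loopback, literal IP addresses and non-HTTP schemes, is refused so the
    application cannot be used as a proxy into its own network."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False  # no file://, gopher:// or other schemes
    host = parts.hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # literal addresses are never partner names
    except ValueError:
        pass
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False  # malformed port
    # The name is still resolved at connect time; re-check the resolved
    # address there as well if the resolver is not under your control.
    return (host.lower(), port) in allowed


# Constructed sample inputs (not taken from the talk).
CLEAN_ORDER = b"<order><id>42</id></order>"
XXE_ORDER = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "http://backend.invalid/">]>'
    b"<order><id>&ext;</id></order>"
)
PARTNERS = frozenset({("partner.example", 443)})


def demo() -> dict:
    """Run both checks over the constructed samples and return the verdicts."""
    try:
        parse_without_dtd(XXE_ORDER)
        xxe_blocked = False
    except UnsafeXML:
        xxe_blocked = True
    return {
        "clean_elements": parse_without_dtd(CLEAN_ORDER),
        "xxe_blocked": xxe_blocked,
        "partner_allowed": is_allowed_target("https://partner.example/api", PARTNERS),
        "loopback_allowed": is_allowed_target("http://127.0.0.1:3300/", PARTNERS),
        "file_allowed": is_allowed_target("file:///etc/passwd", PARTNERS),
    }


if __name__ == "__main__":
    print(demo())
```

Rejecting the whole DOCTYPE rather than only external entities also closes internal-subset tricks such as entity expansion, which is why the handler fires on the declaration itself instead of inspecting individual entities.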

A tool called XXEScanner, which helps to gain critical information from the server, perform scans and execute attacks on the victim host or backend, will be released as part of the OWASP-EAS project.

Alexander Polyakov

Alexander Polyakov, aka @sh2kerr, is CTO at ERPSCAN, head of DSecRG and architect of the ERPSCAN Security Scanner for SAP. His expertise covers the security of enterprise business-critical software such as ERP, CRM, SRM, RDBMS, banking and processing software. He is the manager of OWASP-EAS (an OWASP subproject) and a well-known security expert on the enterprise applications of vendors such as SAP and Oracle, who has published a significant number of the vulnerabilities found in these vendors' applications. He is the author of multiple whitepapers devoted to information security research and of the book Oracle Security from the Eye of the Auditor: Attack and Defense (in Russian). He is also one of the contributors to the Oracle with Metasploit project. Alexander has spoken at international conferences such as BlackHat, HITB (EU/ASIA), Source, DeepSec, CONFidence and Troopers.

Dmitry Chastuhin

Dmitry Chastuhin is a student of St. Petersburg State Polytechnic University, computer science department, and works on SAP security, particularly on Web applications and JAVA systems. He has official acknowledgements from SAP for the vulnerabilities he found. Dmitry is also a Web 2.0 and social network security geek who found several critical bugs in Yandex services (Russia's largest search engine), Google and Vkontakte (vk.com), Russia's largest social network. He is a contributor to the OWASP-EAS project. He has spoken at the following conferences: Hack in the Box and BruCON. He actively participates in the life of the Russian Defcon Group.
