SAP RCE: The Agent Who Spoke Too Much

Abstract

1. Introduction

A quick introduction of the presenter, followed by an overview of SAP applications, SAP Solution Manager (SOLMAN) and the SAP SMDAgent (Diagnostics Agent), and why each of these components matters for the security of an SAP landscape.

2. Why did we look at this component?

In this brief overview, we show that one of the most security-sensitive files of this component is, by default, merely base64-encoded rather than encrypted. That was the first hint that the application deserved a deeper look.

3. Authentication Bypass

Just after startup, the Agent initiates communication with SOLMAN.
In this section we describe a way to hijack this communication by brute-forcing protocol fields that are derived from the current time. An unauthenticated remote attacker could then invoke any Agent function over this channel.

4. OS Command Whitelist Bypass

One of the Agent's functions, called 'remoteOS', allows an authenticated SOLMAN user to remotely execute an OS command on an Agent host as the Agent administrator user. This function only accepts a predetermined set of OS commands and additionally blacklists some characters. We will describe how an attacker could bypass both protections and execute arbitrary commands.
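The general weakness behind a "predetermined commands plus blacklisted characters" filter is that the command line is still handed to a shell, so any shell metacharacter the blacklist forgot reaches the interpreter. The following is an added illustration, not the SMDAgent's code and not the specific bypass presented in the talk (the exact characters involved are not stated here). `weak_is_allowed`, `weak_run`, `ALLOWED_COMMANDS` and `BLACKLISTED_CHARS` are hypothetical names modelling such a filter; `safe_run` shows the hardened pattern of executing an argv list without a shell and validating each argument.

```python
import re
import shlex
import subprocess

# Hypothetical allowlist of command names and a hypothetical (incomplete)
# character blacklist, modelled on the filter pattern described above.
ALLOWED_COMMANDS = {"echo", "df", "uptime"}
BLACKLISTED_CHARS = set(";|&`$<>")

# Arguments for the hardened dispatcher: a conservative charset, no leading
# dash (prevents option injection into the allowed binary).
SAFE_ARG = re.compile(r"^[A-Za-z0-9_./:=-]+$")


def weak_is_allowed(cmdline: str) -> bool:
    """Weak filter: first word must be allowlisted and no blacklisted char present.

    It never sees the newline character, which /bin/sh treats as a command
    separator, so 'echo hi\\necho injected' passes."""
    first_word = cmdline.split(" ", 1)[0]
    return first_word in ALLOWED_COMMANDS and not (set(cmdline) & BLACKLISTED_CHARS)


def weak_run(cmdline: str) -> str:
    """Vulnerable pattern: string passed through a shell after the weak check."""
    if not weak_is_allowed(cmdline):
        raise PermissionError("command rejected by filter")
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout


def safe_argv(cmdline: str):
    """Tokenize without a shell and validate every token.

    Returns the argv list, or None when the request must be refused."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None  # unbalanced quotes etc.
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return None
    for arg in argv[1:]:
        if arg.startswith("-") or not SAFE_ARG.match(arg):
            return None
    return argv


def is_safe_request(cmdline: str) -> bool:
    return safe_argv(cmdline) is not None


def safe_run(cmdline: str) -> str:
    """Hardened pattern: argv list, no shell, validated arguments."""
    argv = safe_argv(cmdline)
    if argv is None:
        raise PermissionError("command rejected")
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "echo hi\necho injected"   # constructed sample request
    print("weak filter accepts payload:", weak_is_allowed(payload))
    print("weak_run output:", repr(weak_run(payload)))   # second command executed
    print("safe_run output:", repr(safe_run(payload)))   # newline is just whitespace
```

Run it and the newline payload yields two executed commands through `weak_run`, while `safe_run` tokenizes the same string into a single `echo` invocation with four arguments. The point is not the particular character: a blacklist is always a guess at what the shell will interpret, whereas an argv-only dispatcher removes the shell from the picture entirely.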

5. Privilege Escalation to the complete SAP landscape

The Agent stores several critical SOLMAN credentials in an encrypted configuration file. We will explain and demonstrate how an attacker could decrypt this file, and how the recovered credentials could be misused to eventually obtain SAP administrator privileges on every SAP system connected to the SAP Solution Manager.

Demo #1: Full-chain attack, in which a remote attacker bypasses authentication, executes an OS command, then decrypts the configuration file to exfiltrate SOLMAN credentials.

6. Tampering with the SOLMAN Security Report

SAP Solution Manager provides many technical features for SAP administrators. One of them, 'System Recommendations', automatically calculates the missing security patches for all SAP systems in the landscape. As a real post-exploitation example, we will explain how an attacker, using the vulnerabilities shown above, could trick this feature into no longer reporting missing critical security patches.

Demo #2: Hiding hundreds of security patches from the SOLMAN report.

7. Silencing the Agent

We will provide details on all the relevant patches (CVE-2019-0330, CVE-2019-0318, CVE-2019-0307, CVE-2019-0291) and describe configuration recommendations that mitigate the presented vulnerabilities, so organizations can protect their SAP landscape against these threats.

8. Conclusions

We will close with conclusions on how to address cybersecurity for SAP applications across the enterprise, followed by thanks and questions from the audience.

LOCATION: TRACK 1

DATE: July 26, 2020

TIME: 04:00 PM - 05:00 PM (GMT +8)

Yvan GENUER
