Hacking SAP CRM by chaining 2 vulnerabilities in SAP NetWeaver AS Java

Pierluigi Paganini March 16, 2018

Security experts at ERPScan explained that chaining 2 flaws recently patched it is possible to hack SAP CRM systems and access sensitive data.

Security experts at ERPScan discovered that chaining the exploits for two security vulnerabilities in SAP NetWeaver Application Server Java patched last month, an attacker can hack customer relationship management (CRM) systems.

CRMs are critical systems in business that are used to manage sensitive data such as clients’ personal information, prices, contact points.

The flaws are a directory traversal issue and a log injection vulnerability, their combination could lead to information disclosure, privilege escalation, and full compromise SAP CRM installations.

The flaws considered singularly are not particularly severe, they received CVSS Base Scores v.3 respectively of 6.3 and 7.7.

“The security researchers at ERPScan identified directory traversal and log injection vulnerabilities in the solution. The two issues in combination lead to information disclosure, privilege escalation, and complete SAP systems compromise. The two vulnerabilities can wreak havoc in any company running SAP CRM.” explained Vahagn Vardanyan, senior security researcher of ERPScan.

SAP flaw

According to ERPScan, there are more than 500 vulnerable SAP CRM systems exposed online.

The experts provided details about the full attack scenario is that is composed of the following steps:

  1. An attacker uses the first directory traversal vulnerability to read administrator credentials in an encrypted form.
  2. He or she decrypts the credentials since the algorithm is known and the key is stored in the same directory. More about decrypting SecStore can be found here.
  3. The attacker logs in SAP CRM portal.
  4. The attacker exploits another directory traversal vulnerability and changes SAP log file path to the web application root path.
  5. Finally, using special request, he or she can inject a malicious code (a web-shell) into the log file and call it anonymously from a remote web server.

ERPScan shared details of the vulnerabilities with SAP helping it for the development of the security patches.

ERPScan researchers disclosed details of the vulnerabilities during a talk at the Troopers security conference. The researchers explained how remote attackers can chain the flaws read any file on unpatched SAP CRM without authentication.

SAP urged customers to apply the updates, further info is available on a website published by ERPScan.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – SAP CRM, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment