An Unauthenticated Journey to Root: Pwning Your Company's Enterprise Software Servers

Conference: BlackHat USA 2020

2020-08-05

Summary

A vulnerability in SAP Solution Manager allows unauthenticated users to perform remote code execution with the privileges of the TAADM user. The presentation emphasizes the importance of securing SAP Solution Manager and covers how such attacks can be prevented.
  • The vulnerability allows unauthenticated remote code execution with the privileges of the TAADM user
  • The demonstrated attack chain consists of gathering information from the SMD agents, modifying the emenable property, uploading a script that achieves remote code execution, and executing it
  • An anecdote illustrates the vulnerability and the ease of exploitation
  • The talk emphasizes securing SAP Solution Manager and how to prevent this kind of attack
The presentation includes a demo in which an attacker compromises all SMD agents connected to a Solution Manager with nothing more than network access and no authentication. The attacker obtains a reverse shell from every exploited system connected to the SAP Solution Manager, regardless of whether it runs Linux or Windows.

Abstract

Often Fortune 1000 companies consist of a plethora of software, hardware, vendors, and solutions all operating to keep the business running and alive. With all this complexity, there is often a single vendor that's common amongst them all: SAP. SAP's software relationship with the enterprise is well established, often responsible for processing billions of dollars, but with such a vital role in business, what would the impact be if serious flaws were exploited? At the heart of every SAP deployment there is always one core mandatory product that's connected to many other systems: the SAP Solution Manager (SolMan). Think of this as what Active Directory is for Windows networks. Given the criticality of this component, the Onapsis Research Labs conducted a thorough security assessment of SolMan to understand the threat model, how attackers could compromise it and how customers should protect themselves. The results were overwhelming. From unauthenticated HTTP access, an attacker would be able to compromise all systems in the SAP landscape. Furthermore, chaining a series of vulnerabilities, it would be possible to get reliable root access not only in the attacked core system, but also in all satellites connected to it.

The aim of this presentation is to show the journey we took while researching SolMan, a journey that included binary and Java application analysis, understanding how SolMan worked as well as how we identified exploitation methods that could be used by rogue parties to attack it. By talking about this journey, we hope attendees can use our experience to tackle similar projects where little, or no, information is available about how complex components work. Finally, we'll explain in detail not only how these issues were fixed by SAP, but also what you can do in terms of detecting and preventing these kinds of threats at your organization.
