Internal Server Error: Exploiting Inter-Process Communication in SAP's HTTP Server

The presentation discusses the exploitation of vulnerabilities in SAP's HTTP server, which is present in all SAP installations and handles all HTTP requests and responses. The vulnerabilities allow for remote exploitation and complete compromise of any SAP installation.

• SAP's HTTP server, the Internet Communication Manager (ICM), is present in all SAP installations and handles all HTTP requests and responses
• Two memory corruption vulnerabilities, CVE-2022-22536 and CVE-2022-22532, were found in the ICM and allow for remote exploitation and complete compromise of any SAP installation
• The first vulnerability allows for hijacking of all clients' accounts and the second vulnerability allows for tampering of messages belonging to other TCP connections and obtaining remote code execution
• The vulnerabilities were addressed by the US Cybersecurity and Infrastructure Security Agency and SAP released security notes and a manual workaround
• HTTP servers are great targets for attackers and reverse engineering them is easier than one might think
• It is possible to escalate low-level vulnerabilities using advanced exploitation techniques

The presentation demonstrated how to leverage the vulnerabilities to hijack every user's account with advanced HTTP Smuggling and take control of all responses using Cache Poisoning and Response Splitting theory. A new technique was introduced to take over a system, even in an 'impossible to exploit' scenario - without a proxy. This included a demo of the first desync botnet, using nothing more than JavaScript and Response Smuggling concepts.

More than 400,000 organizations, including 90% of Fortune 500 companies, rely on SAP's software to keep their business up and running. At the core of every SAP deployment is the Internet Communication Manager (ICM), the piece of software in charge of handling all HTTP requests and responses.This talk will demonstrate how to leverage two memory corruption vulnerabilities found in SAP's proprietary HTTP Server, using high-level protocol exploitation techniques. Both techniques, CVE-2022-22536 and CVE-2022-22532, were remotely exploitable and could be used by unauthenticated attackers to completely compromise any SAP installation on the planet. First, by escalating an error in the HTTP request-handling process, this presentation will show how to desynchronize ICM data buffers and hijack every user's account with advanced HTTP Smuggling. Furthermore, as the primitives of this vulnerability do not rely on parsing errors, a new technique will be introduced to take over a system, even in an "impossible to exploit" scenario - without a proxy! This will include a demo of the first desync botnet, using nothing more than JavaScript and Response Smuggling concepts.Next, this talk will examine a Use After Free vulnerability in the shared memory buffers used for Inter-Process Communication. By exploiting an incorrect deallocation, it was possible to tamper messages belonging to other TCP connections and take control of all responses using Cache Poisoning and Response Splitting theory. Finally, as the affected buffers are also used to contain Out Of Bounds data, a method to corrupt address pointers and obtain Remote Code Execution will be explained.The Internet Communication Manager Advanced Desync (ICMAD) vulnerabilities were addressed by the US Cybersecurity and Infrastructure Security Agency, as well as CERTs from all over the world, proving the tremendous impact they had on enterprise security.