Just recently, reports of a banking Trojan modified to look for SAP GUI (graphical user interface) installations reignited discussion about vulnerabilities impacting SAP ERP (enterprise resource planning) systems.
Hoping to build on the awareness, researchers at Rapid7 released a paper outlining how its Metasploit tool can be used to perform penetration tests on ERP systems.
“As criminals get smarter about ERP systems, I have no doubt they’ll use that to their advantage,” said Todd Beardsley, Metasploit Engineering Manager at Rapid7. “This is why we’re trying to educate legit security practitioners; the existence of a Trojan that targets SAP directly says that at least someone in the criminal underground already knows a thing or two about SAP, so Metasploit is striving to level the playing field between attackers and defenders.”
As part of its research, Rapid7 discovered approximately 3,000 SAP systems directly exposed to the Internet. Systems covered by SAP run the gamut from ERP to customer relationship management (CRM) and product lifecycle management (PLM) systems, Rapid7 noted, meaning that comprising them could spell disaster.
Oftentimes, attackers will try to get access to SAP systems through a compromised host on the target network; for example compromising a desktop computer through a spear-phishing email. In the report, Rapid7 runs through a number of attack vectors, such as attacking SOAP (Simple Object Access Protocol) remote function calls and bruteforcing the SAP Web GUI login with Metasploit.
“It is hard to imagine any type of important data that is not stored and processed in these systems,” according to the report. “Targeting SAP systems should therefore be part of every penetration test that simulates a malicious attack on an enterprise to mitigate espionage, sabotage and financial fraud risks. The challenge is that many penetration testers are more familiar with operating systems, databases, and web applications, so descending into the world of SAP systems can be daunting.”
Many of the vulnerabilities Rapid7 sees are related to abusing functions of the SAP platform in order to get profit and or abuse configuration issues and weaknesses, explained Juan Vazquez, Rapid7 Exploit Developer. Similar to other big software, there are also issues related to programming errors when handling input, like buffer overflows, he added.
“SAP is complex software that’s often treated like a black box from a security perspective; we believe that very few security organizations have a firm grasp on their SAP infrastructure,” Beardsley noted. “That’s why we wrote the paper in the first place, to educate both pen-testers and users of this software to these rather large question marks.”