SAP Security In-Depth


The Invoker Servlet: A Dangerous Detour into SAP Java solutions
by Mariano Nuñez Di Croce & Jordan Santarsieri

Vol. 4 / July 2011

Abstract

SAP Application Servers Java, supported by the J2EE Engine, serve as the base framework for running critical solutions such as the SAP Enterprise Portal, SAP Exchange Infrastructure (XI), SAP Process Integration (PI) and SAP Mobile Infrastructure (MI). Furthermore, customers can also deploy their own custom Java applications on these platforms. In December 2010, SAP released an important white-paper describing how to protect these applications against common attacks. Among the security concepts detailed, one was particularly critical: the Invoker Servlet. This functionality introduces several threats to SAP platforms, including the possibility of completely bypassing the authentication and authorization mechanisms. This publication analyzes the Invoker Servlet Detour attack, identifying the root cause of the threat, how to verify whether your platform is exposed and how to mitigate it, effectively protecting your business-critical information against cyber attacks.

© 2011 Onapsis SRL. All Rights Reserved.

No portion of this document may be reproduced in whole or in part without the prior written permission of Onapsis SRL. Onapsis offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Onapsis makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards.

This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content. SAP AG and SAP Group shall not be liable for errors or omissions with respect to the materials.

What is the SAP Security In-Depth Publication?

To this day, SAP security is still regarded by most of the professional community as a synonym of Segregation of Duties (SoD) or of the security of roles and profiles. While this kind of security is mandatory and of absolute importance, there are many threats that have so far been overlooked by the Auditing and Information Security industries and that entail much higher levels of business risk.

The technological components of these business-critical solutions introduce many specific security aspects that, if not implemented appropriately, can expose the confidentiality, integrity and/or availability of the critical business information processed by these systems to information security attacks. Translating this to business terms, the failure to protect these components can leave the business information at risk of espionage, fraud and sabotage attacks.

SAP Security In-Depth is a publication led by the Onapsis Research Labs with the purpose of providing specialized information about the current and future risks in this matter, allowing all the different actors (financial managers, SAP administrators, information security managers, auditors, consultants and the general professional community) to better understand the risks involved and the techniques and tools available to assess and mitigate them.

TABLE OF CONTENTS

What is the SAP Security In-Depth Publication?
Executive Summary
1. Introduction
2. SAP Java Applications basics
3. Introduction to the Invoker Servlet
4. SAP Invoker Servlet Detour Attacks
5. Which could be the real-world impact?
6. Countermeasures
7. Conclusions

EXECUTIVE SUMMARY

While the SAP Security In-Depth publication delves into highly technical security aspects of these platforms, we consider it important to provide Management-level officers with an executive summary, in non-technical language, of the most outstanding concepts and risks presented in this volume.

Key concepts analyzed in this edition:

• Several critical standard SAP and custom applications are supported by Java Application Servers.
• In December 2010, SAP released a new white-paper [1] describing how to protect these platforms against attacks. This white-paper is a must-read for any SAP security professional.
• One of the presented security measures is related to a critical security vulnerability whose exploitation (code-named the Invoker Servlet Detour attack) can result in severe business attacks.
• This edition analyzes the root cause of this vulnerability and how to identify and mitigate it.

Key findings and risks:

• Customers have traditionally focused on securing ABAP-based SAP systems. The security of SAP Java platforms is equally important and must be tightly enforced.
• The root cause and impact of the Invoker Servlet vulnerability were not clear to many customers, who needed a more in-depth analysis to better understand and manage the existing risks.
• Invoker Servlet Detour attacks may allow remote, malicious hackers to bypass authentication mechanisms and perform unauthorized business activities on vulnerable SAP systems.

[1] http://service.sap.com/~form/sapnet?_SHORTKEY=01100035870000733716&_SCENARIO=01100035870000000202&

1. INTRODUCTION

In December 2010, SAP released a white-paper titled SAP Security Recommendations: Protecting Java- and ABAP-based SAP Applications against common attacks. Unlike the previous issue released in September 2010 [2], which only outlines security recommendations for ABAP-based SAP systems [3], this latest document also covers the protection of one of the other fundamentals of SAP platforms: Java-based solutions.

This highly important document describes a set of "measures SAP strongly recommends that its customers apply to enhance the level of security with respect to certain common attack types". As a leading collaborator in discovering and solving vulnerabilities in SAP systems, Onapsis followed up on the release of this white-paper over the following months, helping several customers to comply with the required measures in order to keep their systems protected against the latest threats. Among these requirements, there was one in particular that many customers and security professionals were failing to properly understand: the vulnerability related to the Invoker Servlet.

Over the last decade, SAP has adopted and extended the J2EE standard to support its business applications. Nowadays, several widely-used SAP solutions require the deployment of SAP Application Servers Java, whose core engine is known as the SAP J2EE Engine. Some examples include SAP Enterprise Portal (EP), SAP Exchange Infrastructure (XI), SAP Process Integration (PI) and SAP Mobile Infrastructure (MI). These solutions serve different needs, such as working as front-ends to the back-end SAP ABAP systems and/or handling critical functionality such as interfaces with banking, tax, logistics, sales or payment-related external systems. Apart from the sensitive out-of-the-box functionality provided by these solutions, customers and third parties also develop and run their own J2EE applications on top of these platforms.

The present publication has the goal of providing an in-depth analysis of this security threat, enabling a proper understanding of how to detect, assess and mitigate Invoker Servlet Detour attacks, to better protect customers' SAP platforms against real-world threats.

[2] https://websmp203.sap-ag.de/~sapdownload/011000358700000968282010E/SAP-SecRec.pdf
[3] Onapsis X1 is the first solution to automatically check for compliance with these guidelines. For more information check http://www.onapsis.com/x1

2. SAP JAVA APPLICATIONS BASICS

In order to understand the vulnerability exploited by the Invoker Servlet Detour attack, it is first necessary to become familiar with certain aspects of the configuration of SAP Java applications. Just like standard J2EE applications, SAP Java applications are configured through a web.xml file. This file declares, among other things, the servlets in use in the application, how they are mapped for user access and the security constraints around them.

As an example, the following excerpt of a web.xml file specifies part of the configuration of an application which serves some public content freely, but wishes to restrict access to certain private functionality to a group of Administrators only:

  ...
  <servlet>
    <servlet-name>privateServlet1</servlet-name>
    <servlet-class>com.company.privateServlet1Interface</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>publicServlet2</servlet-name>
    <servlet-class>com.company.publicServlet2Interface</servlet-class>
  </servlet>
  ...
  <servlet-mapping>
    <servlet-name>privateServlet1</servlet-name>
    <url-pattern>/private</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>publicServlet2</servlet-name>
    <url-pattern>/public</url-pattern>
  </servlet-mapping>
  ...
  <security-constraint>
    <display-name>rd</display-name>
    <web-resource-collection>
      <web-resource-name>rd</web-resource-name>
      <url-pattern>/private/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>Administrators</description>
      <role-name>administer</role-name>
    </auth-constraint>
  </security-constraint>
  ...

Table 1: Sample Java application

As shown in the file, there is one servlet called privateServlet1. This servlet has its own class (servlet-class attribute) and is mapped to a specific URL (url-pattern attribute). The security-constraint section defines on which specific URL (url-pattern attribute) the authorization check is to be performed. In this scenario, the SAP Application Server Java will demand that any client that tries to connect to the /private mapping has the administer role (mapped internally to a real SAP role). Otherwise, access will be denied.

Therefore, if an anonymous attacker tries to access the application using the defined URL mapping (http://sap-server/appname/private), he will be required to enter authentication credentials:

Picture 1: Security constraint working properly

3. INTRODUCTION TO THE INVOKER SERVLET

The SAP J2EE Engine has a wide set of built-in functionality, providing a comprehensive framework of libraries and services to support the development and deployment of Java applications. One of these functionalities is the Invoker Servlet, a convenience feature that many J2EE web containers of that era implemented (it is a container convention rather than a mechanism mandated by the J2EE specification itself). In the SAP J2EE Engine it is implemented in the InvokerServlet class, which is part of the Web container.

It was conceived as a rapid-development instrument, allowing developers to test their custom Java applications without the need to declare them in the web.xml file. Therefore, using the Invoker Servlet, it is possible to call a servlet by its name (which is declared in the web.xml) or by its fully qualified servlet class name (for which no declaration in web.xml is necessary).

The security implications of this functionality in SAP systems are explained in the following section.

4. SAP INVOKER SERVLET DETOUR ATTACKS

The Invoker Servlet functionality introduces several security threats to SAP Java applications, which are described below.

4.1. Execution of Arbitrary Servlets

It would be possible for an attacker to call arbitrary servlets, even though they have not been declared in the application's web.xml file. This includes any servlet class that is available to the application classloader, such as the classes located in the WEB-INF\classes, WEB-INF\lib and WEB-INF\additionallib application directories. Many of the servlets shipped in a Java application have not been designed for direct client access, but for internal interaction within the application. Therefore, the possibility of performing arbitrary calls to them can result in unforeseen actions on the SAP server.

4.2. Exploitation of Non-initialized Servlet Parameters

For each servlet, the web.xml can also define parameters that are initialized by the SAP J2EE Engine Web container when the servlet is loaded. The problem is that this automatic initialization takes place only if the servlet is called through its defined URL mapping or its name (servlet-name attribute). If the servlet is called through its fully-qualified class name instead, it is instantiated without the parameters being initialized. This situation can lead to unforeseen security impacts.

In order to illustrate this point, consider the following sample servlet, which handles payments for an external banking interface. To speed up the project's testing, the servlet's developer included a special parameter to avoid validating the source account identity during internal QA. Of course, when the application is deployed to production, the parameter is initialized properly:

  <servlet>
    <servlet-name>DoPaymentServlet</servlet-name>
    <servlet-class>com.company.DoPaymentServlet</servlet-class>
    <init-param>
      <param-name>validate_source_account</param-name>
      <param-value>True</param-value>
    </init-param>
  </servlet>

Table 2: Servlet with initialization parameters

If an attacker performs an Invoker Servlet Detour attack against this application, accessing the /appname/servlet/com.company.DoPaymentServlet URL, the validate_source_account parameter will not be initialized to True as it was defined in the web.xml file. Depending on how the application's code handles the initial value for this parameter (for instance, treating a missing value as "do not validate"), it might be possible for the attacker to abuse this situation and perform fraudulent payments.

4.3. Authentication Bypass in SAP Java Applications

While the previously described security threats must not be underestimated, the Invoker Servlet vulnerability introduces an even greater security threat to SAP platforms. According to the security-constraint configured in the sample application presented in Table 1, an authentication and authorization check is performed if a client wants to access anything matching the /private/* virtual mapping. However, the security constraint applies only when the requested URL matches /private/*; it is bound to the path, not to the servlet.

Through an Invoker Servlet Detour attack, an attacker would access the servlet via its fully-qualified servlet class name, using the following URL:

http://sap-server/appname/servlet/com.company.privateServlet1Interface

The problem is that, as no security constraint matching "/servlet/..." is defined (and supposing that privateServlet1 is not performing a programmatic authorization check), the attacker would be able to execute the privateServlet1 servlet, effectively bypassing the SAP Java authentication and authorization mechanism. Calling the servlet by its declared name (/appname/servlet/privateServlet1) sidesteps the constraint in the same way, since that path does not match /private/* either.

Picture 2: Authentication Bypass through an Invoker Servlet Detour attack
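The following script is an added example written for this edition (it is not code from the original paper or from SAP) that makes the point of sections 4.2 and 4.3 concrete on the descriptors of Tables 1 and 2. It parses a web.xml, reproduces the URL-pattern matching that the Servlet specification prescribes for security constraints, and reports, per servlet, whether its declared mapping is protected, whether the /servlet/<fully-qualified class> detour is protected, and which init-params would be left unset on a by-class call. Assumptions: the invoker is reachable under the /servlet/ prefix, the two fictitious descriptors are merged into one constructed web-app, and the deny-all constraint on /servlet/* is shown only to illustrate why the constraint is path-bound; it is defence in depth, not the fix the paper recommends (disabling the invoker, section 6).

```python
"""Static check of a web.xml for Invoker Servlet exposure (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the two fictitious descriptors from Tables 1 and 2 merged.
SAMPLE_WEB_XML = """<web-app>
  <servlet><servlet-name>privateServlet1</servlet-name>
    <servlet-class>com.company.privateServlet1Interface</servlet-class></servlet>
  <servlet><servlet-name>publicServlet2</servlet-name>
    <servlet-class>com.company.publicServlet2Interface</servlet-class></servlet>
  <servlet><servlet-name>DoPaymentServlet</servlet-name>
    <servlet-class>com.company.DoPaymentServlet</servlet-class>
    <init-param><param-name>validate_source_account</param-name>
      <param-value>True</param-value></init-param></servlet>
  <servlet-mapping><servlet-name>privateServlet1</servlet-name>
    <url-pattern>/private</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>publicServlet2</servlet-name>
    <url-pattern>/public</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>rd</web-resource-name>
      <url-pattern>/private/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>administer</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Deny-all constraint (empty <auth-constraint/>) on the assumed invoker prefix.
# Defence-in-depth illustration only; the paper's fix is to disable the invoker.
DENY_INVOKER = """<security-constraint>
  <web-resource-collection><web-resource-name>no-invoker</web-resource-name>
    <url-pattern>/servlet/*</url-pattern></web-resource-collection>
  <auth-constraint/>
</security-constraint>"""

INVOKER_PREFIX = "/servlet/"  # assumed default invoker mapping


def pattern_matches(pattern, path):
    """URL matching as the Servlet spec defines it for security constraints."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):                       # path-prefix pattern
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                     # extension pattern
        return path.endswith(pattern[1:])
    return path == pattern                           # exact pattern


def parse_web_xml(text):
    root = ET.fromstring(text)
    for el in root.iter():                           # drop any xmlns prefix
        el.tag = el.tag.split("}", 1)[-1]
    servlets = {}
    for s in root.iter("servlet"):
        servlets[s.findtext("servlet-name")] = {
            "class": s.findtext("servlet-class"),
            "init_params": [p.findtext("param-name") for p in s.iter("init-param")],
            "mappings": []}
    for m in root.iter("servlet-mapping"):
        entry = servlets.get(m.findtext("servlet-name"))
        if entry is not None:
            entry["mappings"].append(m.findtext("url-pattern"))
    # Only constraints that carry an <auth-constraint> restrict access.
    protected_patterns = [p.text for sc in root.iter("security-constraint")
                          if sc.find("auth-constraint") is not None
                          for p in sc.iter("url-pattern")]
    return servlets, protected_patterns


def is_protected(path, patterns):
    return any(pattern_matches(p, path) for p in patterns)


def analyze(text):
    """Per servlet: is the declared URL protected, and is the detour URL?"""
    servlets, patterns = parse_web_xml(text)
    report = {}
    for name, info in servlets.items():
        detour = INVOKER_PREFIX + info["class"]
        mapped_protected = any(is_protected(m, patterns) for m in info["mappings"])
        detour_protected = is_protected(detour, patterns)
        report[name] = {
            "detour_url": detour,
            "auth_bypass": mapped_protected and not detour_protected,
            # Table 2 case: init-params are set only on a by-mapping/by-name call,
            # so a reachable by-class detour runs the servlet with them unset.
            "uninitialized_params": [] if detour_protected else info["init_params"],
        }
    return report


def with_deny_all_invoker(text):
    return text.replace("</web-app>", DENY_INVOKER + "</web-app>")


if __name__ == "__main__":
    for label, xml in (("as shipped", SAMPLE_WEB_XML),
                       ("with /servlet/* denied", with_deny_all_invoker(SAMPLE_WEB_XML))):
        print(label)
        for name, r in analyze(xml).items():
            print(f"  {name:18} bypass={r['auth_bypass']!s:5} "
                  f"uninit={r['uninitialized_params']} via {r['detour_url']}")
```

Running it against the merged descriptor reports privateServlet1 as bypassable (its /private mapping is protected, its /servlet/com.company.privateServlet1Interface detour is not) and DoPaymentServlet as reachable with validate_source_account unset; with the deny-all /servlet/* constraint appended, both findings disappear, which is exactly the path-bound nature of the constraint that section 4.3 describes.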

5. WHICH COULD BE THE REAL-WORLD IMPACT?

In this document, fictitious Java applications have been used to provide an in-depth understanding of Invoker Servlet Detour attacks. However, just as the security constraints in these applications could be bypassed by a malicious attacker, the same could happen to many of the standard SAP applications running on vulnerable SAP Application Servers Java, such as SAP Enterprise Portal, XI, PI and MI systems. This means that, if the systems are not properly protected, it would be possible for malicious attackers to bypass authentication mechanisms in critical components, and possibly perform espionage, sabotage and fraud attacks against the business-critical information and processes managed by them.

6. COUNTERMEASURES

It is strongly recommended to disable the Invoker Servlet to protect your systems against these attacks. In order to do so, the following steps must be followed:

1. Update to the latest patch level for your SAP platform. For more information, please check SAP Note 1445998.
2. Disable the Invoker Servlet functionality by changing the value of the "EnableInvokerServletGlobally" property of the servlet_jsp service on the server nodes to False.
3. If you are using SAP NetWeaver Portal, please check SAP Note 1467771.
4. If any of your existing applications require the use of the Invoker Servlet feature, please check the official SAP white-paper.

The SAP Invoker Servlet has been disabled by default in SAP NetWeaver 7.20 (see the SP Patch level section in SAP Note 1445998 for more details) and in the initial shipment of SAP NetWeaver 7.30.
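To verify that the countermeasures above actually took effect, a black-box check is to request a servlet's declared, protected mapping and then the /servlet/<class> detour to the same servlet, and compare the two responses. The script below is an added example for this edition (not code from the paper or from SAP) that does exactly that with the standard library and classifies the outcome: the detour answering 404 means the invoker is off or the class is unknown; a 200 on the detour while the mapping demands authentication is the bypass of section 4.3. Host, port, application path and class name are placeholders, the logon-page markers used to recognise a form-based logon redirect are an assumption, and the sample responses are constructed so the logic can be exercised offline. Run it only against systems you are authorised to test.

```python
"""Remote check for an exposed Invoker Servlet (added example, not the paper's code)."""
import urllib.error
import urllib.request

# Assumed hints that a response is a logon page rather than the servlet itself.
LOGON_MARKERS = ("logon", "login", "j_security_check")


def fetch(url, timeout=10):
    """Return (status, Location header, body snippet) without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None                      # surface 3xx as an HTTPError instead
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location", ""), resp.read(2048).decode("latin-1")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location", ""), e.read(2048).decode("latin-1")


def demands_auth(status, location, body):
    """True if the response is a challenge, a logon redirect or an inline logon form."""
    if status in (401, 403):
        return True
    if status in (301, 302, 303, 307) and any(m in location.lower() for m in LOGON_MARKERS):
        return True
    return status == 200 and any(m in body.lower() for m in LOGON_MARKERS)


def classify(mapped, detour):
    """mapped/detour are (status, location, body) tuples for the two URLs."""
    mapped_auth = demands_auth(*mapped)
    detour_status = detour[0]
    if detour_status == 404:
        return "invoker disabled or class not found"
    if demands_auth(*detour):
        return "detour path also protected"
    if detour_status == 200 and mapped_auth:
        return "VULNERABLE: constraint bypassed via invoker"
    if detour_status == 200 and not mapped_auth:
        return "invoker enabled (servlet public anyway)"
    return f"inconclusive (detour HTTP {detour_status})"


def check(base_url, app, mapping, servlet_class, fetcher=fetch):
    """Compare the declared mapping with the /servlet/<class> detour to it."""
    mapped_url = f"{base_url}/{app}{mapping}"
    detour_url = f"{base_url}/{app}/servlet/{servlet_class}"
    return classify(fetcher(mapped_url), fetcher(detour_url))


# Constructed responses standing in for a vulnerable server (no network needed).
# Port 50000 is a placeholder for the J2EE HTTP port.
FAKE_RESPONSES = {
    "http://sap-server:50000/appname/private": (401, "", ""),
    "http://sap-server:50000/appname/servlet/com.company.privateServlet1Interface":
        (200, "", "<html>admin console</html>"),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, "", ""))


if __name__ == "__main__":
    print(check("http://sap-server:50000", "appname", "/private",
                "com.company.privateServlet1Interface", fake_fetch))
```

Swap fake_fetch for the default fetch to run it against a real host; after the invoker has been disabled, every detour URL should fall into the "invoker disabled" branch regardless of how the mapped URL responds.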

7. CONCLUSIONS

Protecting SAP Java Application Servers is critical for the overall security of the SAP platform. These systems have a completely different security architecture from ABAP systems, and it is therefore necessary to understand them deeply in order to be protected against the real-world threats that could result in severe attacks on the business.

This document has focused on only one of these threats, the Invoker Servlet Detour attack, providing an in-depth analysis of the root cause of the vulnerability being exploited, the possible impacts for the business and how to mitigate it. A comprehensive assessment of all the security threats affecting these platforms was out of the scope of this document and will be covered in a future publication.

It is highly critical to analyze whether your platform is affected by this vulnerability. By following the recommendations presented in this publication it is possible to decrease the probability of attacks in this area, raising the overall security level of the platforms and reducing business risks.

In this sense, Onapsis X1 Enterprise [4], the first and only SAP-certified Security Assessment solution for SAP NetWeaver, can be of great help in automatically evaluating your entire platform, detecting vulnerable systems and providing detailed mitigation activities.

For further information on this subject or to request specialized assistance, feel free to contact Onapsis at info@onapsis.com.

[4] http://www.onapsis.com/x1

About Onapsis X1

Onapsis X1™ is the industry's first comprehensive solution for the automated security assessment of ERP systems and business-critical infrastructure, currently supporting SAP® NetWeaver™ and R/3® business solutions. Being the first and only SAP-certified Security Assessment solution, Onapsis X1 lets you perform automated IT Security & Compliance Audits, Vulnerability Assessments and Penetration Tests over your SAP platform.

Onapsis X1 Enterprise automatically discovers and remotely connects to every SAP system in your organization and detects the growing number of security risks that can result in espionage, sabotage and fraud attacks on your critical business information. As a result, you are provided with a wide range of actionable reports that allow you to mitigate existing risks appropriately. Furthermore, through our exclusive BizRisk Illustrator™ technology, Onapsis X1 Consulting Pro enables you to safely and easily demonstrate the real business risks of the existing technical weaknesses.

Using Onapsis X1 you can decrease financial fraud risks, enforce compliance requirements and reduce audit costs drastically. Get more information at www.onapsis.com/x1

About ONAPSIS

Onapsis is the leading provider of solutions for the security of ERP systems and business-critical infrastructure. Through different innovative products and services, Onapsis helps its global customers to effectively increase the security level of their core business platforms, protecting their information and decreasing financial fraud risks.

Onapsis is built upon a team of world-renowned experts in the SAP security field, with several years of experience in the assessment and protection of critical platforms for world-wide customers, such as Fortune-100 companies and governmental entities.

Onapsis X1 is the industry's first comprehensive solution for continuous ERP security assessment, currently supporting SAP platforms. Through Onapsis X1 customers can decrease business fraud risks, enforce compliance requirements and reduce audit costs drastically.

For further information about our solutions, please contact us at info@onapsis.com or visit www.onapsis.com.

© 2011 Onapsis SRL. All Rights Reserved. Subject to Terms of Use available at http://www.onapsis.com/legal/terms-of-use.html. The Onapsis and Onapsis Securing Business Essentials names and logos and all other names, logos, and slogans identifying Onapsis's products and services are trademarks and service marks or registered trademarks and service marks of Onapsis SRL. All other trademarks and service marks are the property of their respective owners.
