Attacks on SAP Mobile
1. Invest in security to secure investments
Attacks on SAP Mobile
Vahagn Vardanyan, ERPScan
2. Vahagn Vardanyan
SAP and Web application researcher
Specialist degree in information security
@vah_13
3. About ERPScan
• The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP
• Leader by the number of acknowledgements from SAP (150+)
• 60+ presentations at key security conferences worldwide
• 25 awards and nominations
• Research team - 20 experts with experience in different areas of security
• Headquarters in Palo Alto (US) and Amsterdam (EU)
4. Agenda
• About SAP Mobile Platform
– SAP Control Center
– SAP SQL Anywhere services
– SAP Mobile Server
• SAP Mobile Platform vulnerabilities
– Decrypt GIOP protocol
– XXE in SAP Control Center
– CSRF in SMP 3.0
– Cassini 1.0
– SQL Anywhere BoF
– SAP EMR Unwired SQL injection
• Conclusion
19. Decrypting the SAP Mobile Platform GIOP protocol
• GIOP (General Inter-ORB Protocol) is the abstract protocol by which object request brokers (ORBs) communicate
• Uses mlsrv16.exe (MobiLink) – port 2000
20. XXE in the SAP Mobile Platform portal page
CVE-2015-2813
27. SAP Mobile Platform unauthenticated access to other servlets
• Architecture and program vulnerabilities in SAP’s J2EE engine (BlackHat USA 2011)
• web.xml files revealed hidden methods to:
– Read and generate logs
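A defender's check for the issue this slide describes, added here as an example and not part of the original deck or of any SAP or ERPScan tool: it parses a servlet deployment descriptor (web.xml) and flags every servlet url-pattern that no security-constraint with an auth-constraint covers, so "hidden" servlets reachable without authentication show up before an attacker finds them. The sample web.xml and its servlet names are constructed for illustration, and url-pattern matching is simplified to the exact, prefix and extension forms of the servlet spec.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (servlet names hypothetical; <servlet> declarations omitted for brevity).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet-mapping><servlet-name>Admin</servlet-name><url-pattern>/admin/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>LogViewer</servlet-name><url-pattern>/internal/logs</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Api</servlet-name><url-pattern>/api/*</url-pattern></servlet-mapping>
  <security-constraint><web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Administrator</role-name></auth-constraint></security-constraint>
  <security-constraint><web-resource-collection><url-pattern>/api/*</url-pattern>
    <http-method>GET</http-method></web-resource-collection>
    <auth-constraint><role-name>User</role-name></auth-constraint></security-constraint>
</web-app>"""

def _local(tag):
    """Strip the schema namespace so elements match whatever xmlns the descriptor declares."""
    return tag.rsplit('}', 1)[-1]

def _texts(elem, name):
    return [c.text.strip() for c in elem.iter() if _local(c.tag) == name and c.text]

def pattern_covers(constraint, mapping):
    """Simplified servlet-spec matching: exact, '/prefix/*' and '*.ext' patterns."""
    if constraint in (mapping, '/*'):
        return True
    if constraint.endswith('/*'):
        return mapping == constraint[:-2] or mapping.startswith(constraint[:-1])
    return constraint.startswith('*.') and mapping.endswith(constraint[1:])

def audit_web_xml(xml_text):
    """Map each servlet url-pattern to 'protected', 'partial:<methods>' or 'UNPROTECTED'."""
    root = ET.fromstring(xml_text)
    constraints = []  # (url-patterns, http-methods) of constraints that actually require auth
    for sc in root.iter():
        if _local(sc.tag) == 'security-constraint' and any(_local(c.tag) == 'auth-constraint' for c in sc):
            constraints.append((_texts(sc, 'url-pattern'), _texts(sc, 'http-method')))
    result = {}
    for sm in root.iter():
        if _local(sm.tag) != 'servlet-mapping':
            continue
        for mapping in _texts(sm, 'url-pattern'):
            status = 'UNPROTECTED'
            for patterns, methods in constraints:
                if any(pattern_covers(p, mapping) for p in patterns):
                    # Listing <http-method> protects only those verbs; every other verb stays open.
                    status = 'protected' if not methods else 'partial:' + ','.join(sorted(methods))
                    if not methods:
                        break
            result[mapping] = status
    return result
```

Calling audit_web_xml(SAMPLE_WEB_XML) reports /admin/* as protected, /internal/logs as unprotected and /api/* as protected for GET only, the last being the verb-specific gap a constraint that lists http-method elements leaves behind.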
38. SAP SQL Anywhere BoF/Code Execution
• CVE-2008-0912
– The MobiLink server is affected by a heap overflow that occurs while handling strings such as the username, version, and remote ID (all pre-auth) when they are longer than 128 bytes
• CVE-2014-9264
– Stack-based buffer overflow in the .NET Data Provider in SAP SQL Anywhere allows remote attackers to execute arbitrary code via a crafted column alias
47. Each SAP landscape is unique, and we pay close attention to the requirements of our customers and prospects. The ERPScan development team constantly addresses these specific needs and is actively involved in product advancement. If you wish to know whether our scanner addresses a particular aspect, or simply have a feature wish list, please e-mail us. We will be glad to consider your suggestions for future releases or monthly updates.
About
USA HQ: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA 94301
EU HQ: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam
www.erpscan.com
info@erpscan.com