Is it still sufficient to use the open Message Server ACL to execute operating system commands? #3

@abat-tst

Hello everyone,

I have tried to recreate your attack and bypass the SAP Gateway ACL by using the open Message Server ACL. Unfortunately, I always fail at the same point. I tried it with different systems with different release statuses.

Setup:

(1) Attacker machine (VM in VirtualBox):

  • SAP NetWeaver AS ABAP Developer Edition 7.52 SP04 on openSUSE Leap 15.0 (hereinafter referred to as attacker)
  • Hostname: vhcalnplci.mycompanydomain.de with constant IP address

(2) Victim machine (physical SAP NetWeaver):

  • SAP ECC 6.0 with Kernel Release 722 and SAP_BASIS component 700 (hereinafter referred to as victim) (but same behaviour on newer releases as well)

Test 1 (always works):

  • On the victim, the secinfo ACL is only maintained with asterisks
  • The attacker defines a TCP/IP destination on his SAP system in SM59 with the startable program sapxpg
  • Operating system commands defined in SM49 can be executed on the victim via the defined destination

Test 2 (does not work):

  • On the victim, the secinfo ACL is maintained with User-Host = internal and otherwise asterisk

  • The ACL of the victim's message server contains Host=*.

  • On the attacker's openSUSE, sap_ms_betrusted.py is executed (with slight modifications to make it run)

  • On the victim, registration as a fake gateway is successful and IP addresses and host names are successfully stored

  • SMMS: three screenshots (2024-08-19), images not reproduced here

  • SM51: one screenshot (2024-08-19), image not reproduced here

But it is not possible to execute operating system commands with SM59 and SM49 as in the first test.

Gateway Logging

Mon Aug 19 2024 15:18:48:375 secinfo denied: USER=user, USER-HOST=vhcalnplci.mycompanydomain.de (ATTACKER_STATIC_IP), HOST=victim.mycompanydomain.de (VICTIM_STATIC_IP), TP=sapxpg

Gateway Trace

GwICheckSecInfo: check tp=sapxpg, user=user         , host=*, addr=VICTIM_STATIC_IP
GwICheckSecInfo: check entry [2] tp=*, lu=*
GwICheckSecInfo: check entry [2] tp=*, addr=::, mask=::
GwICheckSecInfo: entry not found
NiHLGetHostName: found address VICTIM_STATIC_IP in cache
NiHLGetHostName: retrying to get hostname for 'VICTIM_STATIC_IP'
NiHLGetHostName: got address VICTIM_STATIC_IP from operating system
NiIGetHostName: addr VICTIM_STATIC_IP = hostname 'victim.mycompanydomain.de' (fq)
NiHLGetHostName: found address ATTACKER_STATIC_IP in cache
NiHLGetHostName: retrying to get hostname for 'ATTACKER_STATIC_IP'
NiHLGetHostName: got address ATTACKER_STATIC_IP from operating system
NiIGetHostName: addr ATTACKER_STATIC_IP = hostname 'vhcalnplci.mycompanydomain.de' (fq)

*****************************************************************************
*
*  LOCATION    SAP-Gateway on host victim.mycompanydomain.de / sapgw00
*  ERROR       user user is not authorized to start TP sapxpg on host
*              victim.mycompanydomain.de
*
*  TIME        Mon Aug 19 15:18:48 2024
*  RELEASE     722
*  COMPONENT   SAP-Gateway
*  VERSION     2
*  RC          676
*  MODULE      gwr3cpic.c
*  LINE        6929
*  COUNTER     291184
*
*****************************************************************************

GwSaveErrInfo: save err info (218)
GwICheckStartPgm: not allowed, no rule found

How can this be explained and solved?

Best regards
54ph4ck3r
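The gateway log and trace above show what the gateway actually compares before starting sapxpg: the tuple (TP, USER, USER-HOST, HOST) against the secinfo rules, where `internal` stands for the SAP system's own hosts. The Python below is an added example, not SAP's code and not the poster's sap_ms_betrusted.py: a toy model of that decision that parses the post's `secinfo denied` log line and the two secinfo variants from Test 1 and Test 2, then evaluates them with the `internal` host set supplied explicitly by the caller. It assumes first-match-wins rule order, models `internal` as a plain hostname list, and omits the real gateway's IP/mask entries and implicit local rule; the IP placeholders are the post's own, and the secinfo lines are reconstructed from the post's description, not copied from the poster's system.

```python
"""Toy model of the SAP gateway secinfo decision shown in the post's trace.

Added example, not SAP code and not the poster's script. 'internal' is
modelled as an explicit hostname list; the real gateway derives that list
from the application servers known to the message server and also handles
IP/mask entries and an implicit local rule, which this model omits.
"""
import re
from dataclasses import dataclass

# Constructed from the post's gateway log line; the IP placeholders are the post's own.
LOG_LINE = ("Mon Aug 19 2024 15:18:48:375 secinfo denied: USER=user, "
            "USER-HOST=vhcalnplci.mycompanydomain.de (ATTACKER_STATIC_IP), "
            "HOST=victim.mycompanydomain.de (VICTIM_STATIC_IP), TP=sapxpg")

# Reconstructed secinfo contents (VERSION 2 syntax) for the post's two tests.
SECINFO_TEST1 = "#VERSION=2\nP TP=* USER=* USER-HOST=* HOST=*\n"
SECINFO_TEST2 = "#VERSION=2\nP TP=* USER=* USER-HOST=internal HOST=*\n"

DENIED_RE = re.compile(
    r"secinfo denied: USER=(?P<user>\S+), "
    r"USER-HOST=(?P<user_host>\S+) \((?P<user_addr>[^)]+)\), "
    r"HOST=(?P<host>\S+) \((?P<host_addr>[^)]+)\), TP=(?P<tp>\S+)"
)


@dataclass(frozen=True)
class StartRequest:
    tp: str          # program the client asks the gateway to start
    user: str        # calling user
    user_host: str   # host the request came from (client side)
    host: str        # host the program would be started on (gateway side)


def parse_denied_line(line: str):
    """Extract the four compared fields from a gateway 'secinfo denied' log line."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    return StartRequest(tp=m["tp"], user=m["user"],
                        user_host=m["user_host"], host=m["host"])


def parse_secinfo(text: str):
    """Parse VERSION 2 secinfo rules ('P ...' permit, 'D ...' deny) in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        rules.append((action.upper(), fields))
    return rules


def field_matches(pattern: str, value: str, internal_hosts) -> bool:
    """'*' matches anything, 'internal' matches the system's own hosts (as
    supplied by the caller), anything else is a case-insensitive hostname match."""
    if pattern == "*":
        return True
    if pattern.lower() == "internal":
        return value.lower() in {h.lower() for h in internal_hosts}
    return pattern.lower() == value.lower()


def check_start(rules, req: StartRequest, internal_hosts) -> bool:
    """First rule whose four fields all match decides; no match means denied,
    which the trace reports as 'not allowed, no rule found'."""
    for action, f in rules:
        if (field_matches(f.get("TP", "*"), req.tp, internal_hosts)
                and field_matches(f.get("USER", "*"), req.user, internal_hosts)
                and field_matches(f.get("USER-HOST", "*"), req.user_host, internal_hosts)
                and field_matches(f.get("HOST", "*"), req.host, internal_hosts)):
            return action == "P"
    return False


def evaluate_post_scenarios():
    """Replay the post's Test 1 and Test 2 ACLs against the denied request,
    once with only the victim counted as internal and once with the
    attacker's host added to that set. Returns {scenario: permitted?}."""
    req = parse_denied_line(LOG_LINE)
    victim_only = ["victim.mycompanydomain.de"]
    victim_plus_attacker = victim_only + ["vhcalnplci.mycompanydomain.de"]
    return {
        "test1_wildcards": check_start(parse_secinfo(SECINFO_TEST1), req, victim_only),
        "test2_attacker_not_internal": check_start(parse_secinfo(SECINFO_TEST2), req, victim_only),
        "test2_attacker_listed_internal": check_start(parse_secinfo(SECINFO_TEST2), req, victim_plus_attacker),
    }


if __name__ == "__main__":
    for name, permitted in evaluate_post_scenarios().items():
        print(f"{name}: {'permitted' if permitted else 'denied'}")
```

The point of the replay is that, under a `USER-HOST=internal` rule, the only variable that flips the outcome for the request in the log line is whether the gateway counts the attacker's host as internal; whether a given gateway release does so after the fake application server registration is exactly what the SMMS/SM51 output and the `GwICheckSecInfo` trace entries have to be compared against, and this model does not claim to answer that.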
