The SAP NetWeaver platform is the most popular software solution for ERP and business process automation. SAP NetWeaver consists of two modules: AS ABAP and AS JAVA. SAP NetWeaver AS ABAP and AS JAVA can work either independently or together on one platform.
For these modules, developers can create their own programs to meet custom corporate goals. SAP has released many modules for SAP NetWeaver AS ABAP and AS JAVA, written in ABAP or Java: applications for automation, CRM, SRM, and others.
The full attack scenario is:
An attacker uses a directory traversal vulnerability to read the administrator password from a system config file.
After that, he/she decrypts this password and logs in to the SAP CRM portal.
Then, the attacker uses another directory traversal vulnerability and changes the SAP log file path to the web application root path.
Finally, using a special request, he/she can inject JS RCE code into the log file and call it anonymously from a remote web server.
In this talk, we will show how attackers can get full access to the SAP NetWeaver platform by using a simple chain of web vulnerabilities.