SAP IGS : The 'vulnerable' forgotten component

Presented at TROOPERS18 (2018), March 14, 2018, 10:30 a.m. (Unknown duration).

SAP Internet Graphics Server (IGS) has been present by default in every SAP NetWeaver system for the past 10 years. This component provides several services such as chart generation, zipping files, requesting spool information and converting pictures. Curiously, it is not very well known or documented.

This talk will describe the approach we used to understand how this component works and how it could be exploited. It will include the difficulties we met, how we resolved them and what future work remains to be done.

All unauthenticated and remotely exploitable, the vulnerabilities we will cover include XXE, XSS, DoS and SSRF, as well as a particular arbitrary file upload issue. We also introduce igstest.py, a tool to perform a quick SAP IGS assessment.

Please find the synopsis/description below:

After a quick 'whoami' and introduction, I will speak about the motivation for choosing SAP IGS, what it is and what public information we have on it.

Chart generator. Details of the 'xmlchart' interpreter: the approach I used to understand how it works, and the workaround I needed to finally exploit an XXE and an XSS. Followed by a live demonstration of these two vulnerabilities.

Zip service. Details of the 'zipper' interpreter. By reversing some useful ABAP reports and classes, I found out how it works. I will also explain where a heap overflow occurs and leads to a DoS, during a live demonstration.

Spool service. Details of the 'rspoconnector' interpreter. As with zipper, reversing some ABAP reports and classes provided the information needed to understand how it works and how I found a simple SSRF in it.

Image converter. Details of the 'imgconv' interpreter. In addition to ABAP reversing, some binary reversing was required here to find a hidden feature that leads to arbitrary image upload into the SAP system. Besides classic defacement or DoS, I will demonstrate live how it can be exploited to retrieve information remotely.

Securing IGS. I will introduce a free little tool, igstest.py, to perform an SAP IGS assessment covering all the previous vulnerabilities plus some others. Then I will provide all the SAP OSS Notes related to this talk and general recommendations on SAP IGS security.

Closing part. Finally, I will conclude with thanks, questions and a reminder about the charity 10k run.


Presenters:

  • Yvan Genuer
    Yvan has nearly 15 years of experience in SAP. Starting out as an SAP Basis administrator for various well-known French companies, for the past 5 years he has focused on SAP security and is now the head of SAP assessment and pentesting in the Devoteam security team. Although a discreet person, he has received official acknowledgements from SAP AG for vulnerabilities he has reported. Furthermore, he is a longtime member of the GreHack conference organization committee and has conducted an SAP pentest workshop at Clusir and Hack.lu, as well as a full training at Hack In Paris.
