The Importance of the SAP Gateway for Security
The following section uses insecure Reginfo and Secinfo ACL files to show which attacks on SAP systems are possible. This is not intended as a guide to attacking SAP systems. It merely draws attention to the importance of RFC gateway security for securing systems.
Attack on systems with an insecure Reginfo ACL file: Let's assume that our SAP Basis administrator has set the Reginfo ACL to be insecure. This can be done, for example, by one of the following configurations: gw/acl_mode = 0 and the Reginfo file does not exist; gw/sim_mode = 1 (this removes the implicit "Deny all" line).
An Allow entry in the Reginfo that is too open for a particular system poses the same risk. In either case, an attacker can register arbitrary programs with the gateway. They could, for example, choose the following configuration for an attack: ./program -a IGS. -g -x sapgw
RFC callback attack
IGS. is specified as the TP name, so the attacker pretends to be an Internet Graphics Service (IGS). The registered IGS. program is called as soon as a user makes use of the IGS.
An attacker could exploit this behavior to carry out an RFC callback attack. When the registered server (and therefore the function module it implements) is called, a connection handle to the calling system automatically exists. The attacker can use this connection handle to call any other function module in the ABAP system. In practice, an attacker would, for example, create a user and assign SAP_ALL (or comparable authorizations) to it. This example thus exploits two vulnerabilities in an SAP system, both of which are frequently found in productive systems. Either a well-configured Reginfo ACL or correctly configured RFC callback security would prevent this attack.
Attack on systems with an insecure Secinfo ACL: If the configuration is insecure, attacks via the Secinfo ACL are even easier for an attacker to carry out. The requirements are very similar to those for the Reginfo: the profile parameter gw/acl_mode = 0 (with a missing Secinfo file), gw/sim_mode = 1, or an Allow entry that is too open for the attacker's system makes an attack on the system possible.
A proof of concept has already been published by Dmitry Chastuhin (https://github.com/chipik/SAP_GW_RCE_exploit). Any operating system command can be executed on the attacked system. However, an attacker can achieve the same with a normal SAP system as the attacker system: a type T RFC connection to the target system is set up using the sapxpg program, and an external OS command is then created in transaction SM49. This command is executed over the type T RFC connection on the system under attack. Because these settings and commands are made on the attacker's own system, its authorization checks are irrelevant. Apart from good network segmentation, only a correct Secinfo configuration offers protection.
Correct configuration of Reginfo and Secinfo: The question is how Reginfo and Secinfo can be set up securely without restricting the SAP system. SAP Note 1408081 provides a good basic framework for this. These basic settings can then be refined through analysis of the gateway log, if necessary in combination with the simulation mode. In this way, Reginfo and Secinfo can be configured correctly with relatively little effort.
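To make the weak settings discussed above concrete, here is a small audit script, added as an example and not taken from the article or from SAP. It parses the documented ACL line syntax (a #VERSION=2 header and P/D rules with TP=, HOST=, USER=, USER-HOST=, ACCESS= and CANCEL= key/value pairs) and flags the three conditions the text names: gw/acl_mode = 0 or gw/sim_mode = 1 in the profile, an Allow rule that permits any program from any host, and a file without an explicit final D TP=* line. The profile and ACL contents are constructed samples; the host name igshost.example.internal is a placeholder, and treating an omitted key as "*" is an assumption of this example.

```python
"""Audit SAP gateway ACL files (reginfo / secinfo) and gw/* profile parameters
for the weak settings discussed in the text. Added example, not the article's
or SAP's own code; the samples below are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample: an instance profile with both weak gateway settings.
SAMPLE_PROFILE = """
gw/acl_mode = 0
gw/sim_mode = 1
"""

# Constructed sample: over-permissive reginfo (any host may register any TP)
# and no explicit final deny.
INSECURE_REGINFO = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
"""

# Constructed sample: a restrictive reginfo in the spirit of SAP Note 1408081.
# igshost.example.internal is a placeholder host name.
SECURE_REGINFO = """#VERSION=2
P TP=* HOST=internal,local ACCESS=internal,local CANCEL=internal,local
P TP=IGS.* HOST=igshost.example.internal ACCESS=internal,local CANCEL=internal,local
D TP=*
"""

# Constructed secinfo samples: any user on any host may start any program
# versus starts limited to the system's own hosts.
INSECURE_SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
"""

SECURE_SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=internal,local HOST=internal,local
D TP=*
"""

_PROFILE_RE = re.compile(r"^\s*(gw/\S+)\s*=\s*(\S+)")


def parse_profile(text: str) -> Dict[str, str]:
    """Return the gw/* parameters of a profile as {name: value}."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PROFILE_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def parse_acl(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Parse P/D rules into (action, {KEY: value}) tuples; comments are skipped."""
    rules: List[Tuple[str, Dict[str, str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *pairs = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"unknown rule action in line: {line}")
        rules.append((action, dict(p.split("=", 1) for p in pairs)))
    return rules


def _is_wildcard(value: str) -> bool:
    """True if the value (or any element of a comma list) is the '*' wildcard."""
    return any(v.strip() == "*" for v in value.split(","))


def audit_profile(text: str) -> List[str]:
    """Flag the profile parameters that weaken or disable the gateway ACL checks."""
    params = parse_profile(text)
    findings = []
    if params.get("gw/acl_mode") == "0":
        findings.append("gw/acl_mode = 0: a missing reginfo/secinfo file does not deny all")
    if params.get("gw/sim_mode") == "1":
        findings.append("gw/sim_mode = 1: simulation mode removes the implicit final 'D TP=*'")
    return findings


def audit_acl(text: str, kind: str) -> List[str]:
    """Flag Allow rules open to any program from any host, and a missing final deny.
    kind is 'reginfo' (host key HOST) or 'secinfo' (HOST and USER-HOST)."""
    host_keys = {"reginfo": ["HOST"], "secinfo": ["HOST", "USER-HOST"]}[kind]
    rules = parse_acl(text)
    findings = []
    for n, (action, kv) in enumerate(rules, 1):
        if action != "P":
            continue
        # Assumption of this example: an omitted key is treated like '*'.
        tp_open = _is_wildcard(kv.get("TP", "*"))
        hosts_open = all(_is_wildcard(kv.get(k, "*")) for k in host_keys)
        if tp_open and hosts_open:
            findings.append(f"{kind} rule {n}: allows any program from any host")
    if not rules or rules[-1] != ("D", {"TP": "*"}):
        findings.append(f"{kind}: no explicit final 'D TP=*'; deny-all depends on gw/sim_mode")
    return findings


if __name__ == "__main__":
    for label, result in [
        ("profile", audit_profile(SAMPLE_PROFILE)),
        ("insecure reginfo", audit_acl(INSECURE_REGINFO, "reginfo")),
        ("secure reginfo", audit_acl(SECURE_REGINFO, "reginfo")),
        ("insecure secinfo", audit_acl(INSECURE_SECINFO, "secinfo")),
        ("secure secinfo", audit_acl(SECURE_SECINFO, "secinfo")),
    ]:
        print(f"{label}: {result or 'no findings'}")
```

Run it against the real files of a system (usually found via the profile parameters gw/reg_info and gw/sec_info) to get a first list of entries to tighten; the TP=* rule restricted to HOST=internal,local is deliberately not flagged, because that is the baseline shape the note works from, and the script checks only for the combination of an open program name and an open host list.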