Full Report
[2011/9/6 Edited to add Slideshare embed] I am currently in London at the first ever 44con conference. It’s been a fantastic experience so far – excellent talks & friendly people. Yesterday, I presented a paper titled “Systems Applications Proxy Pwnage”. The talk precis sums it up nicely: It has been common knowledge for a number of years that SAP GUI communicates using an unencrypted and compressed protocol by default, and numerous papers have been published by security professionals and researchers dealing with decompressing this traffic.
Analysis Summary
# Research: Systems Applications Proxy Pwnage
## Metadata
- Authors: Ian de Villiers
- Institution: SensePost
- Publication: Presented at 44con conference (Blog post published online)
- Date: September 2, 2011 (Presentation date reference)
## Abstract
This research focuses on bridging the gap in understanding and analyzing the proprietary communication protocol used by the SAP GUI. While the fact that this protocol is unencrypted and compressed has been known, existing analysis methods were often complex and primarily focused on credential harvesting. This work introduces a novel toolkit designed to facilitate comprehensive parsing, decompression, and analysis of SAP GUI traffic, ultimately demonstrating how this protocol introduces vulnerabilities previously associated with standard web applications.
## Research Objective
The primary objective was to move beyond simple traffic decompression (which prior research had already achieved) to a thorough understanding of the SAP GUI communication protocol. The research aimed to demonstrate that this protocol makes SAP applications susceptible to a wide range of attacks commonly seen in the web application space.
## Methodology
### Approach
The research involved developing a custom toolset capable of intercepting, analyzing, and decompressing SAP GUI network traffic to understand the underlying protocol structure. The approach included demonstrating the feasibility of applying standard web application attacks (e.g., injection, manipulation) against an SAP environment mediated by this protocol.
### Dataset/Environment
The environment involved capturing and analyzing live SAP GUI network traffic.
### Tools & Technologies
The core methodology was realized through the creation and release of two key tools:
1. **SApCap:** A Java-based packet sniffer, decompressor, and protocol analysis tool for SAP GUI. This tool leveraged a third-party JNI interface (Jpcap) for pcap integration and a custom-built JNI decompression interface for SAP.
2. **SAPProx:** A proxy tool specifically designed for SAP GUI traffic, analogous to WebScarab for HTTP traffic, enabling man-in-the-middle style analysis and modification.
## Key Findings
### Primary Results
1. The proprietary SAP GUI protocol, despite being compressed, can be reliably decompressed and analyzed using custom tooling.
2. A functional proxy capable of intercepting and manipulating live SAP GUI sessions was developed and demonstrated publicly.
3. The protocol structure leaves SAP applications exposed to classes of attack typical of web applications.
### Supporting Evidence
- Successful, flawless demonstration of the developed tools (SApCap and SAPProx) during the 44con presentation.
### Novel Contributions
- **Development of the world's first SAP GUI proxy:** SAPProx translates the intercepting-proxy concept (familiar from web testing tools such as WebScarab) to the SAP environment.
- **Creation of a custom, accessible SAP decompression library:** This abstracted the difficult step of protocol reversal, making further research easier.
- **Shift in Focus:** Moving the security analysis focus from mere data exposure (credentials) to structural protocol flaws and application-level exploitability.
## Technical Details
The core technical innovation rests on the custom JNI (Java Native Interface) library designed specifically to handle the decompression algorithms used by the SAP GUI protocol. This allowed the Java-based analysis tools to process the compressed network streams efficiently.
## Practical Implications
### For Security Practitioners
Security professionals can now utilize dedicated tools (SAPProx) to conduct professional penetration testing against SAP GUI environments, similar to standard web application assessments. This moves testing beyond manual configuration inspection to active protocol manipulation.
### For Defenders
Defenders need to recognize that SAP GUI traffic should be treated as sensitive. Deploying network segmentation, deep packet inspection (if capable of handling the compression/decompression), and potentially exploring encrypted SAP communication channels (if available and configured) becomes critical.
### For Researchers
The release of the tools and the underlying decompression library lowers the barrier to entry for researchers interested in protocol analysis and security of proprietary enterprise applications.
## Limitations
The author noted that binary libraries for the JNI decompression interface were initially only built for specific platforms (Mac OS X, Linux 32-bit, and Windows 32-bit), requiring users on other architectures or newer systems to compile the source code themselves.
## Comparison to Prior Work
Prior research had established the unencrypted and compressed nature of the traffic. This work significantly advances the field by providing easy-to-use tooling for *thorough understanding* of the protocol structure, rather than just extracting sensitive data, and by introducing a proxy mechanism.
## Real-world Applications
- **Penetration Testing:** Conducting authenticated and unauthenticated assessments of SAP environments.
- **Protocol Forensics:** Analyzing potential security incidents involving SAP GUI communication.
## Future Work
The author implies future work based on the demand for the tools, likely involving support for more platforms and potentially deeper investigation into the specific application-level vulnerabilities enabled by the protocol weaknesses demonstrated.