Verb Tampering issues in CTC
The SAP security patches released in August 2011 include a fix for a J2EE Engine vulnerability. The risk this patch addresses was prominently discussed in a recent presentation at the Black Hat security conference. The relevant SAP security note is 1589525 (with update note 1624450).
The note states that “the CTC/Configuration Wizard application (also known as the Template Installer) contains verb tampering vulnerabilities. This means that there is a risk of information disclosure if the application is accessed with HTTP requests containing unexpected HTTP methods. Verb tampering issues can be exploited from arbitrary network locations. A Verb Tampering attack cannot be performed without the usage of special tools and without the understanding of HTML and/or HTTP. You cannot access the remote target systems but can access the information on the local AS Java where the Configuration Wizard is running. This can lead to an indirect attack on the target systems.”
Central Technical Configuration (CTC)/Configuration Wizard provides an automated way to perform configuration tasks as part of post-installation. It helps customers enter technical configuration settings easily and centrally, which reduces configuration effort. For details, refer to the SAP Online help:
and to SAP note 923359.
The direct fix is to apply the SAP patch mentioned in the note, which can be downloaded from the SAP Service Marketplace. The note also supplies a manual implementation and two workarounds, which can be used if an automatic patch is not available for the specific release.
I did test the manual implementation and workarounds in my own test system, and would like to share my implementation.
With respect to the manual implementation, as my system is NetWeaver 700 EHP1, according to the note, the relevant components are:
SAP NetWeaver 7.0x
The Java stack system information shows that the LM-TOOLS version is 7.01 SP6 patch 0:
In the SAP Service Marketplace, download LM-TOOLS:
After extraction, locate the web.xml:
Edit the XML file (remove the highlighted lines) according to the note's instructions:
Put the modified web.xml back in its original path, and then upload the modified .sda file to the server where the Java AS runs. Because I used FTP to upload the file, I had to use the ‘binary’ option to avoid file corruption.
Deploy the component via SDM:
For more information about using SDM under NetWeaver 7.0 EHP1, please refer to: http://help.sap.com/saphelp_nw70ehp1/helpdata/en/22/a7663bb3808c1fe10000000a114084/frameset.htm
For the other components, the procedure is similar. For different releases, the deployment tool may not be the same; for example, for NetWeaver 7.10, JSPM is used.
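As an added example (not code from this post, the note or SAP), the general J2EE pattern behind the web.xml edit: a security constraint that lists explicit HTTP methods guards only those methods, so the manual fix removes the listed methods and the constraint then covers every verb. The script assumes the lines removed from web.xml are those `<http-method>` elements and runs on a constructed descriptor with hypothetical URL patterns and role names.

```python
# Added example, not SAP's or the note's code: check a J2EE web.xml for
# security constraints that list explicit <http-method> elements. Such a
# constraint protects only the listed methods, so any other verb reaches
# the URL unconstrained; removing the elements makes it cover every method.
import xml.etree.ElementTree as ET

# Constructed sample descriptor; URL patterns and role names are hypothetical.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/ctc/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/secure/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Strip the XML namespace prefix ('{ns}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]

def find_weak_constraints(web_xml_text):
    """Return [(url_patterns, listed_methods)] for each web-resource-collection
    that names explicit methods and therefore leaves all other verbs open."""
    root = ET.fromstring(web_xml_text)
    weak = []
    for wrc in root.iter():
        if _local(wrc.tag) != "web-resource-collection":
            continue
        patterns = [e.text.strip() for e in wrc if _local(e.tag) == "url-pattern"]
        methods = [e.text.strip() for e in wrc if _local(e.tag) == "http-method"]
        if methods:
            weak.append((patterns, methods))
    return weak

def harden(web_xml_text):
    """Return the descriptor with every <http-method> element removed, so
    each security-constraint applies to all HTTP methods (the manual fix)."""
    root = ET.fromstring(web_xml_text)
    for wrc in root.iter():
        if _local(wrc.tag) == "web-resource-collection":
            for hm in [e for e in wrc if _local(e.tag) == "http-method"]:
                wrc.remove(hm)
    return ET.tostring(root, encoding="unicode")
```

Running `find_weak_constraints` over a deployed descriptor before and after the edit confirms that only the constraint with listed methods is flagged and that the hardened copy reports nothing.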
Concerning the two workarounds, I would also share my understanding:
Workaround one: find the services mentioned in the note and make the change:
Workaround two is to block the URL via a firewall or other IDS, preventing remote connections to CTC through URL blocking.